DETAILED ACTION
Office Action Summary
Claims 1-22 are pending in the instant application.
Claims 1-22 are rejected under 35 USC § 102.
Applicants’ arguments filed 3/3/2026 have been considered but are not persuasive. (See “Applicant’s Arguments and Examiner’s Response” section below)
Applicant’s Arguments and Examiner’s Response
Applicants’ arguments filed 3/3/2026 have been considered but are not persuasive. Applicant argues: “Applicant respectfully submits that the claimed invention is novel over Gupta because, unlike Gupta, Applicant's claimed invention implements real-time monitoring of filesystem activity in kernel mode while the operating system kernel is running and, crucially, preemptively suspends the filesystem activity from being executed if it matches a policy. This immediate suspension-executed in kernel mode-prevents the potential "dwell time" during which malicious operations could be partially executed, thereby offering a significant technical advantage in safeguarding data integrity.”
However examiner respectfully disagrees as Satya, [0004]: "Embodiments of the present disclosure apply a fully deterministic approach to detect malicious attacks in real-time on a computer network (customer endpoint). The embodiments monitor, in real-time, operations on compute subsystems including file systems"; [0006]: "the computer systems and methods perform the monitoring by: (i) scanning at least one of: the file system"; [0090]: "In the run time stage 770e, triggered OS events are matched against the created policies", also see [0048] which teaches ring 0 kernel driver is operating in kernel mode and system call hooking is intercepting IS operations.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-22 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Satya et al. (US Pre-Grant Publication No: 2021/029170) hereinafter referred to as Satya.
As per claims 1 and 12, Satya teaches … while an operating system kernel is running, monitoring filesystem activity, in kernel mode, from the operating system kernel for matching at least one policy (Satya, [0004]: "Embodiments of the present disclosure apply a fully deterministic approach to detect malicious attacks in real-time on a computer network (customer endpoint). The embodiments monitor, in real-time, operations on compute subsystems including file systems"; [0006]: "the computer systems and methods perform the monitoring by: (i) scanning at least one of: the file system"; [0090]: "In the run time stage 770e, triggered OS events are matched against the created policies");
if the filesystem activity matches the at least one policy, suspending the filesystem activity from being executed by the operating system kernel (Satya, [0098]: "When an event is triggered, it reaches the idle state 1111 (Start State) where the new event is directly forwarded to a policy lookup state 1112. At the policy lookup state 1112, the forwarded event is now looked up against the policy datastore (LIH) 1113 for a match"; [0062]: "The rule-based policies may be configured based on security technical implementation guides (STIGS) or other security standards for file systems, registries, applications, OS kernels, and the like. These rules can then be used to detect anomalies in runtime and prevent, isolate, and/or terminate misbehaving application instances. The event rule expressions of the configured rule-based policies are stored in the event policy database"; [0071]: "the filesystem CRUD events engine 224 may detect a filesystem CRUD event which is transported to the analysis engine 125. The CPE 240 of the analysis engine 125 may process the detected event by performing certain checks and investigations based on one or more defined file level policies. Based on the one or more file level policies, the CPE 240 may identify and rank the process and file associated with the detected event to be an attack vector and communicate with the macro protection engine 251 or micro protection engine 253 (via the platform protection agent 255) to perform protection actions");
and performing at least one responsive action to the filesystem activity matching the at least one policy (Satya, [0068]: "The rule-based policies executed by the callback processing engine (CPE) 240 may be enforced at process or registry or filesystem granularity in embodiments of the platform ... perform a protection action of disabling the permissions of a file which has just been downloaded by the process based on applying an inclusion policy to CRUD events generated in relation to operations on the file").
As per claims 2 and 13, Satya teaches … in user mode memory, analyzing filesystem activity from the operating system kernel and generating at least one additional policy; sending the at least one additional policy to a memory storing the at least one policy; monitoring the filesystem activity based on the at least one policy and the at least one additional policy. (Satya, [0090]: "triggered OS events are matched against the created policies and a final action is carried out on all satisfied events")
As per claims 3 and 14, Satya teaches … wherein the at least one responsive action includes entering write protect mode, the write protect mode preventing the filesystem activity matching the at least one policy from writing to the filesystem. (Satya, [0096]: "the security platform, according to an embodiment, is implemented for a user's application and events are matched against created policies and actions to be taken in response to events are determined and carried out")
As per claims 4 and 15, Satya teaches … wherein the at least one responsive action includes activating an append only mode, the append only mode preventing deletion of log files and only allowing new entries to the log files. (Satya, [0096]: "the security platform, according to an embodiment, is implemented for a user's application and events are matched against created policies and actions to be taken in response to events are determined and carried out") AND (Satya, [0098]: "If no entry is found in the policy lookup sate 1112, then the event is not an interested event and the cleanup and log state 1115 is entered whereby a log is sent to the central management server (CMS)")
As per claims 5 and 16, Satya teaches … wherein the at least one responsive action includes logging the filesystem activity matching the at least one policy. (Satya, [0056]: "The detection engine 260 also collects (gathers) logs for a configured set of OS events from the OS event viewer 209. The set of events and associated processing rules may be defined by a user 237, 239 via the user interface 140 of the management servicer 135. The event logs are stored in an intermediate events database 223. The event extractor 230 reviews and harvests the event logs from the event database based on rules defined for the set of events")
As per claims 6 and 17, Satya teaches … wherein the at least one responsive action includes entering a save-attempted-write or copy-on-write mode, further comprising: copying contents of a destination memory address of the file system activity to a quarantine area of memory; performing the write in the quarantine area of memory; and analyzing the quarantine area of memory for malicious activity, and if malicious activity is detected, rejecting the filesystem activity, and if malicious activity is not detected, allowing the write to be performed in the filesystem. (Satya, [0056]: "The detection engine 260 also collects (gathers) logs for a configured set of OS events from the OS event viewer 209. The set of events and associated processing rules may be defined by a user 237, 239 via the user interface 140 of the management servicer 135. The event logs are stored in an intermediate events database 223. The event extractor 230 reviews and harvests the event logs from the event database based on rules defined for the set of events") AND (Satya, [0070]: "The detection engine 260 may place the file in a quarantine area on the customer endpoint 112 until the CPE 240 performs checks based on one or more defined file level policies to establish trust of the file. Once the CPE 240 establishes trust of the file then the ACLs for the file may be enabled, and/or the file may be allowed to execute")
As per claims 7 and 18, Satya teaches … wherein the at least one responsive action includes a honeypot mode, wherein the honeypot mode further includes: detecting an access to a honeypot file, the honeypot file being created to emulate a target of malware; copying contents of the honeypot file to a quarantine area of memory; performing the write in the quarantine area of memory; and analyzing the quarantine area of memory for malicious activity, and if malicious activity is detected, rejecting the filesystem activity, and if malicious activity is not detected, allowing the write to be performed in the filesystem.
As per claims 8 and 19, Satya teaches … wherein the file system is at least one of a cache, a memory, a hard disk, an external memory, an external hard drive, or a network-based memory. (Satya, [0098]: "If no entry is found in the policy lookup sate 1112, then the event is not an interested event and the cleanup and log state 1115 is entered whereby a log is sent to the central management server (CMS)")
As per claims 9 and 20, Satya teaches … wherein the policies include at least one of command line usage, memory interactions, process lineage, privilege use, script analysis, file access privileges, registry access, system calls, and a peripheral device. (Satya, [0056]: "The detection engine 260 also collects (gathers) logs for a configured set of OS events from the OS event viewer 209. The set of events and associated processing rules may be defined by a user 237, 239 via the user interface 140 of the management servicer 135. The event logs are stored in an intermediate events database 223. The event extractor 230 reviews and harvests the event logs from the event database based on rules defined for the set of events")
As per claims 10 and 21, Satya teaches … wherein the operating system kernel is being run by a processor, the processor executing the filesystem activity and monitoring the filesystem activity. (Satya, [0090]: "triggered OS events are matched against the created policies and a final action is carried out on all satisfied events")
As per claims 11 and 22, Satya teaches … further comprising determining a policy based on filesystem activity and its relationship to applications. (Satya, [0070]: "The detection engine 260 may place the file in a quarantine area on the customer endpoint 112 until the CPE 240 performs checks based on one or more defined file level policies to establish trust of the file. Once the CPE 240 establishes trust of the file then the ACLs for the file may be enabled, and/or the file may be allowed to execute")
Other Art of Record
US 2018/248896 A 1 (CHALLITA ANTON 10 [US] ET AL) 30 August 2018 (2018-08-30) teaches ([0037]: "The second major component is the detection component 4 , comprising kernel software 20, which operates at a kernel level and monitors ransomware activities in real time. Since it's located in the kernel-mode driver layer of the operating system"; [0038]: "The kernel software 20 provides the ability to i) monitor and analyze all User-Mode applications and processes running, ii) monitor all operations on the file system on the machine, including read/write operations on the files, iii) having permissions and rights to respond to suspicious actions of any running process or application"; [0040]: "As a pattern of massive change of individual files is potentially indicative of ransomware, as these actions are similar to actions habitually taken by ransomware once it starts operating, if files are changed massively (beyond a predetermined threshold) within a short time"; [0047]: "The response component 6 comprises a suspend/kill process module 30, a restore module 32 to restore files on demand, a capture encryption key module 34, and an eradicate/quarantine module"; [0048]: "The suspend/kill process module 30 suspends (pauses) or kills (terminates) a suspicious process associated with a Ransomware attack once it is identified, to prevent the malicious the process from executing further. In an embodiment, the default behavior is to "suspend" before "terminating"; [0053]: "The eradicate/quarantine module 36 may undo or reverse registry changes made by the ransomware (such as updating Auto-Start registries in Windows, or attempting to modify the Windows Volume Shadow Copy Service, VSS). Some Ransomware try to change the registry values, for example to auto-start every time the computer is restarted. The system searches and compares for changes to registries that have been made by suspicious files, and corrects them with reference to a stored copy"; [0034]: "The deception component contains a decoy component 10, which comprises files and/or folders that are placed strategically throughout the computer storage, and which may be periodically updated to update a time stamp or show recent activity. As soon as certain actions are taken on the decoys, such as encryption, detection, writing or editing, the detection component is notified. The goal of decoys is to detect ransomware encryption operations, and slow down the ransomware from achieving its objectives.)
US 2020/089876 A1 (AHARONI ELDAR [IL] ET AL) 19 March 2020 (2020-03-19) teaches ([0042]: "the disclosed system and process embodiments can detect malware (e.g., unauthorized/undesired processes executing on a target machine) attempting to encrypt files (e.g., honeypot files) on a target machine and perform responsive action(s) (e.g., prevention, alert, user notification, monitor and log, etc.)"; [0043]: "In an example implementation on a Microsoft Windows OS, a kernelmode solution (e.g., kernel mode on a Windows OS machine) detects a ransomware module executing on a target machine protected by the above described endpoint agent and prevents it from deleting/changing the target machine's original/non-honeypot files (e.g., or hold them for ransom as discussed above) by terminating the process from which it is executing on the target machine"; [0044]: "the endpoint agent forges honeypot files for each protected directory (e.g., configurable as a path pattern). For example the endpoint agent can be configured to generate a set of honeypot files with file name extensions and file contents that ransomware will often target for encryption. Specifically, the disclosed kernel-mode solution manipulates file system queries' results with falsified entries (e.g., intercepts file system queries and spoofs the responses to certain file system queries as described herein), in a way that heightens probability that they will be selected for encryption by the ransomware first/prior to selecting other files on the target machine for encryption (e.g., the target machine's original/non-honeypot files). As a result, once a ransomware associated process attempts to dispose of the original content of those files that are most likely the honeypot files forged by the endpoint agent, then the endpoint agent can detect such activities on the target machine and terminate the ransomware associated process(es) executing on the target machine and/or perform one or more responsive activities (e.g., prevention, alert, user notification, monitor and log, etc., which can be configured responsive actions based on various criteria)"; [0049]: "This concept of virtual files can be implemented utilizing the mini filter driver to monitor/intercept certain file system related actions/requests and providing certain modified responses (e.g., spoofed responses to certain file system related actions/requests, such as similarly described above and further described below)"; [0020]: "a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder (e.g., files/folders that are forged by the endpoint agent for detecting ransomware activity on the computing device, such as further described below); and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder"; [0057]: "given that ransomware is generally much less likely to use shell APls in order to enumerate and open files, legitimate directory open activities can be distinguished from potential malicious directory open activities on the protected machine. In an example implementation, upon an open request to a protected directory, the endpoint agent performs a stack walk on the user mode part of the request and searches for a return address in the stack (i.e., the address space of a Dynamic-Link Library (DLL) that handles shell related APls). If a return address is found, the request is deemed legitimate, and further enumeration queries upon resulting handle will not have falsified entries within them. The endpoint agent maintains a closed set of these shell related DLLs (e.g., example GUI/shell related DLLs on the Microsoft Windows OS include shlwapi.dll, shcore.dll, comdlg32.dll) and maintains their addresses in any executing process"))
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906. The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached on (571) 270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SIMON P KANAAN/Primary Examiner, Art Unit 2407