Prosecution Insights
Last updated: May 29, 2026
Application No. 18/761,740

FULL DISK ENCRYPTION ANTI-MALWARE SCAN

Non-Final OA §103
Filed: Jul 02, 2024
Examiner: WICKRAMASURIYA, SAMEERA
Art Unit: 2494
Tech Center: 2400 — Computer Networks
Assignee: Check Point Software Technologies Ltd.
OA Round: 1 (Non-Final)
Grant Probability: 76% (Favorable)
OA Rounds: 1-2
Est. Remaining: 10m
With Interview: 99%

Examiner Intelligence

Grants 76% — above average
Career Allowance Rate: 76% (135 granted / 177 resolved), +18.3% vs TC avg
Strong +33% interview lift
Interview Lift: +33.2% (resolved cases with interview)
Typical timeline: 2y 9m Avg Prosecution, 9 currently pending
Career history: 187 Total Applications across all art units

Statute-Specific Performance

§101: 1.4% (-38.6% vs TC avg)
§103: 87.3% (+47.3% vs TC avg)
§102: 4.6% (-35.4% vs TC avg)
§112: 5.5% (-34.5% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 177 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections

2. Claim 18 is objected to because of the following informalities: In Claim 18, the preamble “A system for leveraging a Full Disk Encryption (FDE) pre-boot environment to conduct anti-malware scans during startup:” (emphasis added) should read as “A system for leveraging a Full Disk Encryption (FDE) pre-boot environment to conduct anti-malware scans during startup, the system comprising:” (emphasis added). Appropriate correction is required.

Claim Rejections - 35 USC § 103

3. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

5. This application currently names joint inventors.
In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

6. Claims 1-3, 9, 11-14 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Zimmer et al. (US 2011/0271347 A1, hereinafter Zimmer) in view of PALUMBO et al. (US 2016/0112444 A1, hereinafter Palumbo).

Regarding Claim 1, Zimmer discloses a computer device leveraging a Full Disk Encryption (FDE) pre-boot environment to conduct anti-malware scans during startup, the computer device comprising (Zimmer: [Abstract] allowing the utilization of a virus scanner and cleaner that operates primarily in the pre boot phase of computer operation…, allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system, ¶ [0019] files may be scanned during the pre-boot loading phase. 
In this context, "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus, ¶ [0031] an apparatus 200 and a system 201 that allows the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation, ¶¶ [0011, 0032]): storage memory comprising a non-transitory computer readable medium including disk partitions comprising an EFI (Extensible Firmware Interface) system partition (ESP) and at least one other disk partition storing an operating system (Zimmer: ¶ [0015] in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0013] the disk drives…, hardware system may perform actions substantially compliant with those defined in the Extensible Firmware Interface (EFI) specification. Extensible Firmware Interface (EFI Specification, ver 1.02, Dec. 12, 2000, Intel Corp. (hereafter "the EFI specification")(i.e. 
EFI system partition (ESP)), ¶ [0021] files may also be one of various operating system loaders, possibly conforming to the PE format and of an EFI subsystem type EFI_APPLICATION, ¶ [0023] a list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system, ¶ [0019]), wherein the operating system comprises operating system files including a registry (Zimmer: ¶ [0023] a list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system); processing memory comprising a temporary non-transitory computer readable medium (Zimmer: ¶[0013] a power-on self-test (POST) that tests various system components, such as, for example, Random Access Memory (RAM), ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, ¶ [0039]); a communication interface configured to communicate with a reputation service using a network configuration (Zimmer: ¶ [0015] a system may select a virus database. In this context, a "virus database" may be a collection of data that includes information to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. It is contemplated that a virus database may include a number of separate databases or files. 
It is further contemplated that the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV)…, the virus database may be synchronized with a remote database via a pre-boot networking scheme, such as, for example, the trivial file transfer protocol, ¶¶ [0016, 0018, 0036]); processor circuitry configured to (Zimmer: ¶ [0039] mobile or stationary computers, personal digital assistants, and similar devices that each include a processor, a storage medium readable or accessible by the processor (including volatile and non-volatile memory and/or storage elements), ¶[0031]): before loading the stored operating system, scan targeted memory for malware by (Zimmer: ¶ [0019] files may be scanned during the pre-boot loading phase. In this context, "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus, ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system): identifying indicators for objects stored in the targeted memory (Zimmer: ¶ [0019] "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus. 
This assertion may include the utilization of the virus database selected by the step illustrated by block 120, ¶ [0033] the file system handler may allow access to a variety of file systems such as those used by a variety of operating systems or those stored on a variety of volatile or non-volatile memories); receiving via the communication interface feedback from the reputation service, wherein: the feedback includes at least one verdict (Zimmer: ¶ [0015] a system may select a virus database…, to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. It is contemplated that a virus database may include a number of separate databases or files…, the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV)…, the virus database may be synchronized with a remote database via a pre-boot networking scheme, such as, for example, the trivial file transfer protocol, ¶ [0018] the selected database may be accessed or loaded via a network interface, ¶ [0019] that files may be scanned during the pre-boot loading phase. In this context, "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus. 
This assertion may include the utilization of the virus database selected, ¶ [0026]); the targeted memory includes at least one of the ESP, the at least one disk partition, the registry of the operating system files, or the processing memory (Zimmer: ¶[0013] a power-on self-test (POST) that tests various system components, such as, for example, Random Access Memory (RAM), ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, ¶ [0020] the files related to the operating system and similar early running programs may be scanned for viruses…, the pre-boot phase firmware may be aware and able to recognize the structure of some or all of the file systems accessible to the system. Some or all of the files on these file systems may be scanned for viruses, ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system, ¶ [0038] Pre-boot virus scanner 240 may utilize a Virus Database 250 to facilitate the scanning of files); and load the stored operating system based on the received feedback (Zimmer: ¶ [0026] the file's virus state may be ascertained…, virus state may include, but is not limited to: a file is not infected with a virus; a file is infected with a virus and the infection may be sufficiently removed, repaired, or cleaned; or a file is infected with a virus and the infection may not be sufficiently removed, repaired, or cleaned, ¶ [0037] Pre-boot virus scanner 240 may scan files before being loaded by the operating system loader 220 to determine if the files have been infected by or are a virus, ¶ [0030] if a file is infected and is not repairable an alternate action may be 
performed. Such actions may include, but are not limited to, deleting the file quarantining the file, marking the file as infected, loading the file normally, or performing another action, ¶ [0035] Operating system loader 220 may facilitate the loading of an operating system into memory 235. The loading of the operating system may be part of the transition from the pre-boot to runtime phases of operation, See Fig. 1—130- load selected virus database, 180 Perform alternative action, 190-boot OS). It is noted that Zimmer does not explicitly disclose: storage memory comprising a non-transitory computer readable medium including disk partitions comprising an EFI (Extensible Firmware Interface) system partition (ESP) and at least one other disk partition storing an operating system, wherein the operating system comprises operating system files including a registry; identifying indicators for objects stored in the targeted memory; sending the identified indicators to the reputation service via the communication interface; and receiving via the communication interface feedback from the reputation service, wherein: the feedback includes at least one verdict; the at least one verdict is associated with at least one indicator of the sent indicators; each of the indicators is associated with at least one of the stored objects, such that the at least one verdict is associated with at least one of the stored objects; and the at least one verdict identifies the associated at least one of the stored objects as malicious, suspicious, or benign. 
However, Palumbo from the same field of endeavor as the claimed invention discloses detecting malware on a client computer (Palumbo: [Abstract]), a "Stack of scanning modules" that receives an object to scan from an 'event listener' that interacts with the specific operating system (Palumbo: ¶ [0048], also see ¶ [0002]), skeleton can include a trace of one or more executed processes, file system locations of the processes, file names and hashes of the files which are in same directories as any of the processes in the skeleton, registry entries which are associated with the processes either by location or modification time in registry, their memory and file contents (Palumbo: ¶ [0054]), Remote primitives are used if the set of functionalities available by default at the client is not capable of extracting the information from the entity which is sufficient to reach a conclusion on whether the entity is malware or not (Palumbo: ¶ [0031]), Activities triggered by running the root primitive may be: unpack the file object, calculate full file hashes for embedded file objects, extract visible strings from specific embedded file objects (like * .DEX and * .SO files) and parse embedded binary XML file objects (Palumbo: ¶ [0032]), indicate an application running on a user equipment. This application is able to monitor, interpret and analyse events at the operating system. 
If it is necessary, the client contacts the server (Palumbo: ¶ [0035]), server receives the requests and data from clients, analyses them and makes the result of these analysis available to all of the clients (Palumbo: ¶ [0036]), the service can return not only the reputation of the hash, but also a set of instructions that is intended to increase the information available at the server-side regarding the item (Palumbo: ¶ [0037], Also see ¶ [0041]), client performs another lookup operation at the server to see what the result of the analysis is (S3)…, The client will use the value returned by the lookup either to take a final action regarding item, for example 'the file is malicious, delete it'. or it will execute the instructions that the Server has prepared regarding the item…, instructions might include, for example, a specific primitive that the client needs to execute, along with its possible arguments. The set of primitives that is available to the client includes the local primitives and root primitives (Palumbo: ¶ [0042]), an iterative interaction between the user equipment and the server aimed at determining whether the sample is malicious or not (i.e. benign) (Palumbo: ¶ [0026]), and client implements validation, which makes sure that the primitive is valid and trustworthy (Palumbo: ¶ [0043]).

Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Palumbo in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so because delegating verdict determination to a remote reputation service eliminates the need for complex local detection in a limited environment, enables faster receipt of the classification results, and further ensures consistent outcomes across devices through centralized control. 
Regarding Claim 2, Claim 2 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. Zimmer further discloses wherein the loading of the stored operating system based on the received feedback includes quarantining any of the at least one stored object identified as malicious (Zimmer: ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV)…, the virus database may be synchronized with a remote database via a pre-boot networking scheme, ¶ [0030] if a file is infected and is not repairable an alternate action may be performed. Such actions may include, but are not limited to, deleting the file, quarantining the file, marking the file as infected, loading the file normally, or performing another action, ¶ [0035] Operating system loader 220 may facilitate the loading of an operating system into memory 235. The loading of the operating system may be part of the transition from the pre-boot to runtime phases of operation, See Fig. 1—130- load selected virus database, 180 Perform alternative action, 190-boot OS, ¶¶[0015, 0029, 0037]).

Regarding Claim 3, Claim 3 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. Zimmer further discloses wherein the indicators include at least one of a file hashes, file names, directory names, registry keys, or registry values stored in the targeted memory (Zimmer: ¶ [0020] a select number of files may be scanned, or, conversely, that substantially all files may be scanned. In one embodiment, only the files related to the operating system and similar early running programs may be scanned for viruses. 
In another embodiment, the pre-boot phase firmware may be aware and able to recognize the structure of some or all of the file systems accessible to the system. Some or all of the files on these file systems may be scanned for viruses, ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system, ¶ [0024] digital signature a signed file may be regarded as virus free and no scanning of the contents of the signed file may be performed). Zimmer does not explicitly disclose: wherein the indicators include at least one of a file hashes, file names, directory names, registry keys, or registry values stored in the targeted memory. Palumbo further discloses that a trace of one or more executed processes, file system locations of the processes, file names and hashes of the files which are in same directories as any of the processes in the skeleton, registry entries which are associated with the processes either by location or modification time in registry, their memory and file contents (Palumbo: ¶ [0054]), extracting the information from the entity which is sufficient to reach a conclusion on whether the entity is malware or not (Palumbo: ¶ [0031]), activities triggered by running the root primitive may be: unpack the file object, calculate full file hashes for embedded file objects, extract visible strings from specific embedded file objects (like * .DEX and * .SO files) and parse embedded binary XML file objects (Palumbo: ¶ [0032]), the service can return not only the reputation of the hash, but also a set of instructions that is intended to increase the information available at the server-side regarding the item (Palumbo: ¶ [0037]). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Palumbo in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so because delegating verdict determination to a remote reputation service eliminates the need for complex local detection in a limited environment, enables faster receipt of the classification results, and further ensures consistent outcomes across devices through centralized control.

Regarding Claim 9, Claim 9 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. Zimmer further discloses wherein the processor circuitry is further configured to limit scanning to a limited set of objects stored in the storage memory and processing memory, such that the scanning of the targeted memory has a limited time duration (Zimmer: ¶ [0023] In a second specific example, a list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system. In a third specific embodiment, substantially all of the files accessible in the pre-boot phase may be scanned to viruses…, firmware may perform any of the operations illustrated by the previous three embodiments during the pre-boot phase, (i.e. implies that fewer number of items take limited time to scan)).

Regarding Claim 11, Claim 11 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. Zimmer further discloses wherein the reputation service comprises at least one of a local database, a remote database, or a remote service (Zimmer: ¶ [0015] a system may select a virus database. 
In this context, a "virus database" may be a collection of data that includes information to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. It is contemplated that a virus database may include a number of separate databases or files. It is further contemplated that the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶¶ [0016-0017]).

Regarding Claim 12, Zimmer discloses a method performed by a computer device for leveraging a Full Disk Encryption (FDE) pre-boot environment to conduct anti-malware scans during startup, the method comprising (Zimmer: [Abstract] allowing the utilization of a virus scanner and cleaner that operates primarily in the pre boot phase of computer operation…, allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system, ¶ [0019] files may be scanned during the pre-boot loading phase. In this context, "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus, ¶ [0031] allows the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation, ¶ [0011] FIG. 1 is a flowchart illustrating an embodiment of a technique for allowing the utilization of virus scanning in accordance with the disclosed subject matter, See also Claim 1), and discloses, in combination with Palumbo, all the limitations of Claim 12 as discussed in Claim 1. Therefore, Claim 12 is rejected using the same rationales as discussed in Claim 1.

Regarding Claims 13-14, Claims 13-14 are dependent on Claim 12, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 12. 
The combination of Zimmer and Palumbo discloses all the limitations of Claims 13-14 as discussed in Claims 2-3. Therefore, Claims 13-14 are rejected using the same rationales as discussed in Claims 2-3.

Regarding Claim 18, Zimmer discloses a system for leveraging a Full Disk Encryption (FDE) pre-boot environment to conduct anti-malware scans during startup (Zimmer: [Abstract] allowing the utilization of a virus scanner and cleaner that operates primarily in the pre boot phase of computer operation…, allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system, ¶ [0019] files may be scanned during the pre-boot loading phase. In this context, "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus, ¶ [0031] an apparatus 200 and a system 201 that allows the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation, ¶¶ [0011, 0032]): a reputation service comprising computer hardware including a computer processor (Zimmer: ¶ [0015] a system may select a virus database…, to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. 
It is contemplated that a virus database may include a number of separate databases or files…, the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV), ¶ [0039] techniques may be implemented in programs executing on programmable machines such as mobile or stationary computers, personal digital assistants, and similar devices that each include a processor, a storage medium readable or accessible by the processor (including volatile and non-volatile memory and/or storage elements)); a computer device comprising (Zimmer: [Abstract] allowing the utilization of a virus scanner and cleaner that operates primarily in the pre boot phase of computer operation…, allowing the utilization of a virus scanner and cleaner that operates primarily during the loading of an operating system, ¶ [0031] an apparatus 200 and a system 201 that allows the utilization of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation): storage memory comprising a non-transitory computer readable medium including disk partitions comprising an EFI (Extensible Firmware Interface) system partition (ESP) and at least one other disk partition storing an operating system (Zimmer: ¶ [0015] in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0013] the disk drives…, hardware system may perform actions substantially compliant with those defined in the Extensible Firmware Interface (EFI) specification. Extensible Firmware Interface (EFI Specification, ver 1.02, Dec. 12, 2000, Intel Corp. 
(hereafter "the EFI specification")(i.e. EFI system partition (ESP)), ¶ [0021] files may also be one of various operating system loaders, possibly conforming to the PE format and of an EFI subsystem type EFI_APPLICATION, ¶ [0023] a list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system, ¶ [0019]), wherein the operating system comprises operating system files including a registry (Zimmer: ¶ [0023] a list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system); processing memory comprising a temporary non-transitory computer readable medium (Zimmer: ¶[0013] a power-on self-test (POST) that tests various system components, such as, for example, Random Access Memory (RAM), ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, ¶ [0039]); a communication interface configured to communicate with the reputation service using a network configuration (Zimmer: ¶ [0015] a system may select a virus database. In this context, a "virus database" may be a collection of data that includes information to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. It is contemplated that a virus database may include a number of separate databases or files. 
It is further contemplated that the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV)…, the virus database may be synchronized with a remote database via a pre-boot networking scheme, such as, for example, the trivial file transfer protocol, ¶¶ [0016, 0018, 0036]); processor circuitry configured to (Zimmer: ¶ [0039] mobile or stationary computers, personal digital assistants, and similar devices that each include a processor, a storage medium readable or accessible by the processor (including volatile and non-volatile memory and/or storage elements), ¶[0031]): before loading the stored operating system, scan targeted memory for malware by (Zimmer: ¶ [0019] files may be scanned during the pre-boot loading phase. In this context, "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus, ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system): identifying indicators for objects stored in the targeted memory (Zimmer: ¶ [0019] "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus. 
This assertion may include the utilization of the virus database selected by the step illustrated by block 120, ¶ [0033] the file system handler may allow access to a variety of file systems such as those used by a variety of operating systems or those stored on a variety of volatile or non-volatile memories); and wherein the targeted memory includes at least one of the ESP, the at least one disk partition, the registry of the operating system files, or the processing memory (Zimmer: ¶[0013] a power-on self-test (POST) that tests various system components, such as, for example, Random Access Memory (RAM), ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, ¶ [0020] the files related to the operating system and similar early running programs may be scanned for viruses…, the pre-boot phase firmware may be aware and able to recognize the structure of some or all of the file systems accessible to the system. Some or all of the files on these file systems may be scanned for viruses, ¶ [0023] all of the files loaded into memory during the pre-boot phase may be scanned for a virus as, or immediately prior to, the files are loaded into memory, list of the files included in the operating system and loaded during the initial startup of the operating system may be scanned for viruses prior to the booting of the operating system, ¶ [0038] Pre-boot virus scanner 240 may utilize a Virus Database 250 to facilitate the scanning of files); wherein the computer processor of the reputation service is configured to (Zimmer: ¶ [0015] a system may select a virus database…, to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. 
It is contemplated that a virus database may include a number of separate databases or files…, the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV), ¶ [0039] techniques may be implemented in programs executing on programmable machines such as mobile or stationary computers, personal digital assistants, and similar devices that each include a processor, a storage medium readable or accessible by the processor (including volatile and non-volatile memory and/or storage elements)): wherein the processor circuitry of the computer device is further configured to: receive via the communication interface the sent feedback (Zimmer: ¶ [0015] a system may select a virus database…, to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. 
It is contemplated that a virus database may include a number of separate databases or files…, the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV)…, the virus database may be synchronized with a remote database via a pre-boot networking scheme, such as, for example, the trivial file transfer protocol, ¶ [0018] the selected database may be accessed or loaded via a network interface, ¶ [0019] that files may be scanned during the pre-boot loading phase. In this context, "scanning a file for a virus" includes reading at least a portion of the file and asserting if the file includes or has been affected by a virus. This assertion may include the utilization of the virus database selected, ¶ [0026]); and load the stored operating system based on the received feedback (Zimmer: ¶ [0026] the file's virus state may be ascertained…, virus state may include, but is not limited to: a file is not infected with a virus; a file is infected with a virus and the infection may be sufficiently removed, repaired, or cleaned; or a file is infected with a virus and the infection may not be sufficiently removed, repaired, or cleaned, ¶ [0037] Pre-boot virus scanner 240 may scan files before being loaded by the operating system loader 220 to determine if the files have been infected by or are a virus, ¶ [0030] if a file is infected and is not repairable an alternate action may be performed. 
Such actions may include, but are not limited to, deleting the file quarantining the file, marking the file as infected, loading the file normally, or performing another action, ¶ [0035] Operating system loader 220 may facilitate the loading of an operating system into memory 235. The loading of the operating system may be part of the transition from the pre-boot to runtime phases of operation, See Fig. 1—130- load selected virus database, 180 Perform alternative action, 190-boot OS). It is noted that Zimmer does not explicitly disclose: storage memory comprising a non-transitory computer readable medium including disk partitions comprising an EFI (Extensible Firmware Interface) system partition (ESP) and at least one other disk partition storing an operating system, wherein the operating system comprises operating system files including a registry; identifying indicators for objects stored in the targeted memory; sending the identified indicators to the reputation service via the communication interface; wherein the computer processor of the reputation service is configured to: receive the sent indicators; analyze the received indicators to determine feedback, wherein: the feedback includes at least one verdict; the at least one verdict is associated with at least one indicator of the sent indicators; each of the indicators is associated with at least one of the stored objects, such that the at least one verdict is associated with at least one of the stored objects; and the at least one verdict identifies the associated at least one of the stored objects as malicious, suspicious, or benign; and send the determined feedback to the computer device. 
However, Palumbo from the same field of endeavor as the claimed invention discloses detecting malware on a client computer (Palumbo: [Abstract]), a "Stack of scanning modules" that receives an object to scan from an 'event listener' that interacts with the specific operating system (Palumbo: ¶ [0048], also see ¶ [0002]), skeleton can include a trace of one or more executed processes, file system locations of the processes, file names and hashes of the files which are in same directories as any of the processes in the skeleton, registry entries which are associated with the processes either by location or modification time in registry, their memory and file contents (Palumbo: ¶ [0054]), Remote primitives are used if the set of functionalities available by default at the client is not capable of extracting the information from the entity which is sufficient to reach a conclusion on whether the entity is malware or not (Palumbo: ¶ [0031]), Activities triggered by running the root primitive may be: unpack the file object, calculate full file hashes for embedded file objects, extract visible strings from specific embedded file objects (like * .DEX and * .SO files) and parse embedded binary XML file objects (Palumbo: ¶ [0032]), indicate an application running on a user equipment. This application is able to monitor, interpret and analyse events at the operating system. 
If it is necessary, the client contacts the server (Palumbo: ¶ [0035]), server receives the requests and data from clients, analyses them and makes the result of these analysis available to all of the clients (Palumbo: ¶ [0036]), the service can return not only the reputation of the hash, but also a set of instructions that is intended to increase the information available at the server-side regarding the item (Palumbo: ¶ [0037], Also see ¶ [0041]), client performs another lookup operation at the server to see what the result of the analysis is (S3)…, The client will use the value returned by the lookup either to take a final action regarding item, for example 'the file is malicious, delete it'. or it will execute the instructions that the Server has prepared regarding the item…, instructions might include, for example, a specific primitive that the client needs to execute, along with its possible arguments. The set of primitives that is available to the client includes the local primitives and root primitives (Palumbo: ¶ [0042]), an iterative interaction between the user equipment and the server aimed at determining whether the sample is malicious or not (i.e. benign) (Palumbo: ¶ [0026]), and client implements validation, which makes sure that the primitive is valid and trustworthy (Palumbo: ¶ [0043]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Palumbo in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so because delegating verdict determination to a remote reputation service eliminates the need for complex local detection in limited environments, enables faster receipt of the classification results, and further ensures consistent outcomes across devices through centralized control.
Regarding Claim 19, Claim 19 is dependent on Claim 18, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 18. Zimmer further discloses wherein: the reputation service includes memory storage comprising a non-transitory computer readable medium and storing a database (Zimmer: ¶ [0015] a system may select a virus database…, to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. It is contemplated that a virus database may include a number of separate databases or files…, the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV), ¶ [0039] techniques may be implemented in programs executing on programmable machines such as mobile or stationary computers, personal digital assistants, and similar devices that each include a processor, a storage medium readable or accessible by the processor (including volatile and non-volatile memory and/or storage elements)) associating known indicators with known verdicts, such that each of the stored known indicators is associated with a known verdict. 
Zimmer does not explicitly disclose: wherein: the reputation service includes memory storage comprising a non-transitory computer readable medium and storing a database associating known indicators with known verdicts, such that each of the stored known indicators is associated with a known verdict; the analyzing of the received indicators to determine feedback comprises: comparing each of the received indicators to the database; and applying the associated known verdict to a received indicator when the received indicator matches one of the stored known indicators. Palumbo further discloses considering the reputation of the hash at the network server by comparing the hash to a database of hashes of known reputation (Palumbo: [Abstract]), a database of hashes of known entities; a module for determining the reputation of the hash by comparing the hash to the database of hashes and for determining if the file is malicious using the results of the comparison (Palumbo: ¶ [0015], Also see ¶ [0012]), server receives the requests and data from clients, analyses them and makes the result of these analysis available to all of the clients (Palumbo: ¶ [0036]), client interacts with this reputation service to establish an initial full file hash lookup at the server. Moreover, the service can return not only the reputation of the hash, but also a set of instructions (Palumbo: ¶ [0037]), the service can return not only the reputation of the hash, but also a set of instructions that is intended to increase the information available at the server-side regarding the item (Palumbo: ¶ [0037]), and information is used by the Server to determine a category or reputation for the item to which the uploaded data corresponds (Palumbo: ¶ [0041], Also see ¶ [0042]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Palumbo in the teachings of Zimmer. 
A person having ordinary skill in the art would have been motivated to do so because delegating verdict determination to a remote reputation service eliminates the need for complex local detection in limited environments, enables faster receipt of the classification results, and further ensures consistent outcomes across devices through centralized control.

7. Claims 4-5 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Zimmer et al. (US 2011/0271347 A1, hereinafter Zimmer) in view of PALUMBO et al. (US 2016/0112444 A1, hereinafter Palumbo) and further in view of Sheng (US 2019/0007455 A1, hereinafter Sheng).

Regarding Claim 4, Claim 4 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. The combination Zimmer and Palumbo does not explicitly disclose wherein the network configuration includes at least one of network credentials, a list of one or more trusted certificate authorities (CAs), or connection information for a virtual local area network (VLAN) having access to limited external services including the reputation service. However, Sheng from the same field of endeavor as the claimed invention discloses a client security manager acquires a remote host name resolution file maintained by a remote server or a network security appliance and imports the remote host name resolution file into a local host name resolution file of the client computer system (Sheng: [Abstract]), the client machine connects to the network security appliance or a cloud-based network security service through a public network, for example, the Internet (Sheng: ¶ [0048]), and the network security appliance may push updated antivirus signatures to the client security manager in order that the client security manager may scan the client machine or network traffic directed to and/or originating from the client machine using the antivirus signatures.
The network security appliance may also push other configuration information, for example, Certificate Authority (CA) certificates and other network security settings, to the client security manager (Sheng: ¶ [0049]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Sheng in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so for the client machine to comply with security policies of the private network (Sheng: ¶ [0049]), and further establishes encrypted secure channels between server and device using the certificate authority certificates. Regarding Claim 5, Claim 5 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. The combination of Zimmer and Palumbo does not explicitly disclose wherein the processor circuitry is further configured to: run an agent on the loaded operating system, such that the agent obtains the network configuration from the operating system; and provide the obtained network configuration to the communication interface. 
Sheng further discloses a client security manager acquires a remote host name resolution file maintained by a remote server or a network security appliance and imports the remote host name resolution file into a local host name resolution file of the client computer system (Sheng: [Abstract]), most operating systems include a host name resolution (“hosts”) file that maps hostnames to Internet Protocol (IP) addresses (Sheng: ¶ [0003], ¶ [0026]), the client machine connects to the network security appliance or a cloud-based network security service through a public network, for example, the Internet (Sheng: ¶ [0048]), the network security appliance may also push other configuration information…, and other network security settings, to the client security manager (Sheng: ¶ [0049]), and the computer system 600 includes a bus 630, a processor 605, communication port (Sheng: ¶ [0064], also see ¶ [0066]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Sheng in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so for the client machine to comply with security policies of the private network (Sheng: ¶ [0049]), and further establishes encrypted secure channels between server and device using the certificate authority certificates. Regarding Claim 6, Claim 6 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. The combination of Zimmer and Palumbo does not explicitly disclose wherein the communication interface is configured to receive the network configuration from a policy server. 
Sheng further discloses a client security manager acquires a remote host name resolution file maintained by a remote server or a network security appliance and imports the remote host name resolution file into a local host name resolution file of the client computer system (Sheng: [Abstract]), the network security appliance may also push other configuration information other network security settings, to the client security manager (Sheng: ¶ [0049]), a client security manager of a client machine connects to a network security appliance through a network, which can be a private network or a public network (Sheng: ¶ [0055]), different hosts files may be generated for different users, for example, based on environment information of their respective client machines and security policies of the network…, the hosts file may be retrieved from a cloud-based network security service or a third party (Sheng: ¶ [0057]), and the network security appliance may create security policies for the address groups. For example, a security policy may allow, block or log network traffic from/to hosts in the address groups (Sheng: ¶ [0060]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Sheng in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so for the client machine to comply with security policies of the private network (Sheng: ¶ [0049]).

Regarding Claim 15, Claim 15 is dependent on Claim 12, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 12. The combination of Zimmer, Palumbo and Sheng discloses all the limitations of Claim 15 as discussed in Claim 4. Therefore, Claim 15 is rejected using the same rationales as discussed in Claim 4.

Regarding Claim 16, Claim 16 is dependent on Claim 12, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 12.
The combination of Zimmer, Palumbo and Sheng discloses all the limitations of Claim 16 as discussed in Claim 5. Therefore, Claim 16 is rejected using the same rationales as discussed in Claim 5.

8. Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Zimmer et al. (US 2011/0271347 A1, hereinafter Zimmer) in view of PALUMBO et al. (US 2016/0112444 A1, hereinafter Palumbo) and further in view of Roy et al. (US 2021/0382782 A1, hereinafter Roy).

Regarding Claim 10, Claim 10 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. Zimmer discloses wherein one or more peripheral devices are communicatively connected to the computer device (Zimmer: ¶ [0013] power-on self-test (POST) that tests various system components, such as, for example, Random Access Memory (RAM), the disk drives, and the keyboard, to see if they are properly connected and operating, ¶ [0015] a network accessible medium, or other storage location, ¶ [0017] a network interface, ¶ [0018] ) and the scanned targeted memory includes the peripheral devices. The combination of Zimmer and Palumbo does not explicitly disclose: wherein one or more peripheral devices are communicatively connected to the computer device and the scanned targeted memory includes the peripheral devices. However, Roy from the same field of endeavor as the claimed invention discloses a system receives data from peripheral devices connected to respective point-of-sale (POS) base terminals, the data captured using agents executing in the POS base terminals during periods of reduced activity of the POS base terminals (Roy: [Abstract]), and the remediation logic 250 includes performing a security task with respect to a POS peripheral device that has been swapped or added. A security task can include authenticating the POS peripheral device, scanning the POS peripheral device for malware (Roy: ¶ [0054]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Roy in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so to detect detection of hidden files and stop propagation of malware among systems from portable devices.

9. Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Zimmer et al. (US 2011/0271347 A1, hereinafter Zimmer) in view of PALUMBO et al. (US 2016/0112444 A1, hereinafter Palumbo), and further in view of Hopkins et al. (US 2011/0247017 A1, hereinafter Hopkins).

Regarding Claim 8, Claim 8 is dependent on Claim 1, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 1. Zimmer further discloses wherein: the communication interface communicates with the reputation service using an application programming interface (API) (Zimmer: ¶ [0015] a system may select a virus database. In this context, a "virus database" may be a collection of data that includes information to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses. It is contemplated that a virus database may include a number of separate databases or files.
It is further contemplated that the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV)…, the virus database may be synchronized with a remote database via a pre-boot networking scheme, such as, for example, the trivial file transfer protocol, ¶¶ [0016, 0018, 0036]). The combination of Zimmer and Palumbo does not explicitly disclose: wherein: the communication interface communicates with the reputation service using an application programming interface (API); and the processor circuitry is further configured to batch indicators before sending to the reputation service, such that a plurality of indicators are sent to the reputation service in a single call to the API. However, Hopkins from the same field of endeavor as the claimed invention discloses that mechanisms and methods for transmitting a group of data elements (Hopkins: [Abstract]), and the custom object grouping 400 includes custom objects 402, 404, and 406. In one embodiment, each of the custom objects 402, 404, and 406 may be distinct from each other. Additionally, the custom object grouping 400 includes objects 408A-C are associated with custom object 404, as well as objects 410A and 410B, which are associated with custom object 406.., objects 408A-C may be nested within custom object 404, and objects 410A and 410B may be nested within custom object 406. In this way, a single API call for custom object grouping 400 may transmit all custom objects 402, 404, and 406 to a destination system (Hopkins: ¶ [0044], also see ¶ [0075]). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Hopkins in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so to enable more efficient data transmission, and improved synchronization and data management (Hopkins: [Abstract]).

10. Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Zimmer et al. (US 2011/0271347 A1, hereinafter Zimmer) in view of PALUMBO et al. (US 2016/0112444 A1, hereinafter Palumbo) and further in view of Komashinskiy et al. (US 2018/0159871 A1, hereinafter, Komashinskiy).

Regarding Claim 20, Claim 20 is dependent on Claim 18, and the combination of Zimmer and Palumbo discloses all the limitations of Claim 18. Zimmer further discloses wherein: the reputation service includes memory storage comprising a non-transitory computer readable medium (Zimmer: ¶ [0015] a system may select a virus database…, to facilitate the identification of viruses or files affected by viruses, Such a database may include virus signatures or checksums that correspond to particular viruses.
It is contemplated that a virus database may include a number of separate databases or files…, the database may be stored in a variety of locations, such as, for example, in firmware, in a locally accessible non-volatile memory, a network accessible medium, or other storage location, ¶ [0017] the virus database may be accessible via a network interface and maintained by a third party, such as, for example, an independent software vendor (ISV), independent BIOS vendor (IBV), an original equipment manufacturer (OEM), or an independent hardware vendor (IHV), ¶ [0039] techniques may be implemented in programs executing on programmable machines such as mobile or stationary computers, personal digital assistants, and similar devices that each include a processor, a storage medium readable or accessible by the processor (including volatile and non-volatile memory and/or storage elements) and storing a machine learning algorithm trained to generate a verdict based on an input indicator. The combination of Zimmer and Palumbo does not explicitly disclose wherein: the reputation service includes memory storage comprising a non-transitory computer readable medium and storing a machine learning algorithm trained to generate a verdict based on an input indicator. the analyzing of the received indicators to determine feedback comprises: applying the machine learning algorithm to each of the received indicators, such that the machine learning algorithm outputs the generated verdict for each of the received indicators; and applying the generated verdict to each of the received indicators. 
However, Komashinskiy from the same field of endeavor as the claimed invention discloses measures for machine learning based malware detection systems (Komashinskiy: [Abstract]), preparing a machine learning based malware detection system, according to exemplary embodiments of the present invention comprises an operation of analyzing (Sll) a set of training data, said set of training data comprising a plurality of training data elements, wherein each of said plurality of training data elements is associated with a respective one of at least two maliciousness related properties (Komashinskiy ¶ [0065]), analyzing operation (Sll) according to exemplary embodiments of the present invention may comprise an operation of determining a first feature space representing said set of training data, and an operation of mapping each of said plurality of training data elements to said first feature space. Here, it is noted that said malicious object detection model is learned (S12) on the basis of said plurality of training data elements respectively mapped to said first feature space (Komashinskiy ¶ [0070], ¶ [0073]), at least one feature combination out of said first feature combinations of said plurality of training data elements correspond to at least one feature combination out of said second feature combinations of said plurality of training data elements (Komashinskiy ¶ [0067]), said at least two maliciousness related properties include a classification as malicious and a classification as clean, and said malicious object detection model is adapted for classification of a maliciousness detection candidate as one of said at least two maliciousness related properties (Komashinskiy ¶ [0075]), and validation of a maliciousness detection candidate regarding deviation from said set of training data (Komashinskiy ¶ [0076]), Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of 
Komashinskiy in the teachings of Zimmer. A person having ordinary skill in the art would have been motivated to do so as machine learning makes more accurate decisions by analyzing many features providing more reliable identification of malware.

Allowable Subject Matter

11. Claims 7 and 17 are objected to as being dependent upon rejected base Claims 1 and 12 respectively, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion

12. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US-20140006760-A1 US-20200099719-A1 US-20200272734-A1 US-20110093953-A1

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMEERA WICKRAMASURIYA whose telephone number is (571)272-1507. The examiner can normally be reached on MON-FRI 8AM-4:30PM EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W. KIM can be reached on (571)272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAMEERA WICKRAMASURIYA/ Examiner, Art Unit 2494
/THEODORE C PARSONS/ Primary Examiner, Art Unit 2494

Prosecution Timeline

Jul 02, 2024
Application Filed
Apr 08, 2026
Non-Final Rejection mailed — §103
May 12, 2026
Interview Requested
May 20, 2026
Examiner Interview Summary
May 20, 2026
Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12640931
METHODS FOR GRINDING-RESISTANT CONSENSUS IN A PROOF-OF-SPACE-BASED BLOCKCHAIN
1y 5m to grant Granted May 26, 2026
Patent 12627671
Shared Risk Assessment and Clustering for Industrial IOT Applications
2y 9m to grant Granted May 12, 2026
Patent 12615261
Enterprise User Access Discovery and Management Using Policy and Entitlement Framework
2y 5m to grant Granted Apr 28, 2026
Patent 12608483
Comprehensive Software Supply Chain Analysis
3y 4m to grant Granted Apr 21, 2026
Patent 12592837
PKI-BASED AUTHENTICATION OF BLOCKCHAIN ADDRESSES
4y 0m to grant Granted Mar 31, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+33.2%)
2y 9m (~10m remaining)
Median Time to Grant
Low
PTA Risk
Based on 177 resolved cases by this examiner. Grant probability derived from career allowance rate.
