Prosecution Insights
Last updated: July 17, 2026
Application No. 19/040,674

RECOVERING INFECTED SNAPSHOTS IN A SNAPSHOT CHAIN

Non-Final OA §103
Filed
Jan 29, 2025
Priority
Nov 08, 2021 — provisional 63/276,822 +3 more
Examiner
NAJI, YOUNES
Art Unit
Tech Center
Assignee
Rubrik Inc.
OA Round
1 (Non-Final)
75%
Grant Probability
Favorable
1-2
OA Rounds
1y 5m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
332 granted / 443 resolved
+14.9% vs TC avg
Strong +73% interview lift
Without
With
+73.1%
Interview Lift
resolved cases with interview
Typical timeline
2y 11m
Avg Prosecution
31 currently pending
Career history
494
Total Applications
across all art units

Statute-Specific Performance

§101
0.9%
-39.1% vs TC avg
§103
94.3%
+54.3% vs TC avg
§102
2.4%
-37.6% vs TC avg
§112
2.1%
-37.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 443 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This office action is in response to Applicant’s communication filed on 01/29/2025 Claims 1-20 have been examined. Information Disclosure Statement The information disclosure statements (IDSs) submitted on 06/11/2025, 06/04/2025, 03/12/2025 were filed. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Torrington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b). Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-18 of the Patent No. US 12,399,993 B2 in view of Warwick Below are the analysis to the claims. Claims 1-20 of Instant application Claim 1-18 of Patent No. US 12,399,993 B2 Claims 1,11,16 A method/apparatus/medium, comprising: Processor and memory storing instruction that ,when executed by the processor, cause the apparatus displaying a graphical user interface showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects in a computing system, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein the plurality of computing objects comprises at least two computing objects from among the following computing objects: a physical machine, a virtual machine, a file system, a database, or a network attached storage system, and a cut line extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line are indicated for recovery by the cut line; receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned on a second side of the cut line; and recovering, based at least in part on receiving the selection, for the respective computing objects, respective non-infected snapshots from the respective snapshot chains in accordance with the cut line and non-infected content in the infected snapshot. Claims 1,9,18 A method/apparatus/medium, comprising: Processor and memory storing instruction that ,when executed by the processor, cause the apparatus displaying a graphical user interface showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein a first computing object of the plurality of computing objects is a first virtual machine, a first file system, a first database, or a first network attached storage system, and a second computing object of the plurality of computing objects is a second virtual machine, a second file system, a second database, or a second network attached storage system, and across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line are restricted from being recovered; receiving a selection, from a user, of an infected snapshot in a snapshot chain of the respective snapshot chains associated with a computing object of the respective computing objects, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned above the cut line…; and recovering, in response to the command, for the respective computing objects, a non-infected snapshot from the respective snapshot chains in accordance with the cut line and at least one of the non-infected content in the selected infected snapshot. Claims 2,12,17 wherein the cut line delineates infected snapshots from non-infected snapshots, and wherein snapshots that are positioned on a second side of the cut line are restricted from being recovered.. Claims 1,9,18 across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line are restricted from being recovered; Claims 3,13,18 mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected. Claims 1,9,18 mounting, in response to the selection, the selected infected snapshot; determining, based at least in part on mounting the selected infected snapshot, which content in the selected infected snapshot are not infected; Claims 4 ,14,19 receiving, based at least in part on the selection, a command to recover non- infected content for the respective computing objects. Claims 1,9,18 receiving, based at least in part on the selection, a command to recover, for the respective computing objects, non-infected data Claims 5,15,20 identifying respective most recent snapshots in the respective snapshot chains that are not infected by malware, wherein the cut line is based at least in part on the respective most recent snapshots in each of the respective snapshot chains. Claims 1,9,18 wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned above the cut line; Claims 2,10 identifying a most recent snapshot in the respective snapshot chains that is not infected by malware, Claim 6 wherein identifying the respective most recent snapshots comprises: mounting snapshots in the respective snapshot chains in reverse chronological order; and determining, for each of the mounted snapshots, whether the mounted snapshot is infected by malware Claim 2,10 identifying a most recent snapshot in the respective snapshot chains that is not infected by malware, wherein the identifying comprises mounting the snapshots in the respective snapshot chains in reverse chronological order and determining whether the mounted snapshots are infected by malware. Claim 7 refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain. Claims 3 ,11 wherein mounting the snapshots and determining whether the snapshots are infected is repeated until [[a]]at least one non-infected snapshot in the respective snapshot chains is identified. Claim 8 mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain Claims 4,12 wherein mounting the snapshots and determining whether the snapshots are infected is repeated past at least one non-infected snapshot in the respective snapshot chains being identified. Claim 9 wherein determining whether the mounted snapshots are infected comprises: applying YARA rules and hash matching to the mounted snapshots. Claims 2, 6 mounting the snapshots in the respective snapshot chains in reverse chronological order and determining whether the mounted snapshots are infected by malware. wherein determining whether the snapshots are infected comprises: applying YARA rules and hash matching to the mounted snapshot. Claim 10 hydrating data in a mounted snapshot before determining whether the mounted snapshots are infected. Claims 2, 8 mounting the snapshots in the respective snapshot chains in reverse chronological order and determining whether the mounted snapshots are infected by malware. hydrating data in a mounted snapshot before determining whether the snapshots are infected. With regards to claims 1,11,16, the Patent No. US 12,399,993 B2 teaches the plurality of object and a cut line extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line (See Claim 1 - across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line). However, Patent No. US 12,399,993 B2 does not explicitly teach that the plurality of object are in a computer system and the respective snapshots are indicated for recovery Warwick teaches the plurality of object are in a computer system and the respective snapshots are indicated for recovery (Fig.4 &9, ¶0112-¶0113 , ¶0009) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Patent No. US 12,399,993 B2 to include the teachings of Warwick. The motivation for doing so is to restore a computer system following an infection event. With regards to claims 5, 15,20, Patent No. US 12,399,993 B2 teaches identifying respective most recent snapshots in the respective snapshot chains that are not infected by malware, wherein the cut line is based at least in part on the respective most recent snapshots in each of the respective snapshot chains (See Claim 1 & 2 – teaches identifying a most recent snapshot in the respective snapshot chains that are not infected by malware, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned above the cut line – Note; This means that the cut line is based on most recent snapshots in each snapshot above or below cut line). With regards to claim 7, Patent No. US 12,399,993 B2 teaches refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (See claim 3 -. mounting the snapshots is repeated until at least one non-infected snapshot in the respective snapshot chains is identified – Note: This means that the snapshots are refrained ( not repeated) after non infected snapshot is identified. With regards to claim 8, Patent No. US 12,399,993 B2 teaches mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (See claim 4 - wherein mounting the snapshots is repeated past at least one non-infected snapshot in the respective snapshot chains being identified.– Note: This means that the snapshots are mounted after non infected snapshot is identified. With regards to Patent No. US 12,386,959 Claims 1-2,4,6-12,14,16—17,19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-18 of the Patent No. US 12,386,959 B2 in view of Warwick Claims 3,13,18 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-18 of the Patent No. US 12,386,959 B2 in view of Borate Below are the analysis to the claims. Claims 1-4,6-14,16-19 of Instant application Claim 1-18 of Patent No. US 12,386,959 B2 Claims 1,11,16 A method/apparatus/medium, comprising: Processor and memory storing instruction that ,when executed by the processor, cause the apparatus displaying a graphical user interface showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects in a computing system, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein the plurality of computing objects comprises at least two computing objects from among the following computing objects: a physical machine, a virtual machine, a file system, a database, or a network attached storage system, and a cut line extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line are indicated for recovery by the cut line; receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned on a second side of the cut line; and recovering, based at least in part on receiving the selection, for the respective computing objects, respective non-infected snapshots from the respective snapshot chains in accordance with the cut line and non-infected content in the infected snapshot. Claims 1,9,18 A method/apparatus/medium, comprising: Processor and memory storing instruction that ,when executed by the processor, cause the apparatus identifying, in respective snapshot chains for respective computing objects of a plurality of computing objects, a most recent, non-infected snapshot, wherein the identifying comprises mounting snapshots in the respective snapshot chains and determining whether the mounted snapshots are infected by malware, and wherein a first computing object of the plurality of computing objects is a first virtual machine, a first file system, a first database, or a first network attached storage system, and a second computing object of the plurality of computing objects is a second virtual machine, a second file system, a second database, or a second network attached storage system; displaying a graphical user interface showing: at least a portion of the respective snapshot chains, wherein the respective snapshot chains are represented as one or more individual snapshots, and wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line are restricted from being recovered; receiving a command to recover, for the respective computing objects, non-infected data; and recovering, in response to the command, for the respective computing objects, a non-infected snapshot from the respective snapshot chains in accordance with the cut line Claims 2,12,17 wherein the cut line delineates infected snapshots from non-infected snapshots, and wherein snapshots that are positioned on a second side of the cut line are restricted from being recovered.. Claims 1,9,18 a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line are restricted from being recovered are restricted from being recovered; Claims 4 ,14,19 receiving, based at least in part on the selection, a command to recover non- infected content for the respective computing objects. Claims 1,9,18 receiving a command to recover, for the respective computing objects, non-infected data Claim 6 wherein identifying the respective most recent snapshots comprises: mounting snapshots in the respective snapshot chains in reverse chronological order; and determining, for each of the mounted snapshots, whether the mounted snapshot is infected by malware Claim 3 identifying, in respective snapshot chains for respective computing objects of a plurality of computing objects, a most recent, non-infected snapshot, wherein the identifying comprises mounting snapshots in the respective snapshot chains and determining whether the mounted snapshots are infected by malware, wherein the identifying comprises: mounting the snapshots in the respective snapshot chains in reverse chronological order Claim 7 refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain. Claim 3 wherein the mounting and the determining is repeated until at least one non-infected snapshot in the respective snapshot chains is identified.. Claim 8 mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain Claim 4 wherein the mounting and the determining is repeated past at least one non-infected snapshot in the respective snapshot chains being identified Claim 9 wherein determining whether the mounted snapshots are infected comprises: applying YARA rules and hash matching to the mounted snapshots. Claims 1, 6 identifying, in respective snapshot chains for respective computing objects of a plurality of computing objects, a most recent, non-infected snapshot, wherein the identifying comprises mounting snapshots in the respective snapshot chains and determining whether the mounted snapshots are infected by malware,. wherein the determining comprises: applying YARA rules and hash matching to a mounted snapshot.. Claim 10 hydrating data in a mounted snapshot before determining whether the mounted snapshots are infected. Claims 1, 8 identifying, in respective snapshot chains for respective computing objects of a plurality of computing objects, a most recent, non-infected snapshot, wherein the identifying comprises mounting snapshots in the respective snapshot chains and determining whether the mounted snapshots are infected by malware,. hydrating data in a mounted snapshot before the determining. With regards to claims 1,11,16, the Patent No. US 12,386,959 B2 teaches the plurality of object and a cut line extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line (See Claim 1 - across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line). However, Patent No. US 12,386,959 B2 does not explicitly teach that the plurality of object are in a computer system and the respective snapshots are indicated for recovery, receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain. recovering respective non-infected snapshots in accordance with non infected content in the infected snapshot Warwick teaches the plurality of object are in a computer system and the respective snapshots are indicated for recovery, receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain. recovering respective non-infected snapshots in accordance with non infected content in the infected snapshot (Fig.4 &9, ¶0112-¶0113 , ¶0009, ¶0094-¶0096) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Patent No. US 12,386,959 B2 to include the teachings of Warwick. The motivation for doing so is to restore a computer system following an infection event. With regards to claims 3,13, 18 , Patent No. US 12,386,959 B2 does not explicitly teach mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected. However, Borate teaches mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected (Fig.4, ¶0045, ¶ 0058, ¶0060, ¶ 0074-¶ 0077). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Patent No. US 12,386,959 B2 to include the teachings of Borate. The motivation for doing so is to process data retrieval and restorations associated with malware affected files that improve the efficiency and cost of performing such restorations (Borate – ¶ 0016). With regards to claims 4,14,19, the Patent No. US 12,386,959 B2 teaches receiving a command to recover, for the respective computing objects, non-infected data (See Claims 1,11,20) However, Patent No. US 12,386,959 B2 does not explicitly teach receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains. Warwick teaches receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains (Fig.4 &9, ¶0112-¶0113 , ¶0009, ¶0094-¶0096) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Patent No. US 12,386,959 B2 to include the teachings of Warwick. The motivation for doing so is to restore a computer system following an infection event. With regards to claim 7, Patent No. US 12,386,959 B2 teaches refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (See claim 3 -. mounting the snapshots is repeated until at least one non-infected snapshot in the respective snapshot chains is identified – Note: This means that the snapshots are refrained ( not repeated) after non infected snapshot is identified. With regards to claim 8, Patent No. US 12,386,959 B2 teaches mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (See claim 4 - wherein mounting the snapshots is repeated past at least one non-infected snapshot in the respective snapshot chains being identified.– Note: This means that the snapshots are mounted after non infected snapshot is identified. With regards to Copending application 19/286,072 Claims 1-2,4-12,14 -17,19 -20 are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of the Copending application 19/286,072 in view of Warwick Claims 3,13,18 are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of the Copending application 19/286,072 in view of Borate Below are the analysis to the claims. Claims 1-20 of Instant application Claim 1-20 of Copending app 19/286,072 Claims 1,11,16 A method/apparatus/medium, comprising: Processor and memory storing instruction that ,when executed by the processor, cause the apparatus displaying a graphical user interface showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects in a computing system, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein the plurality of computing objects comprises at least two computing objects from among the following computing objects: a physical machine, a virtual machine, a file system, a database, or a network attached storage system, and a cut line extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line are indicated for recovery by the cut line; receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned on a second side of the cut line; and recovering, based at least in part on receiving the selection, for the respective computing objects, respective non-infected snapshots from the respective snapshot chains in accordance with the cut line and non-infected content in the infected snapshot. Claims 1,11,20 A method/apparatus/medium, comprising: Processor and memory storing instruction that ,when executed by the processor, cause the apparatus displaying a graphical user interface showing at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects, wherein the respective snapshot chains are represented as one or more individual snapshots, and wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, the plurality of computing objects comprising one or more virtual machines, one or more file systems, one or more databases, one or more network attached storage systems, or any combination thereof, and across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line are restricted from being recovered, and wherein the cut line is based at least in part on respective most recent non-infected snapshots for the respective snapshot chains; receiving a command to recover, for the respective computing objects, non-infected data; and recovering, in response to the command, for the respective computing objects, a non-infected snapshot from the respective snapshot chains in accordance with the cut line. Claims 2,12,17 wherein the cut line delineates infected snapshots from non-infected snapshots, and wherein snapshots that are positioned on a second side of the cut line are restricted from being recovered.. Claims 1,11,20 a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line are restricted from being recovered are restricted from being recovered; Claims 4 ,14,19 receiving, based at least in part on the selection, a command to recover non- infected content for the respective computing objects. Claims 1,11,20 receiving a command to recover, for the respective computing objects, non-infected data Claims 5,15,20 identifying respective most recent snapshots in the respective snapshot chains that are not infected by malware, wherein the cut line is based at least in part on the respective most recent snapshots in each of the respective snapshot chains. Claims, 1,11,20 wherein the cut line is based at least in part on respective most recent non-infected snapshots for the respective snapshot chain Claim 6 wherein identifying the respective most recent snapshots comprises: mounting snapshots in the respective snapshot chains in reverse chronological order; and determining, for each of the mounted snapshots, whether the mounted snapshot is infected by malware Claims 2& 3 mounting snapshots in the respective snapshot chains; and determining whether the mounted snapshots are infected by malware, wherein the representation is based at least in part on the determining. wherein mounting the snapshots comprises: mounting the snapshots in the respective snapshot chains in reverse chronological order. Claim 7 refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain. Claim 4 wherein the mounting and the determining is repeated until at least one non-infected snapshot in the respective snapshot chains is identified.. Claim 8 mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain Claim 5 wherein the mounting and the determining is repeated past at least one non-infected snapshot in the respective snapshot chains being identified Claim 9 wherein determining whether the mounted snapshots are infected comprises: applying YARA rules and hash matching to the mounted snapshots. Claims 2, 6 determining whether the mounted snapshots are infected by malware,. wherein the determining comprises: applying YARA rules and hash matching to a mounted snapshot.. Claim 10 hydrating data in a mounted snapshot before determining whether the mounted snapshots are infected. Claims 2, 8 determining whether the mounted snapshots are infected by malware, wherein the representation is based at least in part on the determining.,. hydrating data in a mounted snapshot before the determining. With regards to claims 1,11,16, the Copending application 19/286,072 teaches the plurality of object and a cut line extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line (See Claim 1 - across the respective snapshot chains, a cut line delineating infected snapshots from non-infected snapshots, wherein snapshots above the cut line). However, Patent Copending application 19/286,072 does not explicitly teach that the plurality of object are in a computer system and the respective snapshots are indicated for recovery, receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain. recovering respective non-infected snapshots in accordance with non infected content in the infected snapshot Warwick teaches the plurality of object are in a computer system and the respective snapshots are indicated for recovery, receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain. recovering respective non-infected snapshots in accordance with non infected content in the infected snapshot (Fig.4 &9, ¶0112-¶0113 , ¶0009, ¶0094-¶0096) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Copending application 19/286,072 to include the teachings of Warwick. The motivation for doing so is to restore a computer system following an infection event. With regards to claims 3,13, 18 , Copending application 19/286,072 does not explicitly teach mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected. However, Borate teaches mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected (Fig.4, ¶0045, ¶ 0058, ¶0060, ¶ 0074-¶ 0077). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Copending application 19/286,072 to include the teachings of Borate. The motivation for doing so is to process data retrieval and restorations associated with malware affected files that improve the efficiency and cost of performing such restorations (Borate – ¶ 0016). With regards to claims 4,14,19, the Copending application 19/286,072 teaches receiving a command to recover, for the respective computing objects, non-infected data (See Claims 1,11,20) However, Copending application 19/286,072 does not explicitly teach receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains. Warwick teaches receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains (Fig.4 &9, ¶0112-¶0113 , ¶0009, ¶0094-¶0096) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Copending application 19/286,072 to include the teachings of Warwick. The motivation for doing so is to restore a computer system following an infection event. With regards to claims 5,15,20, the Copending application 19/286,072 does not explicitly teach identifying respective most recent snapshots in the respective snapshot chains that are not infected by malware,. Warwick teaches identifying respective most recent snapshots in the respective snapshot chains that are not infected by malware (Fig.4 &9, ¶0112-¶0113 , ¶0009, ¶0094-¶0096) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Copending application 19/286,072 to include the teachings of Warwick. The motivation for doing so is to restore a computer system following an infection event. With regards to claim 6, the Copending application 19/286,072 does not explicitly teach identifying respective most recent snapshots in the respective snapshot chains Warwick teaches identifying respective most recent snapshots in the respective snapshot chains (Fig.4 &9, ¶0112-¶0113 , ¶0009, ¶0094-¶0096) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Copending application 19/286,072 to include the teachings of Warwick. The motivation for doing so is to restore a computer system following an infection event. With regards to claim 7, Copending application 19/286,072 teaches refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (See claim 4 -. mounting the snapshots is repeated until at least one non-infected snapshot in the respective snapshot chains is identified – Note: This means that the snapshots are refrained ( not repeated) after non infected snapshot is identified. With regards to claim 8, Copending application 19/286,072 teaches mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (See claim 5- wherein mounting the snapshots is repeated past at least one non-infected snapshot in the respective snapshot chains being identified.– Note: This means that the snapshots are mounted after non infected snapshot is identified. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1,2,4,5,11,12,14,15,16,17,19,20 are rejected under 35 U.S.C. 103 as being unpatentable over Warwick et al. Publication No. US 2022/0245250 A1 ( Warwick hereinafter) in view of Hoche et al. Publication No. US 2005/0091538 A1 ( Hoche hereinafter). Regarding claim 1, Warwick teaches a method (Abstract), comprising: displaying a graphical user interface (¶0019, Fig.4,Fig.9) showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects in a computing system, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein the plurality of computing objects comprises at least two computing objects from among the following computing objects: a physical machine, a virtual machine, a file system, a database, or a network attached storage system (Abstract - The computer system can have a plurality of machines, in which a plurality of back-up copies are associated with each one of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up - Fig.4, Fig.9 ¶0043, ¶0112, ¶0113 – protection map graphically illustrates the status of the respective backups for each machine of interest as a functions of time/date. Color coding maybe used to denote a backup that is known to be infected (for example red or flashing red for a confirmed infected backup, bright green for a confirmed clean backup, pale green for an assumed clean backup) Note: the protection map displays histories of plurality of snapshot chains mapped out for distinct computing objects -¶0020 -The elements associated with the plurality of machines may include an indication of a status for each of the plurality of back-up copies associated with the respective machines – Fig. 3, ¶0094 - determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries – ¶0002 - Public and private organizations of all shapes and sizes rely on the reliable and secure operation of their computer networks. It is not uncommon for a particular proprietor's network to contain thousands of machines, or virtual machines, spread across the globe. The interconnectivity of these machines allows collaboration but also increases the risk of infection by malware or ransomware, as the number of infection points increases – Note: the protection Map grid explicitly targets like databases (SQL) and virtual machines), and a cut [..] extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line are indicated for recovery by the cut line (Fig.4 identifying clean backup vs. infected backup – ¶0009- The method may comprise identifying a pre-event clean-back-up copy created before the infection-datum time. The method may comprise identifying a post-event back-up copy created after the infection-datum-time. The method may comprise restoring one or more of the plurality of machines using the pre-event clean-back-up copy and the post-event back-up copy - ¶ 0112 -Turning to FIGS. 9 and 10, which show examples of the protection map 908, 1008, or grid, introduced previously with reference to FIG. 4, the protection map graphically illustrates the status of the respective backups for each machine of interest as a functions of time/date. Color coding may be used to denote a backup that is known to be infected (for example red or flashing red for a confirmed infected backup, bright green for a confirmed clean backup, pale green for an assumed clean backup – Note: the system uses an RID across recovery groups to divide backup to infected backups vs non infected backups ). ; receiving a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned on a second side of the cut [..] (Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶ 0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action. The method then proceeds to a thirteenth step 326, which is a decision step. For a machine backed up by SP, the method proceeds to a fourteenth step 328, in which the SP VMs Client will send the command to SP for the VM to recover the relevant machines to a quarantine network that is isolated from the rest of the computer system ); and recovering, based at least in part on receiving the selection, for the respective computing objects, respective non-infected snapshots from the respective snapshot chains in accordance with the cut [..] and non-infected content in the infected snapshot (¶ 0098- Client sends a command back to the portal indicating if the recovery has been successful or has failed. The method then proceeds to a seventeenth step 334, which is a decision step. If the recovery has not been successful then the method proceeds to an eighteenth step 336 in which an error message on the portal is displayed to show that the recovery was unsuccessful. Alternatively, if the recovery has been successful, then the method proceeds to a nineteenth step 338 in which the Client receives the command and cuts off the connection to the main network and connects instead to the quarantine network ). Warwick teaches distinguishing between the non- infected backups from infected backups on a timeline using recovery point/RID time (Fig.9,Fig.4). However, Warwick does not explicitly teach that the distinction is made using a cut line Hoche teaches a cut line extending across non infection and infection (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 2, Warwick further teaches wherein the cut [..] delineates infected snapshots from non-infected snapshots, and wherein snapshots that are positioned on a second side of the cut [..] are restricted from being recovered (Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action). Warwick teaches delineates infected snapshots from non-infected snapshots, on a timeline using recovery point/RID time (Fig.9,Fig.4). However, Warwick does not explicitly teach using the cut line Hoche teaches cut line delineates infection from non-infection (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 4, Warwick further teaches receiving, based at least in part on the selection, a command to recover non- infected content for the respective computing objects( Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶ 0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action. The method then proceeds to a thirteenth step 326, which is a decision step. For a machine backed up by SP, the method proceeds to a fourteenth step 328, in which the SP VMs Client will send the command to SP for the VM to recover the relevant machines to a quarantine network that is isolated from the rest of the computer system ). Regarding claim 5, Warwick further teaches identifying respective most recent snapshots in the respective snapshot chains that are not infected by malware, wherein the cut [..] is based at least in part on the respective most recent snapshots in each of the respective snapshot chains (¶0071 - using restore a, comparing files from that system with equivalent files from restore b; and v) if those files have a more recent date stamp and are flagged as clean, moving those files across from the image in restore b to the image in restore a. ¶0121 - Alternatively, as shown in FIG. 9, one of the nodes has failed its antivirus process for the most recent backup, resulting in the RID time 909 for that node being pushed back to the next most recent backup . ¶0104 - The activity portion 404 comprises a panic button 505 to initiate the recovery engine. The activity portion 404 also comprises a list 407 of recent events. The number of recent events displayed may be controlled and the events may be color-coded. The events may comprise a list of the actions taken by the software – See Also Fig.4 & 6). Warwick teaches that the recovery point /RID time is based on most recent snapshot (Fig.9,Fig.4, ¶0071, 0121). However, Warwick does not explicitly teach using the cut line Hoche teaches Cut line (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 11, Warwick teaches an apparatus (Abstract), comprising: processor; and a memory storing instructions that, when executed by the processor, cause the apparatus to: display a graphical user interface (¶0019, Fig.4,Fig.9) showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects in a computing system, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein the plurality of computing objects comprises at least two computing objects from among the following computing objects: a physical machine, a virtual machine, a file system, a database, or a network attached storage system (Abstract - The computer system can have a plurality of machines, in which a plurality of back-up copies are associated with each one of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up - Fig.4, Fig.9 ¶0043, ¶0112, ¶0113 – protection map graphically illustrates the status of the respective backups for each machine of interest as a functions of time/date. Color coding maybe used to denote a backup that is known to be infected (for example red or flashing red for a confirmed infected backup, bright green for a confirmed clean backup, pale green for an assumed clean backup) Note: the protection map displays histories of plurality of snapshot chains mapped out for distinct computing objects -¶0020 -The elements associated with the plurality of machines may include an indication of a status for each of the plurality of back-up copies associated with the respective machines – Fig. 3, ¶0094 - determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries – ¶0002 - Public and private organizations of all shapes and sizes rely on the reliable and secure operation of their computer networks. It is not uncommon for a particular proprietor's network to contain thousands of machines, or virtual machines, spread across the globe. The interconnectivity of these machines allows collaboration but also increases the risk of infection by malware or ransomware, as the number of infection points increases – Note: the protection Map grid explicitly targets like databases (SQL) and virtual machines), and a cut [..] extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line are indicated for recovery by the cut line (Fig.4 identifying clean backup vs. infected backup – ¶0009- The method may comprise identifying a pre-event clean-back-up copy created before the infection-datum time. The method may comprise identifying a post-event back-up copy created after the infection-datum-time. The method may comprise restoring one or more of the plurality of machines using the pre-event clean-back-up copy and the post-event back-up copy - ¶ 0112 -Turning to FIGS. 9 and 10, which show examples of the protection map 908, 1008, or grid, introduced previously with reference to FIG. 4, the protection map graphically illustrates the status of the respective backups for each machine of interest as a functions of time/date. Color coding may be used to denote a backup that is known to be infected (for example red or flashing red for a confirmed infected backup, bright green for a confirmed clean backup, pale green for an assumed clean backup – Note: the system uses an RID across recovery groups to divide backup to infected backups vs non infected backups ). ; receive a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned on a second side of the cut [..] (Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶ 0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action. The method then proceeds to a thirteenth step 326, which is a decision step. For a machine backed up by SP, the method proceeds to a fourteenth step 328, in which the SP VMs Client will send the command to SP for the VM to recover the relevant machines to a quarantine network that is isolated from the rest of the computer system ) ; and recover, based at least in part on receiving the selection, for the respective computing objects, respective non-infected snapshots from the respective snapshot chains in accordance with the cut [..] and non-infected content in the infected snapshot (¶ 0098- Client sends a command back to the portal indicating if the recovery has been successful or has failed. The method then proceeds to a seventeenth step 334, which is a decision step. If the recovery has not been successful then the method proceeds to an eighteenth step 336 in which an error message on the portal is displayed to show that the recovery was unsuccessful. Alternatively, if the recovery has been successful, then the method proceeds to a nineteenth step 338 in which the Client receives the command and cuts off the connection to the main network and connects instead to the quarantine network )- Warwick teaches distinguishing between the non- infected backups from infected backups on a timeline using recovery point/RID time (Fig.9,Fig.4). However, Warwick does not explicitly teach the distinction is made using a cut line Hoche teaches a cut line extending across non infection and infection (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 12, Warwick further teaches wherein the cut [..] delineates infected snapshots from non-infected snapshots, and wherein snapshots that are positioned on a second side of the cut [..] are restricted from being recovered ((Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action). Warwick teaches delineates infected snapshots from non-infected snapshots, on a timeline using recovery point/RID time (Fig.9,Fig.4). However, Warwick does not explicitly teach using a cut line Hoche teaches cut line delineates infection from non-infection (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 14, Warwick further teaches receive, based at least in part on the selection, a command to recover non- infected content for the respective computing objects Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶ 0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action. The method then proceeds to a thirteenth step 326, which is a decision step. For a machine backed up by SP, the method proceeds to a fourteenth step 328, in which the SP VMs Client will send the command to SP for the VM to recover the relevant machines to a quarantine network that is isolated from the rest of the computer system ). Regarding claim 15, Warwick further teaches identify respective most recent snapshots in the respective snapshot chains that are not infected by malware, wherein the cut [..] is based at least in part on the respective most recent snapshots in each of the respective snapshot chains (¶0071 - using restore a, comparing files from that system with equivalent files from restore b; and v) if those files have a more recent date stamp and are flagged as clean, moving those files across from the image in restore b to the image in restore a. ¶0121 - Alternatively, as shown in FIG. 9, one of the nodes has failed its antivirus process for the most recent backup, resulting in the RID time 909 for that node being pushed back to the next most recent backup . ¶0104 - The activity portion 404 comprises a panic button 505 to initiate the recovery engine. The activity portion 404 also comprises a list 407 of recent events. The number of recent events displayed may be controlled and the events may be color-coded. The events may comprise a list of the actions taken by the software – See Also Fig.4 & 6). Warwick teaches that the Recovery point/RID time based at least in part on the respective most recent snapshots (Fig.9,Fig.4, ¶0071, ¶0121). However, Warwick does not explicitly teach using the cut line Hoche teaches Cut line (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection ). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 16, Warwick teaches a non-transitory, computer-readable medium storing code comprising instructions executable by a processor of a device to cause the device to (Abstract): display a graphical user interface (¶0019, Fig.4,Fig.9) showing: at least a portion of respective snapshot chains for respective computing objects of a plurality of computing objects in a computing system, wherein the respective snapshot chains are represented as one or more individual snapshots, wherein a representation of an individual snapshot indicates whether the individual snapshot is infected with malware, and wherein the plurality of computing objects comprises at least two computing objects from among the following computing objects: a physical machine, a virtual machine, a file system, a database, or a network attached storage system (Abstract - The computer system can have a plurality of machines, in which a plurality of back-up copies are associated with each one of the plurality of machines, and in which each of the plurality of back-up copies associated with a particular machine is a different version back-up - Fig.4, Fig.9 ¶0043, ¶0112, ¶0113 – protection map graphically illustrates the status of the respective backups for each machine of interest as a functions of time/date. Color coding maybe used to denote a backup that is known to be infected (for example red or flashing red for a confirmed infected backup, bright green for a confirmed clean backup, pale green for an assumed clean backup) Note: the protection map displays histories of plurality of snapshot chains mapped out for distinct computing objects -¶0020 -The elements associated with the plurality of machines may include an indication of a status for each of the plurality of back-up copies associated with the respective machines – Fig. 3, ¶0094 - determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries – ¶0002 - Public and private organizations of all shapes and sizes rely on the reliable and secure operation of their computer networks. It is not uncommon for a particular proprietor's network to contain thousands of machines, or virtual machines, spread across the globe. The interconnectivity of these machines allows collaboration but also increases the risk of infection by malware or ransomware, as the number of infection points increases – Note: the protection Map grid explicitly targets like databases (SQL) and virtual machines), and a cut [..] extending across the respective snapshot chains, wherein respective snapshots in the respective snapshot chains that are positioned on a first side of the cut line are indicated for recovery by the cut line (Fig.4 identifying clean backup vs. infected backup – ¶0009- The method may comprise identifying a pre-event clean-back-up copy created before the infection-datum time. The method may comprise identifying a post-event back-up copy created after the infection-datum-time. The method may comprise restoring one or more of the plurality of machines using the pre-event clean-back-up copy and the post-event back-up copy - ¶ 0112 -Turning to FIGS. 9 and 10, which show examples of the protection map 908, 1008, or grid, introduced previously with reference to FIG. 4, the protection map graphically illustrates the status of the respective backups for each machine of interest as a functions of time/date. Color coding may be used to denote a backup that is known to be infected (for example red or flashing red for a confirmed infected backup, bright green for a confirmed clean backup, pale green for an assumed clean backup – Note: the system uses an RID across recovery groups to divide backup to infected backups vs non infected backups ). ; receive a selection of an infected snapshot in a snapshot chain of the respective snapshot chains, wherein the infected snapshot is more recent than a most recent non-infected snapshot identified in the snapshot chain and is positioned on a second side of the cut [..] (Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶ 0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action. The method then proceeds to a thirteenth step 326, which is a decision step. For a machine backed up by SP, the method proceeds to a fourteenth step 328, in which the SP VMs Client will send the command to SP for the VM to recover the relevant machines to a quarantine network that is isolated from the rest of the computer system ) ; and recover, based at least in part on receiving the selection, for the respective computing objects, respective non-infected snapshots from the respective snapshot chains in accordance with the cut [..] and non-infected content in the infected snapshot (¶ 0098- Client sends a command back to the portal indicating if the recovery has been successful or has failed. The method then proceeds to a seventeenth step 334, which is a decision step. If the recovery has not been successful then the method proceeds to an eighteenth step 336 in which an error message on the portal is displayed to show that the recovery was unsuccessful. Alternatively, if the recovery has been successful, then the method proceeds to a nineteenth step 338 in which the Client receives the command and cuts off the connection to the main network and connects instead to the quarantine network )- Warwick teaches distinguishing between the non- infected backups from infected backups on a timeline using recovery point/RID time (Fig.9,Fig.4). However, Warwick does not explicitly teach the distinction is made using a cut line Hoche teaches a cut line extending across non infection and infection (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 17, Warwick further teaches wherein the cut [..] delineates infected snapshots from non-infected snapshots, and wherein snapshots that are positioned on a second side of the cut [..] are restricted from being recovered ((Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action). Warwick teaches delineates infected snapshots from non-infected snapshots, on a timeline using recovery point/RID time (Fig.9,Fig.4). However, Warwick does not explicitly teach using a cut line Hoche teaches cut line delineates infection from non-infection (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Regarding claim 19, Warwick further teaches receive, based at least in part on the selection, a command to recover non- infected content for the respective computing objects Fig.3, ¶ 0094 -The method determines whether any files have been identified that have an infection signature within a backup. If such files have been found then the method moves to a seventh step 314 in which the backup is marked as dirty (i.e. as infected with malware ), which may be marked by providing a flashing red light on a grid of back-up entries. The method then proceeds to an eighth step 316, which is a decision step. The method checks to determine whether there exists any previous (i.e. earlier) backup. If such a backup does exist (which may, by virtue of having been created earlier, be infection free) then the method returns to the third step 306 to iterate through the step from the third step 306 onwards ¶ 0096 - user can drag and drop the machines shown as dirty onto the 'Recovery GFIS Clean to PQC' action. The method then proceeds to the twelfth step 324 in which a command is sent to the Client containing a list of machines dragged and dropped on to the ' Recover GFIS Clean to PCQ' action. The method then proceeds to a thirteenth step 326, which is a decision step. For a machine backed up by SP, the method proceeds to a fourteenth step 328, in which the SP VMs Client will send the command to SP for the VM to recover the relevant machines to a quarantine network that is isolated from the rest of the computer system ). Regarding claim 20, Warwick further teaches Identify respective most recent snapshots in the respective snapshot chains that are not infected by malware, wherein the cut [..] is based at least in part on the respective most recent snapshots in each of the respective snapshot chains (¶0071 - using restore a, comparing files from that system with equivalent files from restore b; and v) if those files have a more recent date stamp and are flagged as clean, moving those files across from the image in restore b to the image in restore a. ¶0121 - Alternatively, as shown in FIG. 9, one of the nodes has failed its antivirus process for the most recent backup, resulting in the RID time 909 for that node being pushed back to the next most recent backup . ¶0104 - The activity portion 404 comprises a panic button 505 to initiate the recovery engine. The activity portion 404 also comprises a list 407 of recent events. The number of recent events displayed may be controlled and the events may be color-coded. The events may comprise a list of the actions taken by the software – See Also Fig.4 & 6). Warwick teaches recovery point/RID time is based at least in part on respective most recent snapshot (Fig.9,Fig.4, ¶ 0071, ¶ 0121). However, Warwick does not explicitly teach using the cut line Hoche teaches Cut line (¶0044 - The diagram illustrates the infection process in a discrete time domain. Beginning at vertex 2 the virus is propagated via the edges [1,2], [1,6], and [1,7]; infecting the network nodes 3, 6, and 7 within the first wave 18. The next snapshot shows the infection of the network nodes 3,4,5,8, 9,13,14,15 via the corresponding edges [1,3] [1,4],[2,3],[2, 8],[2,9],[6,5], ... Note that a network node could even be infected twice, e.g. the network node 3. At each time a set of infections is processed which could be presented by a set of origin-target-pairs via an edge. Fig.5 shows a cut line extending across infection and disinfection). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify recovery point/RID that distinguish between infected snapshots and non infected snapshots taught by Warwick to include the cut line across infections and non infections taught by Hoche. The motivation for doing so is to allow the system to screen and disinfect a communication network for viral infection (Hoche – ¶0012). Claims 3,13,18 are rejected under 35 U.S.C. 103 as being unpatentable over Warwick in view of Hoche further in view of Borate et al. Publication No. US 2022/0100378 A1 ( Borate hereinafter) Regarding claim 3, Warwick does not explicitly teach mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected. Borate teaches mounting, in response to the selection, the infected snapshot; and determining, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected (¶0045 - the restoration engine 260 may wait until the user provides instructions to check one or more previous backup snapshots to identify a clean version of the file; the restoration engine 260 may check the first backup snapshot and one or more previous backup snapshots to identify a clean version of each file captured in the first backup snapshot. The identification of clean versions of the files is described in further detail with FIGS. 3 and 5A-C - See Also Fig.6, ¶0074 - ¶ 0077 - Fig.6 shows identifying a snapshot in a snapshot chain that is not infected by malware (Snapshot July -1, All files are clean, and all these snapshots are mounted in order to determine if the files inside the snapshots are infected - Note: the term mounting can defined as making the snapshot accessible on a mount point in order to be used for restoration ); It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Borate. The motivation for doing so is to allow the system to recover one or more files after a malware attack. (Borate – ¶0002). Regarding claim 13, Warwick does not explicitly teach mount, in response to the selection, the infected snapshot; and determine, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected. Borate teaches mount, in response to the selection, the infected snapshot; and determine, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected (¶0045 - the restoration engine 260 may wait until the user provides instructions to check one or more previous backup snapshots to identify a clean version of the file; the restoration engine 260 may check the first backup snapshot and one or more previous backup snapshots to identify a clean version of each file captured in the first backup snapshot. The identification of clean versions of the files is described in further detail with FIGS. 3 and 5A-C - See Also Fig.6, ¶0074 - ¶ 0077 - Fig.6 shows identifying a snapshot in a snapshot chain that is not infected by malware (Snapshot July -1, All files are clean, and all these snapshots are mounted in order to determine if the files inside the snapshots are infected - Note: the term mounting can defined as making the snapshot accessible on a mount point in order to be used for restoration ); It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Borate. The motivation for doing so is to allow the system to recover one or more files after a malware attack. (Borate – ¶0002). Regarding claim 18, Warwick does not explicitly teach mount, in response to the selection, the infected snapshot; and determine, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected. However, Borate teaches mount, in response to the selection, the infected snapshot; and determine, based at least in part on mounting the infected snapshot, which content in the infected snapshot is not infected (¶0045 - the restoration engine 260 may wait until the user provides instructions to check one or more previous backup snapshots to identify a clean version of the file; the restoration engine 260 may check the first backup snapshot and one or more previous backup snapshots to identify a clean version of each file captured in the first backup snapshot. The identification of clean versions of the files is described in further detail with FIGS. 3 and 5A-C - See Also Fig.6, ¶0074 - ¶ 0077 - Fig.6 shows identifying a snapshot in a snapshot chain that is not infected by malware (Snapshot July -1, All files are clean, and all these snapshots are mounted in order to determine if the files inside the snapshots are infected - Note: the term mounting can defined as making the snapshot accessible on a mount point in order to be used for restoration ); It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Borate. The motivation for doing so is to allow the system to recover one or more files after a malware attack. (Borate – ¶0002). Claims 6,8 are rejected under 35 U.S.C. 103 as being unpatentable over Warwick in view of Hoche further in view of Borate further in view of Westenberg et al. Patent No. US 8,495,037 B1 (Westenberg hereinafter) Regarding claim 6, Warwick further teaches wherein identifying the respective most recent snapshots (¶0071, ¶0121). However, Warwick does not explicitly teach mounting snapshots in the respective snapshot chains in reverse chronological order; and determining, for each of the mounted snapshots, whether the mounted snapshot is infected by malware. Borate teaches mounting snapshots in the respective snapshot chains[..]; and determining, for each of the mounted snapshots, whether the mounted snapshot is infected by malware (¶0045 - the restoration engine 260 may wait until the user provides instructions to check one or more previous backup snapshots to identify a clean version of the file; the restoration engine 260 may check the first backup snapshot and one or more previous backup snapshots to identify a clean version of each file captured in the first backup snapshot. The identification of clean versions of the files is described in further detail with FIGS. 3 and 5A-C - See Also Fig.6, ¶0074 - ¶ 0077 - Fig.6 shows identifying a snapshot in a snapshot chain that is not infected by malware (Snapshot July -1, All files are clean, and all these snapshots are mounted in order to determine if the files inside the snapshots are infected - Note: the term mounting can defined as making the snapshot accessible on a mount point in order to be used for restoration ); It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Borate. The motivation for doing so is to allow the system to recover one or more files after a malware attack. (Borate – ¶ 002). Warwick in view of Borate does not explicitly teach mounting snapshots in the respective snapshot chains in reverse chronological order Westenberg teaches mounting snapshots in the respective snapshot chains in reverse chronological order (Col.7, lines 20-40 - the operations of the backup manager 120 in response to the indication of an infection may vary in some respects from those illustrated in FIG. 2, or may be performed in a different order than the order shown. In one embodiment where the analysis is performed in 25 reverse chronological order, for example, as soon as a particular backup version 130 is found to differ from an infected data object (or from an infected backup version), further analysis of earlier versions may be abandoned. For example, in a scenario where three backup versions 130X, 130Y and 30 130Z of a data object 110 that has been found to be infected were created at respective times T, (T+a), and (T+a+b), the backup manager 120 may be configured to analyze 130Z before 130Y, and 130Y before 130X. If the analysis of backup version 130Z indicates that backup version 130Z differs from 35 an infected version, analysis of backup versions 130Y and 13 OX (which were created earlier) may not be required, based on an inference by the backup manager 120 that versions 130Y and 130X must also differ from the infected version). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick in view of Borate to include the teachings of Westenberg. The motivation for doing so is to allow the system to efficiently identify those specific backup versions that, if used for restore operations, may result in malicious-software infections being reintroduced into the live data set 105, and thus prevent such potentially damaging restore operations (Westenberg - Col.5, lines 47- 55). Regarding claim 8, Warwick does not explicitly teach mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain. However, Borate teaches mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (Fig.6, ¶0071-¶0077 shows that the mounting and determination repeated past a non infected snapshot (snapshot July 1 - See Also ¶0065). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Borate. The motivation for doing so is to allow the system to recover one or more files after a malware attack. (Borate – ¶ 0002). Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Warwick in view of Hoche further in view of Borate further in view of Westenberg further in view of Kulaga et al. Publication No.US 2020/0319979 A1 ( Kulaga hereinafter) Regarding claim 7, Warwick does not explicitly teach refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain. However, Kulaga teaches refraining from mounting additional snapshots in a respective snapshot chain of the respective snapshot chains after a non-infected snapshot is identified in the respective snapshot chain (¶ 0035 - In other exemplary aspects, the BR agent 120 may also mount any backup or slice from a backup as a virtual volume to perform additional anti-virus scanning. The mounted backup may also be used to search for safe versions of data. This can prove particularly useful allowing an administrator of the system 100 to treat the backup or slice as an ordinary disk or volume) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Kulaga. The motivation for doing SO is to allow the system to restore a clean backup that is safe from malware after a malware attack (Kulaga- ¶0002). Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Warwick in view of Hoche further in view of Borate further in view of Westenberg further in view of Kulaga further in view of Jung et al. Publication No. US 2020/0201998 A1 (Jung hereinafter). Regarding claim 9, Warwick does not explicitly teach wherein determining whether the mounted snapshots are infected comprises: applying YARA rules and hash matching to the mounted snapshots. However, Borate teaches wherein determining whether the mounted snapshots are infected (¶0045 - the restoration engine 260 may wait until the user provides instructions to check one or more previous backup snapshots to identify a clean version of the file; the restoration engine 260 may check the first backup snapshot and one or more previous backup snapshots to identify a clean version of each file captured in the first backup snapshot. The identification of clean versions of the files is described in further detail with FIGS. 3 and 5A-C - See Also Fig.6, ¶0074 - ¶ 0077 - Fig.6 shows identifying a snapshot in a snapshot chain that is not infected by malware (Snapshot July -1, All files are clean, and all these snapshots are mounted in order to determine if the files inside the snapshots are infected - Note: the term mounting can defined as making the snapshot accessible on a mount point in order to be used for restoration ); It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Borate. The motivation for doing so is to allow the system to recover one or more files after a malware attack. (Borate – ¶ 0002). Warwick in view of Borate does not explicitly teach applying YARA rules and hash matching to the mounted snapshots. However, Kulaga teaches applying hash matching to a mounted snapshot (¶0049 - At 314, the BR agent 120 compares the list of dangerous objects with the one or more snapshots to determine when the malware attack occurred. In some aspects, the snapshot module 122 may track modifications to files in the list of files by comparing hash sums in the one or more snapshots over time to see if the hash sum has changed, indicating possible malware modification.). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Kulaga. The motivation for doing SO is to allow the system to restore a clean backup that is safe from malware after a malware attack. (Kulaga- ¶ 0002). Jung teaches applying YARA rules to the mounted snapshots ( ¶0092, ¶ 0121 - identifying malware families using YARA rules or similar techniques - ¶ 0129 – ¶ 0130 -. search process memory for the list of memory locations (e.g., system API function pointers) is performed. For example, each of these memory locations (e.g., system API function pointers) can be flattened into rules (e.g., YARA rule (604)) that can then be used to efficiently search all process memory. In this example implementation, instead of searching one pointer at a time which is inefficient and time consuming, all memory is searched using the concurrent search (350) to reduce the search complexity by an order of magnitude to facilitate a significantly more efficient and computationally less expensive operation (e.g., as discussed above, a scan of the 10,000 to 20,000 WINAPI pointers can be performed in less than one second) periodically searching memory is performed after predetermined execution events to detect any memory pointers in the memory. For example, another snapshot can be performed and memory can be searched whenever certain execution events occur (e.g., system call/ API events, unpacked code is executed (in which unpack checks can be performed whenever a system call is detected, such that there can be 2-N snapshots performed), or when the process terminates, as well as at the start of the process as described above), and the flattened search rule can be used to detect any memory pointers ( e.g., including system API function pointers) in the memory (e.g., which can then be cached/stored in the pointer cache (336)). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick in view of Kulaga to include the teachings of Jung. The motivation for doing so is to allow the system to search the snapshots using the concurrent search to reduce the search complexity by an order of magnitude to facilitate a significantly more efficient and computationally less expensive operation (Jung – ¶ 0129). Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Warwick in view of Hoche further in view of Borate further in view of Westenberg further in view of Gaurav et al. Publication No. US 2020/0226256 A1 ( Gaurav hereinafter) Regarding claim 10, Warwick does not explicitly teach hydrating data in a mounted snapshot before determining whether the mounted snapshots are infected. However, Gaurav teaches hydrating data in a mounted snapshot before determining whether the mounted snapshots are infected (¶ 0029 - Regardless if the view of the file system data corresponds to a full backup snapshot or an incremental backup snapshot, the view of the file system data corresponding to the backup snapshot provides a fully hydrated backup snapshot that provides a complete view of the primary system at a moment in time corresponding to when the backup snapshot was performed. The view of file system data may allow any file that was stored on the primary system at the time. The view of file system data may allow any file that was stored on the primary system at the time the corresponding backup snapshot was performed, to be retrieved, restored, or replicated ¶0032 The file system metadata snapshot tree associated with the backup snapshot may be traversed to determine a total amount of data that was added since a previous backup snapshot. An incremental backup snapshot with a large amount of data may indicate that the primary system was infected with malicious software because the malicious software may encrypt portions of the primary system). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Warwick to include the teachings of Gaurav. The motivation for doing so is to allow the system to efficiently restore clean backup snapshot (Gaurav - Fig.8, ¶ 0214-¶ 217). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659. The examiner can normally be reached Monday - Friday 8:30 AM -5:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached at (571) 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /YOUNES NAJI/Primary Examiner, Art Unit 2445
Read full office action

Prosecution Timeline

Jan 29, 2025
Application Filed
Jun 17, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665749
MIGRATING SECRETS FROM A CLOUD ENVIRONMENT TO A LOCAL SYSTEM
3y 3m to grant Granted Jun 23, 2026
Patent 12659322
Systems and methods for identifying legitimate network traffic imitation
2y 2m to grant Granted Jun 16, 2026
Patent 12647495
METHODS AND APPARATUS TO IDENTIFY MAIN PAGE VIEWS
1y 8m to grant Granted Jun 02, 2026
Patent 12640930
REDUCING NETWORK LOAD AND LEAD TIME FOR SIGNING A PACKAGE MANAGER FILE
2y 11m to grant Granted May 26, 2026
Patent 12627693
CYBER-ATTACK TRACKING METHOD AND DEVICE USING BEHAVIOR EVENT-BASED RELATIONSHIP DATA COLLECTED FROM MULTIPLE DOMAINS, AND STORAGE MEDIUM STORING INSTRUCTIONS TO PERFORM CYBER-ATTACK TRACKING METHOD
1y 11m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+73.1%)
2y 11m (~1y 5m remaining)
Median Time to Grant
Low
PTA Risk
Based on 443 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month