T 2380/12 (Disassociated images/SYMANTEC) of 20.12.2018

European Case Law Identifier: ECLI:EP:BA:2018:T238012.20181220
Date of decision: 20 December 2018
Case number: T 2380/12
Application number: 03746118.3
IPC class: G06F 9/445
Language of proceedings: EN
Distribution: D
Download and more information:
Decision text in EN (PDF, 341 KB)
Documentation of the appeal procedure can be found in the Register
Bibliographic information is available in: EN
Versions: Unpublished
Title of application: USING DISASSOCIATED IMAGES FOR COMPUTER AND STORAGE RESOURCE MANAGEMENT
Applicant name: Symantec Corporation
Opponent name: -
Board: 3.5.06
Headnote: -
Relevant legal provisions:
European Patent Convention 1973 Art 56
European Patent Convention Art 123(2)
Keywords: Inventive step - (no)
Amendments - added subject-matter (no)
Catchwords:

-

Cited decisions:
-
Citing decisions:
-

Summary of Facts and Submissions

I. The appeal is directed against the decision of the examining division, dated 9 July 2012, to refuse application No. 03746118.3 for lack of inventive step of auxiliary request II over document:

D1 WO 99/63434 A1.

The remaining five requests were not admitted into the procedure (Rule 137(3) EPC) for prima facie not complying with Article 123(2) EPC and/or Article 56 EPC 1973.

II. A notice of appeal was received on 3 September 2012. The appeal fee was paid on the same day. A statement of grounds of appeal was received on 8 November 2012, containing a main request and auxiliary requests I to IX. Oral proceedings were requested.

III. In a communication dated 19 April 2018, the rapporteur raised an objection of lack of inventive step without citing a document. The objection with respect to Article 123(2) EPC was considered void.

IV. In a letter dated 17 August 2018, the appellant submitted arguments and filed auxiliary request X.

V. In its summons to oral proceedings, the board gave further reasons why the claims (including auxiliary request X) lacked an inventive step.

VI. In a letter dated 4 December 2018, the appellant submitted further arguments and informed the board that the appellant intended not to attend the oral proceedings.

VII. Oral proceedings were held on 20 December 2018 in the absence of the appellant, as announced. At their end, the board announced its decision.

VIII. The appellant requests that the decision be set aside and that the case be remitted with the order to grant a patent based on the main request or one of auxiliary requests I to IX, filed with the grounds of appeal, or auxiliary request X, filed on 17 August 2018.

The other application documents are the same as in the appealed decision, with the exception of some replacement pages for the description as specified in the grounds of appeal, page 8.

IX. Claim 1 of the main request reads as follows:

"1. A method of computer resource management, comprising the steps of:

receiving (302), at a management node that comprises at least one management computer (110), at least one ample image (104) captured from an existing computer (102) that is distinct from the management computer, the ample image comprising a copy of at least a portion of storage of the existing computer (102) comprising at least file names, file contents, and sector allocation information;

mounting the ample image (104) within a management environment at the management node to make the ample image accessible within the management environment; and

modifying, at the management node, the ample image, by repairing at least one file within the ample image;

deploying the modified ample image from the management node to a computer that is distinct from the management node."

X. Beside some editorial changes, claim 1 of auxiliary request I mainly differs from that of the main request in that the following is inserted between the step of receiving and that of mounting:

"characterized in that:

the ample image is captured from an existing computer and is thus disassociated from the existing computer in that the ample image is located at the management node and the management node is distinct from the existing computer;"

XI. Claim 1 of auxiliary request II differs from that of auxiliary request I in that the following passage is inserted between the step of receiving and that of capturing:

"obtaining, at the management node, meta-data that is structurally associated with the ample image (102);

indexing the ample image into a collection of ample images at the management node such that the ample image can be located by using at least part of the meta-data as a key, characterized in that:"

and in that the steps of modifying and deploying are replaced by:

"the ample image is modified at the management node by:

detecting a virus in at least one infected file within the ample image,

repairing the infected file."

This means that no deploying is taking place.

XII. Claim 1 of auxiliary request III differs from that of auxiliary request II in that the steps of capturing, mounting and modifying are replaced by:

"mounting the ample image within a management environment within the management node to make the ample image accessible within the management environment, characterized in that:

at least one the ample image is captured from an existing computer (102) and is thus disassociated from the existing computer in that the ample image is located at the management node and the management node is distinct from the existing computer, and by

modifying the ample image by handling viruses by detecting viruses and then repairing the infected files."

XIII. Claim 1 of auxiliary request IV differs from that of auxiliary request II in that the following is added at the end:

"the modified ample image is deployed from the management node to a computer that is distinct from the management node."

XIV. Claim 1 of auxiliary request V differs from that of auxiliary request III in that the following text is added at the end:

"and deploying the modified ample image (104) to at least one of: the existing computer (102), another computer that is distinct from the management node."

XV. Claim 1 of auxiliary request VI differs from that of auxiliary request V in that the step of deploying is replaced by:

"deploying the modified ample image (104) to the existing computer (102) from which the ample image was captured."

XVI. Claim 1 of auxiliary request VII differs from that of auxiliary request V in that the step of deploying is replaced by:

"deploying the modified ample image (104) to another computer that is distinct from both the management node and the existing computer (102) from which the ample image was captured."

XVII. Claim 1 of auxiliary request VIII differs from that of auxiliary request VI in that the steps of obtaining and indexing are replaced by:

"obtaining, at the management node, meta-data that is structurally associated with the ample image (102), the meta-data including a computer name of the existing computer;

indexing the ample image into a collection of ample images at the management node such that the ample image can be located by using at least the computer name of the existing computer as a key;".

XVIII. Claim 1 of auxiliary request IX differs from that of auxiliary request VIII in that the steps of obtaining and indexing are replaced by:

"obtaining, at the management node, meta-data that is structurally associated with the ample image (102), the meta-data including a computer name of the existing computer and an image creation time of the received ample image;

indexing the ample image into a collection of ample images at the management node such that the ample image can be located by using at least the computer name of the existing computer and the image creation time as a key;".

XIX. Claim 1 of auxiliary request X reads as follows:

"1. A method of computer resource management, comprising the steps of: receiving (302), at a management node that comprises at least one management computer (110), at least one ample image (104) captured from an existing computer (102);

obtaining (304) at the management node meta-data that is structurally associated with the ample image;

indexing (306) the ample image into a collection of ample images such that the ample image can be located by using at least part of the meta-data as a key;

mounting the ample image (104) within a management environment at the management node, the management environment providing at least the ability to perform at least one file system type operation to read files and directories; and

identifying a suspect file within the ample image;

tracking (602, 604) propagation of the suspect file over multiple computers using ample images of multiple existing computers (102) and/or tracking propagation of the suspect file over time using ample images of a particular existing computer that were created at different points in time;

modifying, at the management node, the ample image, by repairing the at least one file within the ample image, wherein the modified ample image differs from the image received by the management node (110) in one or more of the following ways: a change in application software; a change in driver software; a change in other software; a change in the partition table; a change in cluster size; a change in the folder in which given data is stored; a change in the partition in which data is stored; a change in status of a file infected by a virus; a change in status in an illegal file."

Reasons for the Decision

1. Summary of the invention

1.1 The application relates to distributing a collection of files (figure 1: "ample image 104"; see page 6, second and third paragraph) from a client computer (figure 1: "computer to be imaged 102") via a server computer ("management node 110") to a client computer (figure 3: "deploy (modified) ample image(s) 316"). The image is first built with the help of a conventional imaging tool from the hard-disk of the client computer (page 7, third paragraph). The image is then transmitted from the client to the server over a network or with the help of DVDs (page 11, last sentence; page 20, third paragraph). The image is made accessible on the server by a human system administrator mounting it as a standard folder/volume/partition/disk using an existing image mounting tool, such as V2i Protector (pages 9 and 21, second paragraph). The image is then - among others - scanned for viruses, and if necessary modified on the server by "repairing" one or more files in which a virus has been detected (page 22 lines 25-27; pages 18 and 24, last paragraph; see also figure 5 for the different modifying possibilities). The commands for these searching and modifying steps 310 and 312 are either input interactively by a human system administrator or by a script file containing the user commands (page 21, third paragraph). Thereafter, the modified image is transmitted ("deployed") from the server to another or the same client computer with the help of a familiar image deployment tool (paragraph bridging between pages 21 and 22).

1.2 To summarise the claimed method, an image of a client computer is transmitted to a server computer, scanned for viruses thereon, repaired if necessary, and transmitted to a client computer. Thus, the invention mainly consists in a combination of an imaging and a virus scanner program.

2. Original disclosure

As to the non-admittance of the main request and auxiliary requests I and III-V in the decision (10, 11, 14-16), the board is satisfied with the passages cited in the grounds of appeal, page 2, penultimate paragraph. They show that the objected (rather general) steps of modifying the ample image are indeed originally disclosed (Article 123(2) EPC).

3. Inventiveness

3.1 Although the board does not agree with the appealed decision that D1 is an appropriate starting point for assessing inventive step, it agrees with its overall finding that the claimed subject-matter lacks inventive step.

3.2 D1 is not an appropriate starting point, since it relates to creating a software configuration image on an "image builder" server computer according to the wishes of a purchasing customer (see Abstract), instead of extracting the image from an existing (model) computer, as in the application. It follows that D1 does not disclose the step of claim 1 of all requests of receiving at a server ("management node") an image of an existing (client) computer. The first passage of D1 cited in the decision (12.1) for the receiving step concerns a receiving step from one server ("image server") to another server ("management information system" or MIS; see page 5, lines 7-9). However, the image is not captured from the first server, but built from scratch at the first server. Furthermore, the second server (MIS) does not fulfill the rôle of the management node of the invention, namely to distribute files (see page 9, second paragraph for the whole disclosure in D1 about the MIS), but is merely a recipient of them (see figure 1). The second passage cited in decision section 12.1 does not relate to the invention of D1, but to prior art (page 1, lines 15-16; see also lines 14-15 and 17-18 for the prior art using model systems and distributing their images; see page 2, third paragraph for the fact that no model system is used in D1).

3.3 However, the board considers the claimed subject-matter to be (at most) a mere automation of the common behaviour of a human system administrator who wants to safely distribute a file collection (i.e. an image) of a model computer to other computers. He or she therefore builds the image to be distributed on the model computer with the help of a conventional imaging tool (see section 1.1 above) and transmits it to his/her server computer, either over a network or with the help of removable storage media (like DVDs; see again section 1.1). In order to safely distribute files, he or she would obviously consider running a virus scanner on the image before distributing the image to a computer. It can justifiably be assumed that it is best practice of a system administrator to always clean an image by running an antivirus scan before restoring any file of the image to a computer.

3.4 In any case, no technical effect can be seen in the claimed sequence of system administrator's actions with known software tools (image builder, mounting tool, virus scanner) that would go beyond the usual effects these tools produce. Without such a technical effect, the claimed subject-matter lacks inventive step.

3.5 It appears that the launching of these actions is not even fully automated, but that the system administrator has to launch them manually (see page 17, second paragraph) or to program scripts which do so (page 21, third paragraph; in particular lines 19-20: "Commands may be subject to policies specified 606 by an administrator.").

3.6 As to the auxiliary requests, they either explicitly formulate features already implicitly present and considered in the discussion above (e.g. auxiliary request I: "the ample image is captured from an existing computer and is thus disassociated from the existing computer in that the ample image is located at the management node and the management node is distinct from the existing computer"), or the same argument as used above applies to their additional features. For example, using "meta-data" (auxiliary request II), such as the computer name (auxiliary request VIII) or the image creation time (auxiliary request IX) to find the image of the computer with that name, or the image which was created at that time does exactly what it is meant to do. Moreover, the description states that "conventional database indexing techniques and tools" are used for that purpose (page 14, second paragraph).

3.7 As to the newly filed auxiliary request X, the appellant wrote in its letter dated 17 August 2018 (page 1, paragraph 4) that it was a further restriction of the main request and auxiliary request II.

3.8 The board is not convinced of that, since both the deployment step of claim 1 of the main request and the virus-detection step of claim 1 of auxiliary request II are missing in claim 1 of auxiliary request X. Moreover the modifying step was generalised to subject-matter not relating to virus-checking (e.g. changes of the partition table, the cluster size or the folder/partition in which data is stored; see the last five lines of claim 1).

3.9 The newly added tracking step also has no relation to the other steps of claim 1. In particular, one of the most important steps, namely the modifying step, does not depend on the tracking step. All the more, as the tracking step does not produce a result upon which a later computation could depend. Thus, this new tracking step cannot establish an inventive step of the previously claimed method. Furthermore, its alleged effects (page 3, paragraph 4, last sentence: facilitating forensic investigations, saving administrative overhead) are not considered by the board to possess technical character.

3.10 Therefore, the subject-matter of all requests is considered not to be inventive.

3.11 The appellant argues on page 3, first paragraph of its letter dated 17 August 2018 that it was not common for a human system administrator to perform an antivirus scan on an image of a different computer than the computer on which the administrator was operating.

3.12 However, the passage in the original description (page 3, last paragraph), cited in the reply (middle of page 2), states that "although many tools are used to ..., relatively little has been done to make use at a network management computer of information provided there in a backup copy of another computer's stored data". This explicitly states that the prior art comprises some programs ("tools") which automate and support the analysis and management of a client computer's image at a server computer.

3.13 For the board, it follows that it was not only common for the human system administrator to perform a "remote" analysis and management of an image "by hand" (i.e. using existing imaging tools, image mounting tools, virus scanners and image deployment tools; see the communication, section 1), but there were already before the priority date of the application some (albeit "relatively little") programs to automate this task.

3.14 In its letter dated 4 December 2018 (page 3, third paragraph), the appellant argues that "relatively little" meant "nothing or virtually nothing".

3.15 The board is not convinced by that. It is clear that "relative little" does not mean "nothing" in this context. Furthermore, the term "virtually nothing" (not used in the description passage) is not clearer than "relative little", but anyway means more than nothing. Therefore, in terms of programs, it follows that at least one program existed before the priority date which "make[s] use at a network management computer of information provided there in a backup copy of another computer's stored data". This implies that it was at least common to a skilled person to automate the task of remotely analysing and managing an image of another computer.

3.16 Thus, it is confirmed that the claimed subject-matter lacks inventive step.

Order

For these reasons it is decided that:

The appeal is dismissed.

Quick Navigation