DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/26/2020 has been entered.
 Response to Arguments
Applicant’s remarks filed on 06/26/2020 have been fully considered. 
Regarding claim[s] 26, 45, under the obviousness rejection, applicant’s remarks are not persuasive, therefore, see the examiner’s response to such remarks in the office action below. 
The examiner will address all other remarks that do not concern the prior art rejections, if any, in the office action below. 
Applicant states on page[s] 24 of the remarks as filed: “……..Song also does not include a policy or rule applied to executable applications to separate an unknown executable application.”

…….identifying an unknown executable application based on at least one rule [Song, paragraph 0031, Alternatively, detector 1030 can redirect communication protocol messages and/or any other incoming traffic that is deemed to be anomalous [i.e. applicant’s identifying an unknown executable application] to a shadow server (which may be part of server computer 1070). The shadow server can be used to run application programs that ultimately use communication protocol messages and/or incoming traffic. For example, a shadow server and server computer 1040 can be configured to have the same software programs running, except that the shadow server can be operating in a protected environment using an emulator, virtual machine, sandbox [i.e. applicant’s rule] or other suitable mechanism for protecting server 1040 from potential code injection attacks or any other suitable attacks], said at least one rule applied to executable applications to separate said unknown executable application from said executable applications [Muyres, paragraph: 0150, lines 11 – 16, A "Try Before You Buy" (TBYB) asset 22 can be made available in a form [i.e. applicant’s at least one rule applied to....], say, limited by maximum number of tries, maximum time, or maximum duration. Such a TBYB type asset 22 can may be either "wrapped" in a digital wrapper 60, and limited to running in a protected environment [i.e. applicant’s…separate said unknown executable application from said executable applications]]
***The examiner’s response above applies to applicant’s same or similar remarks made on page[s] 24 and 25 & 26 and 27 regarding claim[s] 26, 45 of the remarks as filed. 

Applicant states on page[s] 24 and 25 of the remarks as filed: “Further, as noted in a prior response, the Song reference does not disclose the sandbox on the client system with redirecting file system modifications and registry modification to an isolated storage area on the client system at the handheld device or computer, with performing behavior analysis as in the amended claims. With Song, any reference to a sandbox is on a server. (See, Song para. ([0031). In Song, the sandbox reference is as follows:
... .except that the shadow server can be operating in a protected environment using an emulator, virtual machine, sandbox or other suitable mechanism for protecting server 1040 from potential code injection attacks or any other attacks.
(Song, para. [0031], lines 13-16)
In fact, Song distinguishes the client computer as reference number 1010 in Song (See, Song Fig. 1A and Fig. IB) from the server 1040, the detector as reference number 1030 or 1050 and communication network (reference number 1030). The Examiner’s interpretation of Song is misplaced as the Examiner is citing to the detector 1030 or 1050 or communication network 1030 or the server 1040 in Song at para. [0031] and this is not the client computer (reference number 1010). This is different from the present invention as the sandbox is located on the computer or handheld device of the end user, not on the server as indicated by Song reference number 1040. ”
shadow server (which may be part of server computer 1070) [i.e. applicant’s client computer]. The shadow server can be used to run application programs that ultimately use communication protocol messages and/or incoming traffic. For example, a shadow server and server computer 1040 can be configured to have the same software programs running, except that the shadow server can be operating in a protected environment using an emulator, virtual machine, sandbox [i.e. applicant’s sandbox] or other suitable mechanism for protecting server 1040 from potential code injection attacks or any other suitable attacks. This meets applicant’s argument of: “……the Song reference does not disclose the sandbox on the client system……,”  this also meets applicant’s argument of: “This is different from the present invention as the sandbox is located on the computer or handheld device of the end user, not on the server as indicated by Song reference number 1040. ”
	Further of Song at paragraph 0031, Alternatively, detector 1030 can redirect communication protocol messages and/or any other incoming traffic [i.e. redirect] that is deemed to be anomalous to a shadow server (which may be part of server computer 1070) [i.e. applicant’s client computer]. The shadow server can be used to run application programs that ultimately use communication protocol messages and/or incoming traffic [i.e. applicant’s applications]. Where at paragraph: 0046, In yet another example, the attacker can use attacker computer 1080 to perform a Structure Query Language (SQL) injection attack that attempts to print the elements of a restricted table [i.e. applicants file system and registry modification]. An example of a SQL injection attack is as follows: [0047] http://www.vulnerable.com/retrieve.php?paperID='/**/union/**/select/**/0,- concat(username,0x3a,password)/**/from/**/users/*. Where at paragraph 0031, lines 8 – 16, The shadow server can be used to run application programs that ultimately use communication protocol messages and/or incoming traffic. For example, a shadow server [i.e. applicants sandbox located on a computer] and server computer 1040 can be configured to have the same software program running, except that the shadow server can be operating in a protected environment using an emulator, virtual machine, sandbox [i.e. applicant’s isolated storage area on the client system at the handheld device or computer ] or other suitable mechanism for protecting server 1040 from potential code injection attacks or any other suitable attacks. This meets applicant’s arguments of: “the Song reference does not disclose the sandbox on the client system with redirecting file system modifications and registry modification to an isolated storage area on the client system at the handheld device or computer.”
***The examiner’s response above applies to applicant’s same or similar remarks made on page[s] 26 regarding claim[s] 26, 45 of the remarks as filed.

Applicant states on page[s] 25 of the remarks as filed: “The Muyres reference does not remedy the shortcomings of the Song reference. In Muyres, there is no mentioning of the specific process for sandbox redirecting file system modifications and registry modification to an isolated storage area on the client system. As noted above, Muyres is for a client content management and distribution system and describes an encryption key for purchasing or try-before you buy software, similar to a product activation key. This is not a sandbox as in the present amended claims 20, 21, and 26.”
In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
The examiner points out that applicant’s argued claim limitation was clearly rejected by the prior art of Song. The examiner point’s applicant’s attention to the examiner’s previous comment above regarding the prior art of Song and the argued claim limitation of: “….Muyres, there is no mentioning of the specific process for sandbox redirecting file system modifications and registry modification to an isolated storage area on the client system….”
***The examiner’s response above applies to applicant’s same or similar remarks made on page[s] 26 regarding claim[s] 26, 45 of the remarks as filed.
Applicant states on page[s] 25 and 26 of the remarks as filed: “It is also respectfully noted that the Examiner appears to have overlooked the claim limitations of claims 20, 21 and 26. On page 8 of the present Office Action, the Examiner states the features upon which applicant relies (i.e......an application (or unknown executable application)) are not recited in the rejected claim(s).” This is an incorrect statement as claim 20 states the feature of “an executable application” and claim 26 recites the feature of “unknown executable application.” Additionally, the claim amendment to claim 26 now includes an unknown executable application separated from executable applications by applying the at least one rule.

Accordingly, for at least the above reasons, the combination/modification of Song with Muyres fails to result in essential features of the independent claims; thus, the combination/modification cannot render Applicant’s amended independent claims 20, 21, and 26 obvious under §103. Reconsideration and withdrawal of this ground of rejection are respectfully requested.”
	In response the examiner isn’t persuaded, the examiner points out that applicant’s argument regarding claim # 20 and the recited “executable application,” is an unknown application; respectfully, the examiner points out that merely reciting the phrase “executable application,” would not delineate whether the application is unknown or known. This simply can’t be done. As to claim # 26, and the recited: “unknown application,” this claim language does recite that the application is unknown. The prior art of Song, makes obvious this unknown application feature, by observing whether an application is anomalous or not, given the BRI of the claimed unknown application. See paragraph: 0031 of Song. 
Applicant states on page[s] 27 and 28 of the remarks as filed: “In the Office Action of December 26, 2019 at page 11, the Examiner has incorrectly stated that claims 42 and 45 were not amended to include the limitations which the applicant was arguing. (“The examiner notes that applicant has not amended claim[s] 42, 45 as argued on page[s] 41 of the remarks as filed.”). Claims 42 and 45 are dependent claims and include the limitations of claims 20 and 26, which were amended with the prior said sandbox redirecting file system modifications and registry modifications to an isolated storage area on said computer or handheld device.” Yet, the Examiner has stated on page 11-12 of the present Office Action “it is noted that the features upon which applicant relies (i.e. The Muyres reference does not remedy the shortcomings of the Song reference. In Muyres, there is no mentioning of the specific process for sandbox redirecting file system modifications and registry modification to an isolated storage area on the client system.) are not recited in the rejected claims.” (emphasis in original). Applicant respectfully notes that the Examiner has overlooked the amendments which were made to the independent claims 20 and 26 in the prior response and incorporated into the dependent claims 42 and 45.”
In response the examiner isn’t persuaded, the examiner points out the examiner has not overlooked applicant’s recited claim language, as alleged by applicant. The examiner points out that applicant’s argued claim limitation was clearly rejected by the prior art of Song in the previous office action. The examiner point’s applicant’s attention to the examiner’s previous comment regarding the prior art of Song and the argued claim limitation of: “….Muyres, there is no mentioning of the specific process for sandbox redirecting file system modifications and registry modification to an isolated storage area on the client system….”
Applicant states on page[s] 28 of the remarks as filed: “Nor does Libenzi remedy the shortcomings of the Song reference alone or in combination with Muyres. In Libenzi, there is no mentioning of the specific process for the sandbox on the client system with 
Therefore, it is respectfully requested that the rejection to the claim based on Song in view of Muyres and Libenzi be removed.”
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Response to Amendment
Status of the instant application:
Claim[s] 1 – 6, 8 – 12, 14 – 30, 32 – 36, 38 – 48 are pending in the instant application. 
Regarding claim[s] 20, 21, 42, under the obviousness rejection, applicant’s newly added claim amendments have been considered, and are persuasive, therefore, the rejections are withdrawn. 
Regarding claim[s] 26, 45, under the obviousness rejection, applicant’s newly added claim amendments have been considered, but are not persuasive. The examiner has addressed applicant’s newly added claim amendments in the office action below.
Double Patenting
Regarding claim[s] 1, 4 – 6, 8, 10 – 12, 16 – 19, 27 – 30, 32, 36 rejected on grounds of non – statutory obvious type double patenting rejection over claim[s] 1, 4 – 6, 8, 10 – 12, 16 – 19, 27 – 30, 32, 36 of US PAT # 10313373, applicant’s disclaimer filed on 06/24/2020 was approved on 06/27/2020, therefore, the rejections are withdrawn. 
Claim Rejections - 35 USC § 101
Regarding claim[s] 8 – 13, 39 under the rejection for non – statutory subject matter, applicant’s claim amendments have been considered and amount to significantly more than the previously identified abstract idea’s, therefore, the rejections are withdrawn. 

Regarding claim[s] 18, 19, 41 under the rejection for non – statutory subject matter, applicant’s claim amendments have been considered and amount to significantly more than the previously identified abstract idea’s, therefore, the rejections are withdrawn.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claims[s] 26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Song et al. [US PGPUB # 2011/0167493] in view of Muyres et al. [US PGPUB # 2001/0010046]
As per claim 26. Song does teach a method to securely deliver executables to an end user [paragraph 0022, lines 5 – 9, In another example, a network-situated sensor can be provided that monitors incoming communication protocol messages or any other suitable content to a web server and determines if a portion of the content is anomalous] comprising: 
monitoring network traffic [figure # 1b and paragraph 0032, lines 8 – 11, For example, as shown in FIG. 1B, detector 1050 may operate as a packet sniffer that monitors network traffic flowing between the communication network 1030 and server computer 1070];
identifying an unknown executable application based on at least one rule [paragraph 0031, Alternatively, detector 1030 can redirect communication protocol messages and/or any other incoming traffic that is deemed to be anomalous [i.e. applicant’s identifying an unknown executable application] to a shadow server (which may be part of server computer 1070). The shadow server can be used to run application programs that ultimately use communication protocol messages and/or incoming traffic. For example, a shadow server and server computer 1040 can be configured to have the same software programs running, except that the shadow server can be operating in a protected environment using an emulator, virtual machine, sandbox [i.e. applicant’s rule] or other suitable mechanism for protecting server 1040 from potential code injection attacks or any other suitable attacks]…….. 
Sending an alert to the end user to run the unknown executable application in a sandbox [paragraph 0031, In some embodiments, detector 1030 is a network-situated sensor that analyzes incoming communication protocol messages and/or other incoming traffic and issues alerts for communication protocol messages that are deemed to be anomalous. Alternatively, detector 1030 can redirect communication protocol messages and/or any other incoming traffic that is deemed to be anomalous to a shadow server (which may be part of server computer 1070). The shadow server can be used to run application programs that ultimately use communication protocol messages and/or incoming traffic. For example, a shadow server and server computer 1040 can be configured to have the same software programs running, except that the shadow server can be operating in a protected environment using an emulator, virtual machine, sandbox or other suitable mechanism for protecting server 1040 from potential code injection attacks or any other suitable attacks]; 
sending the unknown executable application to said sandbox located on a computer or handheld device of an end user [paragraph: 0031, lines 5 – 8, Alternatively, detector 1030 can redirect communication protocol messages and/or any other incoming traffic that is deemed to be anomalous to a shadow server (which may be part of server computer 1070)], said sandbox redirecting file system modifications  and registry modifications [paragraph: 0046, In yet another example, the attacker can use attacker computer 1080 to perform a Structure Query Language (SQL) injection attack that attempts to print the elements of a restricted table [i.e. applicants registry modification]. An example of a SQL injection attack is as follows: [0047] http://www.vulnerable.com/retrieve.php?paperID='/**/union/**/select/**/0,- concat(username,0x3a,password)/**/from/**/users/*] to an isolated storage area on said computer or handheld device [paragraph 0031, lines 8 – 16, The shadow server can be used to run application programs that ultimately use communication protocol messages and/or incoming traffic. For example, a shadow server [i.e. applicants sandbox located on a computer] and server computer 1040 can be configured to have the same software program running, except that the shadow server can be operating in a protected environment using an emulator, virtual machine, sandbox or other suitable mechanism for protecting server 1040 from potential code injection attacks or any other suitable attacks]. 
Song does not clearly teach………. said at least one rule applied to executable applications to separate said unknown executable application from said executable applications.
 Preventing the unknown executable application from communicating instructions with an agent existing on the computer or handheld device of the end user.
However, Muyres does teach……….. said at least one rule applied to executable applications to separate said unknown executable application from said executable applications [paragraph: 0150, lines 11 – 16, A "Try Before You Buy" (TBYB) asset 22 can be made available in a form [i.e. applicant’s at least one rule applied to....], say, limited by maximum number of tries, maximum time, or maximum duration. Such a TBYB type asset 22 can may be either "wrapped" in a digital wrapper 60, and limited to running in a protected environment [i.e. applicant’s separate said unknown executable application from said executable applications]].
Preventing the unknown executable application from communicating instructions with an agent existing on the computer or handheld device of the end user [paragraph 0150, lines 11 – 17, A "Try Before You Buy" (TBYB) asset 22 can be made available in a form, say, limited by maximum number of tries, maximum time, or maximum duration. Such a TBYB type asset 22 can may be either “wrapped” in a 
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Song and Muyres in order for the detector monitoring the network traffic flowing between parties of the communication network and the server of Song to include authenticating the communicating parties by using public key infrastructure of Muyres. This would allow for the monitoring of the parties by verifying the identity of the suspected parties that originated such monitored network traffic. See paragraph 0078 of Muyres.
Claim[s] 45 is/are rejected under 35 U.S.C. 103 as being unpatentable over Song et al. [US PGPUB # 2011/0167493] in view of Muyres et al. [US PGPUB # 2001/0010046] as applied to claim[s] 26 above, and further in view of Libenzi et al. [US PAT # 6745192].
As per claim 45. Song and Muyres do teach what is taught in the rejection of claim 26 above. 
Song and Muyres do not teach clearly the method of claim 26 wherein said unknown executable application is from an email with an executable application which said email claims is not an executable application; 
said email originating from a sender which has not previously communicated with the recipient of said email.
However, Libenzi does teach the method of claim 26 wherein said unknown executable application is from an email with an executable application which said email claims is not an executable application [Col. 1, lines 23 – 26, Computer viruses, or simply "viruses," are executable programs or procedures, often masquerading [i.e. applicant’s said emails claims is not an executable application] as legitimate files, messages or attachments that cause malicious and sometimes destructive results. Also, at col. 1, lines 29 – 33, Viruses travel between machines over network connections or via infected media and can be executable code disguised as application programs, functions, macros, electronic mail (email) attachments]; 
said email originating from a sender which has not previously communicated with the recipient of said email [col. 4, lines 5 – 7, Optionally, a firewall 20 can provide limited security to the intra-network 14 by providing filtering of packets originating from unauthorized users [i.e. applicant’s a sender which has not previously communicated…etc]].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Song as modified and Libenzi in order for the detector monitoring the network traffic flowing between parties of the communication network and the server of Song as modified to include a specialized antivirus system that intercepts the network traffic of Libenzi. This would allow for the protection of the client and servers from viruses, malware sent from external networks from anomalous network communications data. See col. 1, lines 60 – 67 of Libenzi. 
Allowable Subject Matter
Claim[s] 1 – 6, 8 – 12, 14 – 25, 27 – 30, 32 – 36, 38 – 44, 26 - 48 contain allowable subject matter, but as allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with. See 37 CFR 1.111 (b) and MPEP § 707.07(a).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT B SHAIFER HARRIMAN whose telephone number is (571)272-7910.  The examiner can normally be reached on M - F: 8am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571- 272- 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 
/DANT B SHAIFER HARRIMAN/           Primary Examiner, Art Unit 2434