DETAILED ACTION
This Office Action is in response to the communication filed on 09/12/2018. 
Claims 1-20 are pending. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f): 
(f) ELEMENT IN CLAIM FOR A COMBINATION.—An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: 
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. 

(A) the claim limitation uses the term "means" or "step" or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B) the term "means" or "step" or the generic placeholder is modified by functional language, typically, but not always linked by the transition word "for" (e.g., "means for") or another linking word or phrase, such as "configured to" or "so that"; and 
(C) the term "means" or "step" or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word "means" (or "step") in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Claim limitations in this application that use the word "means" (or "step") are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word "means" (or "step") are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word "means," but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not 
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph limitations: e.g. figs. 1-4, [0031], [0037], [0066]-[0067], [0074]-[0079] of the specification.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Objections
Claim 1 is objected to because of the following informalities:

"The steps of" as recited in line 3 of claim 1 should read "steps of".
Appropriate correction is required.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal 
Claims 1-16 and 19-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-16 and 19-20 of copending Application No. 16/129,087 in view of Allen (US 9,727,726).
Claims 1-16 and 19-20 of copending Application No. 16/129,087 include most of the limitations recited in claims 1-16 and 19-20 of the instant application except for "requesting additional event data from the data recorder for at least one of other ones of the types of changes than the subset of the types of changes or other ones of the plurality of computing objects than the subset of the computing objects" as recited in claim 1, "transmitting a request from the threat management facility to the endpoint for additional event data from the data recorder" as recited in claim 6 and "by transmitting a request to the endpoint for additional event data stored by the data recorder" as recited in claim 19.
Allen discloses "requesting additional event data from the data recorder for at least one of other ones of the types of changes than the subset of the types of changes or other ones of the plurality of computing objects than the subset of the computing objects" as recited in claim 1, "transmitting a request from the threat management facility to the endpoint for additional event data from the data 
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Instant application 16/129,113        Copending application 16/129,087
1                                     1
2-5                                   2-5
6                                     6
7-16                                  7-16
                                      19
20                                    20


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Harris et al. (US 2016/0173510) in view of Allen (US 9,727,726).
Claim 1, Harris teaches:

instrumenting an endpoint with a local agent (e.g. fig. 2, [0082]: The local drift monitor 208 may monitor the drift 210 of a particular server 202 or a plurality of servers 202. The local drift monitor 208 may execute on each one of the servers 202…The local drift monitor 208 may be configured to detect a drift 210) to detect a plurality of types of changes to a plurality of computing objects; (e.g. fig. 2, [0083]-[0084]: The drift 210 may include a change in one or more executables 206 from the baseline 220 of one or more of the servers 202. In general, the drift 210 referred to here describes changes in a single server…relevant changes may include, without limitation, an update to an application, an installation of a new application, an addition of at least one of a new dynamic linked library (DLL), a resource file, an interpreted data file, a configuration file, and so forth. The drift 210 may also or instead include a process, a user, a data file, an endpoint, and so forth, or any change to the foregoing. The drift 210 may be caused by certain network targets of a URL, updating of a system configuration, installation of software, the opening, updating, or modification of files and the like, and so forth. Other items that may 
creating an event stream with the local agent including each type of change to each type of computing object detected on the endpoint; (e.g. [0082]-[0084], [0091]: The local drift monitor 208 may generate a drift report 222, which it then may provide to the threat management facility 204…Detection of any changes in configuration may be encapsulated in a drift report 222…The drift report 222 may describe which objects on a server 202 or system 200 have changed, or how they have changed when compared to the baseline 220…The drift report 222 may include the drift 210, and may additionally or alternatively provide additional 
storing the event stream in a data recorder on the endpoint; (e.g. [0082]-[0084], [0091]: The local drift monitor 208 may generate a drift report 222, which it then may provide to the threat management facility 204…Detection of any changes in configuration may be encapsulated in a drift report 222…The drift report 222 may describe which objects on a server 202 or system 200 have changed, or how they have changed when compared to the baseline 220…The drift report 222 may include the drift 210, and may additionally or alternatively provide additional information related to the drift 210. For example, the drift report 222 may include information pertaining to timing, values, content, source, context, and so forth)
processing the event stream at the endpoint to provide an event stream including a subset of the types of changes to a subset of the computing objects; (e.g. [0082]-[0084], [0091]: The local drift monitor 208 may generate a drift report 222, which it then may provide to the threat management facility 204…Detection of any changes in configuration may be encapsulated in a drift report 222…The drift report 222 may describe which objects on a server 202 or system 200 have changed, or how they have changed when compared to the baseline 220…The 
transmitting the event stream to a threat management facility; (e.g. [0082]-[0084], [0091]: The local drift monitor 208 may generate a drift report 222, which it then may provide to the threat management facility 204…Detection of any changes in configuration may be encapsulated in a drift report 222…The drift report 222 may describe which objects on a server 202 or system 200 have changed, or how they have changed when compared to the baseline 220…The drift report 222 may include the drift 210, and may additionally or alternatively provide additional information related to the drift 210. For example, the drift report 222 may include information pertaining to timing, values, content, source, context, and so forth)
processing the event stream at the threat management facility to evaluate a security state of the endpoint; and (e.g. [0084]-[0085]: The drift report 222…communicated to the threat management facility 204 for analysis (e.g., analysis by the analysis facility 212 using tools such as the global drift monitor 214 and the filter 216). The analysis facility 212 may provide a remote processing 
in response to a predetermined security state detected by the threat management facility. (e.g. [0085]: The analysis facility 212 may analyze and process the drift 210 or drift report 222, where a drift 210 or drift report 222 that deviates beyond a predetermined threshold sets off an alert or the like. The alert may include creating an Indication of Compromise ("IOC"), initiating a remedial action, or some combination thereof)
Harris teaches processing the event stream at the endpoint to provide an event stream, transmitting the event stream to a threat management facility, processing the event stream at the threat management facility, in response to a predetermined security state detected by the threat management facility, initiating a suitable remedial action (see above) and does not appear to explicitly teach but Allen teaches:
with a filter at the endpoint to provide a filtered event stream (e.g. col. 4, ll. 4-8, 26-30, col. 7, ll. 64-67, col. 9, ll. 61-64: The monitoring device 104 may also be communicatively coupled to the communications channel 108 such that at least a portion of the communications transmitted between the processor 102 and the protected memory 106 are replicated within the monitoring device 104…Once received by the monitoring device 104, the replicated communications may be filtered by one or more communications filters to determine if the communication contains one or more operations corresponding to the protected area of memory 106)
transmitting the filtered event stream to a threat management facility, (e.g. col. 4, ll. 38-43, col. 8, ll. 15-25: The one or more actions performed by the anomaly detector may include publishing information corresponding to the communication to an event stream. Publishing to the event stream may include transmitting information over a network to an administrative service)
processing the filtered event stream at the threat management facility, (e.g. col. 4, ll. 48-52, col. 8, ll. 23-42, 62-64, col. 13, ll. 14-35: The administrative service may then analyze the one or more events included in the event stream 804. For example, the administrative service may analyze the event by comparing the event to one or more previously encountered malicious attacks. The 
requesting additional event data from the data recorder for at least one of other ones of the types of changes than the subset of the types of changes or other ones of the plurality of computing objects than the subset of the computing objects. (e.g. col. 4, ll. 48-59, col. 8, ll. 59-67, col. 13, ll. 37-48:  Returning to FIG. 8, the process 800 includes determining one or more corrective actions 808. The one or more corrective actions may include requesting more data from the monitoring device associated with the possible intrusion or malicious attack in order to gather more information corresponding to the possible intrusion or malicious attack…The administrative service may then transmit the one or more corrective actions to the monitoring device associated with the particular event. In an embodiment, the one or more corrective actions may be transmitted directly to the computing system associated with the event)

Claim 2, Harris-Allen combination teaches:
wherein the plurality of computing objects includes a number of files. (e.g. Harris [0081], [0083])
Claim 3, Harris-Allen combination teaches:
wherein the plurality of computing objects includes a number of processes. (e.g. Harris [0081], [0083])
Claim 4, Harris-Allen combination teaches:
wherein the plurality of computing objects includes a number of executables. (e.g. Harris [0081], [0083])
Claim 5, Harris-Allen combination teaches:

Claim 6, Harris teaches:
A method comprising: 
receiving an event stream from an endpoint at a threat management facility for an enterprise network, (e.g. [0082]-[0084], [0091]: The local drift monitor 208 may generate a drift report 222, which it then may provide to the threat management facility 204…Detection of any changes in configuration may be encapsulated in a drift report 222…The drift report 222 may describe which objects on a server 202 or system 200 have changed, or how they have changed when compared to the baseline 220…The drift report 222 may include the drift 210, and may additionally or alternatively provide additional information related to the drift 210. For example, the drift report 222 may include information pertaining to timing, values, content, source, context, and so forth) the event stream including a subset of types of changes to a subset of computing objects from a plurality of types of changes to a plurality of computing objects monitored by a data recorder on the endpoint; (e.g. fig. 2, [0083]-[0084]: The drift 210 may include a change in one or more executables 206 from the baseline 220 of one or 
processing the event stream at the threat management facility to evaluate a security state of the endpoint; and (e.g. [0084]-[0085]: The drift report 222…communicated to the threat management facility 204 for analysis (e.g., analysis by the analysis facility 212 using tools such as the global drift monitor 214 and the filter 216). The analysis facility 212 may provide a remote processing resource for analyzing malicious activities and creating rules suitable for detecting drifts 210 or threats based on information received from the servers 202…The analysis facility 212 may analyze and process the drift 210 or drift report 222, where a drift 210 or drift report 222 that deviates beyond a predetermined threshold sets off an alert or the like. The alert may include creating an Indication of Compromise ("IOC"), initiating a remedial action, or some combination thereof)
in response to a predetermined change in the security state of the endpoint. (e.g. [0084]-[0085]: The analysis facility 212 may analyze and process the drift 210 or drift report 222, where a drift 210 or drift report 222 that deviates beyond a predetermined threshold sets off an alert or the like. The alert may include creating an Indication of Compromise ("IOC"), initiating a remedial action, or some combination thereof)

receiving a filtered event stream from an endpoint, (e.g. col. 4, ll. 38-43, col. 8, ll. 15-25: The one or more actions performed by the anomaly detector may include publishing information corresponding to the communication to an event stream. Publishing to the event stream may include transmitting information over a network to an administrative service) the filtered event stream including a subset of types of changes, (e.g. col. 4, ll. 4-8, 26-30, col. 7, ll. 64-67, col. 9, ll. 61-64: The monitoring device 104 may also be communicatively coupled to the communications channel 108 such that at least a portion of the communications transmitted between the processor 102 and the protected memory 106 are replicated within the monitoring device 104…Once received by the monitoring device 104, the replicated communications may be filtered by one or more communications filters to determine if the communication contains one or more operations corresponding to the protected area of memory 106)
filtered event stream at the threat management facility, (e.g. col. 4, ll. 48-52, col. 8, ll. 23-42, 62-64, col. 13, ll. 14-35: The administrative service may then analyze the one or more events included in the event stream 804. For example, the administrative service may analyze the event by comparing the event to one or more previously encountered malicious attacks. The administrative service may then detect a possible intrusion or malicious attack associated with a particular event 806 based at least in part on the analyzed event. For example, the administrative service may analyze the event and determine that possibly malicious code has been written into protected memory of the computing system. The administrative service may then detect the possible malicious attack based on the analysis)
transmitting a request from the threat management facility to the endpoint for additional event data from the data recorder. (e.g. col. 4, ll. 48-59, col. 8, ll. 59-67, col. 13, ll. 37-48: Returning to FIG. 8, the process 800 includes determining one or more corrective actions 808. The one or more corrective actions may include requesting more data from the monitoring device associated with the possible intrusion or malicious attack in order to gather more information corresponding to the possible intrusion or malicious attack…The administrative service may then transmit the one or more corrective actions to the monitoring 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Allen into the invention of Harris, the motivation for such an implementation would be for the purpose of enabling an administrative service to detect a possible intrusion or malicious attack associated with protected data and to request more data from the monitoring device associated with the possible intrusion or malicious attack in order to gather more information corresponding to the possible intrusion or malicious attack (Allen col. 4, ll. 26-30, col. 13, ll. 30-32, 40-43).
Claim 7, Harris-Allen combination teaches:
wherein the subset of computing objects includes one or more of a file, an executable, a process, a database, and a message. (e.g. Harris [0081], [0083])
Claim 8, Harris-Allen combination teaches:
The method of claim 6 wherein the subset of types of changes include at least one of a file read, a file write, a file copy, a file encrypt, a file decrypt, a 
Claim 9, Harris-Allen combination teaches:
The method of claim 6 further comprising correlating the filtered event stream to a malware event on the endpoint and searching for the malware event on one or more other endpoints coupled to the enterprise network based on a pattern of events in the filtered event stream. (e.g. Allen col. 13, ll. 26-29, col. 8, ll. 13-53)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Allen into the invention of Harris, the motivation for such an implementation would be for the purpose of enabling an administrative service to detect and prevent various malicious attacks on multiple computer systems (Allen col. 7, ll. 55-57).
Claim 10, Harris-Allen combination teaches:
storing the event stream at the threat management facility. (e.g. Harris [0084]-[0085])
Harris teaches storing the event stream at the threat management facility (see above) and does not appear to explicitly teach but Allen teaches:
filtered event stream at the threat management facility. (e.g. col. 4, ll. 38-43, col. 8, ll. 15-25) 
Same motivation as in claim 6 would apply.
Claim 11, Harris-Allen combination teaches:
storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including additional ones of the plurality of types of changes to the plurality of computing objects. (e.g. Harris [0083]-[0084])
Claim 12, Harris-Allen combination teaches:
storing an unfiltered event stream on the data recorder at the endpoint, the unfiltered event stream including one or more of the plurality of types of changes to additional ones of the plurality of computing objects. (e.g. Harris [0083]-[0084])
Claim 13, Harris-Allen combination teaches:
wherein processing the event stream includes searching for potential malicious activity on the endpoint. (e.g. Harris [0085]).
Harris teaches processing the event stream (see above) and does not appear to explicitly teach but Allen teaches:
processing the filtered event stream. (e.g. col. 4, ll. 48-52, col. 8, ll. 23-42, 62-64, col. 13, ll. 14-35)

Claim 14, Harris-Allen combination teaches:
wherein processing the event stream includes searching for a security exposure on the endpoint. (e.g. Harris [0085])
Harris teaches processing the event stream (see above) and does not appear to explicitly teach but Allen teaches:
processing the filtered event stream. (e.g. col. 4, ll. 48-52, col. 8, ll. 23-42, 62-64, col. 13, ll. 14-35)
Same motivation as in claim 6 would apply.
Claim 15, Harris-Allen combination teaches:
when the event stream shows that the security state of the endpoint is compromised, initiating a remedial action. (e.g. Harris [0084]-[0085])
Harris teaches the event stream (see above) and does not appear to explicitly teach but Allen teaches:
the filtered event stream. (e.g. col. 4, ll. 48-52, col. 8, ll. 23-42, 62-64, col. 13, ll. 14-39)
Same motivation as in claim 6 would apply.
Claim 16, Harris-Allen combination teaches:

Harris teaches processing the event stream (see above) and does not appear to explicitly teach but Allen teaches:
processing the filtered event stream. (e.g. col. 4, ll. 48-52, col. 8, ll. 23-42, 62-64, col. 13, ll. 14-39)
Same motivation as in claim 6 would apply.
Claim 17, Harris-Allen combination teaches:
wherein the request from the threat management facility includes a request for all event data in an unfiltered event stream stored by the data recorder over a predetermined time window. (e.g. Allen col. 4, ll. 48-59, col. 8, ll. 59-67, col. 13, ll. 37-48).
Same motivation as in claim 6 would apply.
Claim 18, Harris-Allen combination teaches:
wherein the predetermined change in the security state of the endpoint includes an increased likelihood of malicious activity associated with the endpoint. (e.g. Harris [0084]-[0085]).
Claim 19, Harris teaches:
A system comprising: 

a threat management facility configured to receive the event stream from the endpoint and to process the event stream to evaluate a security state of the 
Harris teaches process the event stream into an event stream, communicate the event stream to a remote resource, receive the event stream from the endpoint and to process the event stream, respond to a predetermined 
process the event stream with a filter into a filtered event stream (e.g. col. 4, ll. 4-8, 26-30, col. 7, ll. 64-67, col. 9, ll. 61-64: The monitoring device 104 may also be communicatively coupled to the communications channel 108 such that at least a portion of the communications transmitted between the processor 102 and the protected memory 106 are replicated within the monitoring device 104…Once received by the monitoring device 104, the replicated communications may be filtered by one or more communications filters to determine if the communication contains one or more operations corresponding to the protected area of memory 106)
communicate the filtered event stream to a remote resource (e.g. col. 4, ll. 38-43, col. 8, ll. 15-25: The one or more actions performed by the anomaly detector may include publishing information corresponding to the communication to an event stream. Publishing to the event stream may include transmitting information over a network to an administrative service)
receive the filtered event stream from the endpoint and to process the filtered event stream (e.g. col. 4, ll. 48-52, col. 8, ll. 23-42, 62-64, col. 13, ll. 14-35:  The administrative service may then analyze the one or more events included in 
by transmitting a request to the endpoint for additional event data stored by the data recorder. (e.g. col. 4, ll. 48-59, col. 8, ll. 59-67, col. 13, ll. 37-48:  Returning to FIG. 8, the process 800 includes determining one or more corrective actions 808. The one or more corrective actions may include requesting more data from the monitoring device associated with the possible intrusion or malicious attack in order to gather more information corresponding to the possible intrusion or malicious attack…The administrative service may then transmit the one or more corrective actions to the monitoring device associated with the particular event. In an embodiment, the one or more corrective actions may be transmitted directly to the computing system associated with the event)
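As an added illustration (it is not part of the Office Action, the instant application, or either cited reference), the following Python sketch models the endpoint/threat-management-facility exchange that claims 1, 6, 17 and 19 recite and that the examiner maps above: a local agent records every detected change in an on-endpoint data recorder, a filter forwards only a subset of change types and object types to the facility, the facility evaluates a security state from that filtered stream, and on a predetermined state it requests the unfiltered event data for a time window back from the recorder (claim 9's pattern search across other endpoints is included as well). All names, the event types, the filter sets, the "burst of file encryption" rule and the sample events are assumptions made for this example.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int          # timestamp (assumed: seconds since boot)
    obj_type: str   # computing object type: "file", "process", "executable", ...
    obj: str        # object identifier (path, pid, ...)
    change: str     # type of change: "read", "write", "encrypt", "exec", ...


class DataRecorder:
    """Endpoint-local store of the unfiltered event stream (bounded ring buffer)."""

    def __init__(self, capacity: int = 10_000) -> None:
        self._events: deque[Event] = deque(maxlen=capacity)

    def record(self, ev: Event) -> None:
        self._events.append(ev)

    def query(self, start: int, end: int) -> list[Event]:
        """All recorded events in [start, end], filtered or not (claim 17)."""
        return [e for e in self._events if start <= e.t <= end]


class EndpointAgent:
    """Local agent: records every change, forwards only the filtered subset."""

    def __init__(self, endpoint_id: str, fwd_types: set[str], fwd_changes: set[str]) -> None:
        self.endpoint_id = endpoint_id
        self.recorder = DataRecorder()
        self._fwd_types, self._fwd_changes = fwd_types, fwd_changes
        self._outbound: list[Event] = []

    def observe(self, ev: Event) -> None:
        self.recorder.record(ev)                       # full stream -> data recorder
        if ev.obj_type in self._fwd_types and ev.change in self._fwd_changes:
            self._outbound.append(ev)                  # filter -> filtered stream

    def flush(self) -> list[Event]:
        """Hand over the filtered event stream accumulated since the last flush."""
        out, self._outbound = self._outbound, []
        return out

    def serve_request(self, start: int, end: int) -> list[Event]:
        """Answer a facility request for additional event data from the recorder."""
        return self.recorder.query(start, end)


class ThreatManagementFacility:
    """Receives filtered streams, evaluates endpoint state, pulls more data on demand."""

    ENCRYPT_THRESHOLD = 3   # assumed rule: >= 3 distinct files encrypted within WINDOW
    WINDOW = 60             # seconds (assumed)

    def __init__(self) -> None:
        self.stored: dict[str, list[Event]] = {}   # filtered stream kept per endpoint

    def ingest(self, endpoint_id: str, events: list[Event]) -> str:
        self.stored.setdefault(endpoint_id, []).extend(events)
        return self.security_state(endpoint_id)

    def security_state(self, endpoint_id: str) -> str:
        """'compromised' when the filtered stream shows a burst of file encryption."""
        evs = sorted(self.stored.get(endpoint_id, []), key=lambda e: e.t)
        encrypts = [e for e in evs if e.obj_type == "file" and e.change == "encrypt"]
        for i, first in enumerate(encrypts):
            files = {e.obj for e in encrypts[i:] if e.t - first.t <= self.WINDOW}
            if len(files) >= self.ENCRYPT_THRESHOLD:
                return "compromised"
        return "ok"

    @staticmethod
    def request_additional(agent: EndpointAgent, start: int, end: int) -> list[Event]:
        """Ask the endpoint's data recorder for all event data in a time window."""
        return agent.serve_request(start, end)

    @staticmethod
    def pattern(events: list[Event]) -> set[tuple[str, str]]:
        """(object type, change) signature of a stream, for searching other endpoints."""
        return {(e.obj_type, e.change) for e in events}

    def endpoints_matching(self, pattern: set[tuple[str, str]], exclude: str) -> list[str]:
        return [eid for eid, evs in self.stored.items()
                if eid != exclude and pattern <= self.pattern(evs)]


def demo() -> dict:
    """Constructed sample run (events invented for this example): a
    ransomware-like burst on 'host-a', a quiet 'host-b'."""
    tmf = ThreatManagementFacility()
    host_a = EndpointAgent("host-a", {"file", "process"}, {"encrypt", "exec"})
    host_b = EndpointAgent("host-b", {"file", "process"}, {"encrypt", "exec"})
    for ev in [Event(100, "process", "4242", "exec"),
               Event(101, "file", "/home/u/a.docx", "read"),
               Event(102, "file", "/home/u/a.docx", "encrypt"),
               Event(103, "file", "/home/u/b.xlsx", "read"),
               Event(104, "file", "/home/u/b.xlsx", "encrypt"),
               Event(105, "file", "/home/u/c.pdf", "encrypt"),
               Event(106, "file", "/etc/hosts", "write")]:
        host_a.observe(ev)
    host_b.observe(Event(100, "process", "77", "exec"))
    tmf.ingest("host-b", host_b.flush())
    filtered = host_a.flush()
    state = tmf.ingest("host-a", filtered)
    extra = tmf.request_additional(host_a, 95, 110) if state == "compromised" else []
    return {"filtered": len(filtered), "state": state, "additional": len(extra),
            "recovered": sum(1 for e in extra if e.change not in {"encrypt", "exec"}),
            "others": tmf.endpoints_matching(tmf.pattern(filtered), exclude="host-a")}
```

The point the example makes concrete is the one the examiner locates in Allen rather than Harris: the recorder keeps the reads and writes the filter dropped, so the facility can pull that context back after the filtered stream alone has raised the state to "compromised", instead of having every endpoint ship its full stream up front.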

Claim 20, Harris-Allen combination teaches:
wherein the threat management facility is further configured to initiate a remediation of the endpoint when the security state of the endpoint is compromised. (e.g. Harris [0080], [0084]-[0085])
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 2015/0293954 teaches an events transformer 909 may further use the configuration information to transform some or all of the network data from capture component 905 and/or events from events generator 907 into one or 
US 2015/0312267 teaches a variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is 571-272-7752.  The examiner can normally be reached on M-F 9:00AM-5:00PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, GELAGAY SHEWAYE, can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AMIE C. LIN/Examiner, Art Unit 2436