Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is responsive to RCE filed on 2/5/2021. Claims 1-24 are canceled. Claims 25 and 41 are independent. Claims 25-50 are currently pending.

Response to Argument
Rejection to 25-50 under 35 U.S.C. 103 is withdrawn, in view of Remarks filed on 2/5/2021 and both Applicant’s and Examiner’s amendments .

Examiner's Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Applicant’s representative William W. Schaal Registration No. 39018 on 2/23/2021.

BEGAIN AMENDMENT
25.	(Currently Amended) A computerized method comprising:
s indicative of malware or a determination of a presence of malware during the execution of the suspicious object; and
subsequent to and based on the analytic results including a first event or the determination of the presence of malware, the second instrumentation being and selected to provide further analysis of the suspicious object for malwareguest  and the changing of the first instrumentation comprises changing logic associated with a process of the virtual machine running as part of a host virtual system.

26.	(Currently Amended) The computerized method of claim 25, wherein the guest 

a presence of malware within a second object the second object by the virtual machine.2

29.	(Currently Amended) The computerized method of claim [[25]]51, wherein the first event includes a timeout where no exploit has been detected during execution of the suspicious object for at least a predetermined amount of time.

30.	(Currently Amended) The computerized method of claim 25, wherein the determination of the presence of the malware 

31.	(Currently Amended) The computerized method of claim 25, wherein the first event comprises a detection of an access to a particular memory address range within a memory device.

32.	(Currently Amended) The computerized method of claim [[25]]51, wherein the reconfiguring of the virtual machine is conducted to direct has an increased likelihood, based on the analytic results, of being 

33.	(Currently Amended) The computerized method of claim 25[[32]], wherein the reconfiguring of the virtual machine is conducted so that changes to the virtual machine are transparent to a guest virtual system of the virtual machine, the guest virtual system including a guest operating system.

 35.	(Currently Amended) The computerized method of claim 25[[32]], wherein the configuring of the virtual machine with the first instrumentation further comprises uploading initial virtual machine configuration data to an instrumentation control logic, the initial virtual machine configuration data representing the first instrumentation and including a starting state for the virtual machine.

38.	(Currently Amended) The computerized method of claim 35, wherein the automatically reconfiguring of the virtual machine comprises changing operations of the virtual machine running as part of [[a]]the host virtual system for detecting exploits associated with network traffic including the suspicious object while preserving state information associated with the of the virtual machine while the guest 

39.	(Currently Amended) The computerized method of claim 25, wherein the automatically reconfiguring of the virtual machine comprises interrupting operations of the virtual machine to change an instrumentation of the virtual machine for at least the 

40.	(Currently Amended) The computerized method of claim 25, wherein the automatically reconfiguring of the virtual machine comprises interrupting operations of the virtual machine to change an instrumentation for at least the 

41.	(Currently Amended) A system for detecting malware, comprising:
a processor; and 
a non-transitory storage medium containing stored software non-transitory storage medium :
	a virtual machine configured to operate s 	indicative of malware or a determination of a presence of malware during the 	execution 
	instrumentation control logic executed by the processor, the 	instrumentation control logic to automatically reconfigure the virtual machine with 	a second instrumentation subsequent to and based on the analytic results 	including a first event or the determination of the presence of malware,  and selected to 	provide further analysis of the suspicious object for malware,
	wherein the reconfiguring of the virtual machine comprises dynamically 	changing the first instrumentation of the virtual machine to the second 	instrumentation while a guest application operating within the virtual machine 	continues to run and the changing of the first instrumentation comprises 	changing logic associated with a process of the virtual machine running as part of 	a host virtual system

42.	(Currently Amended) The system of claim 41, wherein the guest 

43.	(Currently Amended) The system of claim 41, wherein the instrumentation control logic to further reconfigure the virtual machine by at least dynamically changing an operating state of the virtual machine from a first operating state to a second operating state to more accurately detect a presence of malware within a second object the second object by the virtual machine while preserving a state of operation as perceived by the guest operating system.

45.	(Currently Amended) The system of claim 41, wherein [[the]]first event of the events includes either (i) a timeout where no exploit has been detected during execution of the suspicious object for at least a predetermined amount of time, or (ii) a detection of an exploit associated with the suspicious object based on the analytic results produced in the execution of the suspicious object within the virtual machine, or (iii) a detection of an access to a particular memory address range within a memory device.

46.	(Currently Amended) The system of claim 41, wherein the instrumentation control logic to reconfigure the virtual machine in order to direct a type of malware or the malware family that could be 

49.	(Currently Amended) The system of claim 41, wherein the instrumentation control logic configured to (i) detect [[the]]the first 

51.	(New) The computerized method of claim 25, wherein in response to the first event being a first type of event, selecting the second instrumentation that is directed to (i) detecting a type of malware that could be present within the suspicious object or (ii) detecting a malware family to which the detected malware is a member.

52.	(New) The computerized method of claim 25, wherein in response to the first event corresponding to a behavior associated with execution of the suspicious object being binary code, selecting the second instrumentation to analyze the binary code at an opcode level and a malware analysis of the suspicious object conducted by the virtual machine with the second instrumentation being more accurate than a continued analysis of the suspicious object conducted by the virtual machine with the first instrumentation.

53.	(New) The computerized method of claim 25, wherein in response to the first event corresponding to a behavior associated with execution of network traffic provided to the virtual machine, selecting the second instrumentation to alter virtual machine instrumentation to provide a more complete malware analysis of the suspicious object than further analyses of the suspicious object conducting by the virtual machine with the first instrumentation.

54.	(New) The computerized method of claim 25, wherein in response to the analytic results including the determination of the presence of malware, analyzing characteristics of the determined malware and selecting the second instrumentation targeted for future malware analyses directed to a type of the determined malware or malware types having a certain amount of correlation with the determined malware.

55.	(New) The computerized method of claim 25, wherein the virtual machine comprises the host virtual system and a guest virtual system.

56.	(New) The computerized method of claim 55, wherein the changing of the first instrumentation by reconfiguring the virtual machine with the second instrumentation remains transparent to the guest virtual system.

57.	(New) The computerized method of claim 25, wherein the determined malware is a particular exploit.

58.	(New)  The computerized method of claim 33, wherein the changes to the virtual machine include the reconfiguring of the virtual machine with the second instrumentation.
END AMENDMENT

Allowable Subject Matter
Claims 25-58 are allowed.
The following is an examiner’s statement for allowance:
This communication warrants No Examiner's Reason for Allowance. Applicant’s Remarks of 2/5/2021 on pp. 8-10 and both Applicant’s amendment of 2/5/2021 and Examiner’s amendment of 2/23/2021 make evident the reasons for allowance, satisfying the "record as a whole" proviso of the rule 37 CFR 1.104(e). As such the reasons for allowance are in all probability evident from the record and no statement is deemed necessary (see MPEP 1302.14).
 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHU CHUN GAO/Examiner, Art Unit 2437 

/ALI S ABYANEH/Primary Examiner, Art Unit 2437