DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is responsive to an amendment filed on 12/21/2020.
Claims 1, 12 and 20 have been amended and claim 2 has been cancelled.
Applicant’s arguments/amendments with respect to pending claims 1 and 3-20 have been carefully considered and therefore the claims are rejected under new grounds. Examiner respectfully points out that this action is made final (see MPEP 706.07a).

Response to Arguments
Applicant’s arguments with respect to pending claims 1 and 3-20 have been carefully examined but they are considered moot in view of the new rejection.
.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting 

Claims 1, 3, 7, 9, 10, 12-13, 18 and 20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,540,494 in view of Morrissey et al. US 2014/0096246 (Morrisey). Claims 1-20 of US Patent No. 10,540,494 disclose most of the features of claims 1, 3, 7, 9, 10, 12-13, 18 and 20 of the instant application, except for the feature “wherein the first source identifier is determined based on monitoring network activity associated with a network transmission that downloads the first application”, similarly recited by claims 1, 12 and 20. However, such a feature is disclosed by US 2014/0096246 (Morrissey), which is one of the references used in the Office Action.  It would have been obvious to one of ordinary skill in the art to have used the featured taught by Morrissey, in order to detect untrusted applications.
"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896,225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). "ELI LILLY AND COMPANY v BARR LABORATORIES, INC. United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


	Claims 1, 3, 6-7, and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over Das et al. US 2013/0097660 A1 (hereinafter Das) in view of Das et al. US 2013/0283377 A1 (hereinafter Das’77) in view of Morrissey et al. US 2014/0096246 A1 (hereinafter Morrissey) and further in view of  Dalcher et al. US 2013/0276120 A1 (hereinafter Dalcher).
Regarding claim 1, Das substantially discloses:
A system, comprising: at least one processor; and memory storing instructions configured to instruct the at least one processor to (Das: par. 13-14, 20, 30, Fig. 1, 2; the whitelist server 17 that maintains/updates a plurality of application whitelists identifying trusted applications, “each whitelist associated with a corresponding set of policies, and each set of policies associated with a corresponding entity”; “at least a portion of the whitelist can be downloaded to one or more mobile devices remote from the whitelist server. An update to the whitelist can be identified and the update can be automatically downloaded to the one or more mobile devices”; applications not on the white list are considered untrusted; blacklists can be used in addition to whitelists):
receive, from a first computing device, a first application identifier for a first application (Das: e.g. par. 17, 20, 22, 33, 51-52; sending with a query, by a (mobile) client device, a first application manifest, including an application identifier, to the whitelists server; where the application is not yet installed, or is already installed).
Das teaches that the application manifest includes inter alia, application developer identity, but he does not appear to assign significance to said developer Das'77 discloses that the metadata associated with an application is parsed to extract at least a source identifier and a digital signature of the application, both identifying the source of the application; the aforementioned is in addition to generating an application (key) identifier (e.g. par. 22-23, 33-34, 45). The application (identifier) key and the parsed metadata (collectively referred to as application identifier) are then transmitted to a server for evaluation (assessment) of the application status (state) (par. 12, 24, 34). Said application source identifier (or source identification based on the digital signature) effectively groups applications by origin (same developer/publisher) and is used to search (a list/records in) a database to “imply”/predict a status (state) for applications, based on the reputation of a particular source (publisher) of the application (par. 45). Hence, said list/records in the database, effectively represent white and black lists (of reputations) of application sources. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Das and Das’77 to at least determine application sources and to create whitelists/blacklists of application source reputations. One would have done so, at least to allow application classification (as trusted/untrusted) even when the application was not yet assessed (application not yet included in the whitelists/blacklists for individual applications, per Das’77: par. 45). In the context of Das, the whitelists/blacklists are stored in a database at or associated with the whitelists server and are cached in part, on the (mobile) devices; the application and source identifiers are used to search 
determine a first source identifier of the first application.
Das as modified above does not appear to expressly disclose, but, in a related application, Morrissey discloses: wherein the first source identifier is determined based on monitoring network activity associated with a network transmission that downloads the first application (“metadata and related information may be received, collected and/or captured by various routines, modules and/or applications that run on the mobile device 202. For example…the download manager 216 may be adapted to capture, download and/or collect metadata about the application package when the application package is downloaded, for example, the URL from where the application was downloaded and the name of the application and/or application package”; where the metadata may be captured from the protocol used to download the application (Morrissey: par. 33); and where the metadata includes, inter alia, “information related to the source of the application package (e.g., the download URL, the download IP address, etc.)” (Morrissey: par. 26)). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Das modified and Morrisey to at least capture application source identifiers and other metadata during the download of respective applications. One would have done so, to build the metadata (Morrisey: par. 33) necessary for evaluation of the application status 
Das as modified above does not appear to expressly disclose a second computing device as claimed. However, in a related application, Dalcher discloses a hierarchical architecture comprising an administrative super (root) server that communicates with other (lower level parent) servers (corresponding to the whitelists servers of Das: par. 20) of large to small entities (Fig. 4), to determine the state of data files and/or applications on user (endpoint) computing devices (e.g. Fig. 4, 5, 8). The administrative super server stores a master white and black lists (par. 87) and the lower level servers, as well as (user) endpoint devices, store partial white and black lists in local caches (par. 38, 82, 87; Fig. 5). In operation, a user computing (endpoint) device uses the local white and black lists to determine whether an executable file (application) is trusted (whitelisted) or untrusted (blacklisted); and further, to allow or deny execution of the application based on the determining, similar to Das (par. 81-84; Fig. 5). If the application status is not found in the local cache of white and black lists, a query is sent up the hierarchy to a (lower level) server and if necessary (in cases of failure to make a determination), the query is propagated up to the administrative super server (par. 85-87; Fig. 5). The response (answer) to the query is propagated down the hierarchy to the user (endpoint) computing device, and caches of the servers in the propagation path and of the user (endpoint) computing device are updated with (data in) the answer (e.g. par. 88-92; Fig. 5). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Das as modified above and Dalcher to at least implement the hierarchical architecture of Dalcher and to extend the 
send the first application identifier and the first source identifier over a network to a second computing device (When the first application is not found on the whitelists cached at the whitelist server, the application status query is propagated up to the administrative super server, as outlined above in view of Dalcher);
receive, from the second computing device, a first state designation for the first application (The administrative super server returns a response to the status query to the whitelist server, the response is additionally used to update the caches on the whitelists server and on the computing device (Dalcher: Fig. 5; and as outlined above), the first state designation representing a trusted state or an untrusted state (The response indicates a trusted or untrusted state (Das: e.g. par. 30));
in response to receiving the first state designation, set a second state designation; and send the second state designation to the first computing device (The response to the query from the administrative super server is sent to the whitelists server, which builds a message including the answer and sends it to the (endpoint) computing device (Dalcher: Fig. 5; and as outlined above). In addition and in one .
The aforementioned covers all the limitations of claim 1.

Regarding claims 3, 6-7, and 9-11, the rejection of claim 1 under 35 U.S.C 103 is incorporated herein. In addition, Das in view of Das’77, Morrisey and Dalcher discloses:
 (3) The first source identifier is determined by detecting the first source identifier on the first computing device (Das’77: e.g. par. 22-23, 33-34, 45; and as outlined for the rejection of claim 1).
(6) The first source identifier is an IP address, a domain, or a uniform resource locator (Das’77: par. 45; where a website is identified by a URL or a domain).
(7) The second computing device is configured to store a list of trusted source identifiers, and to store first data regarding at least one trusted application for each respective trusted source identifier of the list; and the first state designation is determined based on the first data (Das’77: par. 45; and as outlined for the rejection of claim 1). 
(9) Sending the second state designation to the first computing device causes the first computing device to set an application state to untrusted (Das: e.g. par. 30, 44, 48, 54. Das’77: e.g. par. 45; malicious state for the application).
(10) The first computing device is configured to, in response to receiving the second state designation, perform at least one of blocking installation of the first application, blocking execution of the first application, disabling execution of one or more components of the first application, denying the first application access to a network, or uninstalling the first application (Das: e.g. par. 14, 33, 37, 48. Das’77: e.g. par. 45).
(11) Determine that applications from the first source identifier are untrusted; determine that the first application is identical to a second application, wherein the second application is determined to be from a trusted source; and in response to determining that the first application is identical to the second application, set the second state designation to represent a trusted state (In a scenario, a trusted application, registered in the white lists of application identifiers and of application sources, is distributed from a new source; where the new source is not trusted or not yet registered in the white lists of application sources (and thus not trusted, per Das: par. 30, 33). However, if the new source distributes an identical copy of the trusted application, the application is found in the white lists of application identifiers (Das: e.g. par. 48. Das’77: e.g. par. 44) and is classified as trusted).

Regarding claims 12 and 20, they correspond to claim 1, and claims 12 and 20 do not disclose beyond the features of claim1. Therefore, claims 12 and 20 are rejected under 35 U.S.C 103, as being unpatentable over Das in view of Das’77 in view of Morrisey and further in view of Dalcher for the same reasons outlined for the rejection of claim 1.

claims 13-19, the rejection of claim 12 under 35 U.S.C 103 is incorporated herein. In addition, Das in view of Das’77, Morrisey and Dalcher discloses:
(13) The first computing device stores the first source identifier (Das: e.g. par. 51-52; application manifest (with source identifier) is stored on the first (mobile) device).
(14) Determining the first source identifier comprises monitoring activity for a second application that is associated with the first application identifier (Das: e.g. par. 21-22, 28, 52, 55, 81; Application information is obtained from various sources and application behavior analysis performed on copies of the application (with results included in the manifest)).
(15) Monitoring activity for the second application comprises monitoring network activity on a third computing device (Das: e.g. par. 55; “knowledge gained from monitoring application activity on anyone mobile device may be aggregated and analyzed against information about similar activity obtained from other mobile devices”).
(16) Monitoring activity for the second application comprises monitoring, in a virtual machine, behavior of the second application (Das: e.g. par. 28-29, 81; monitoring application behavior in a cloud environment).
(17) Prior to receiving the first application identifier, the first source identifier is determined to be trusted, and wherein the method further comprises: after receiving the first application identifier, determining that the first source identifier is untrusted based on behavior associated with the first source identifier; and in response to determining that the first source identifier is untrusted, setting the second state designation to represent an untrusted state (Das: e.g. par. 81; “any threat or vulnerability may be temporal in nature (e.g., if an application is interacting with an IP address that is trusted” to “untrusted”).
(18) Denying, based on the determined first source identifier, access by the first computing device to a network location associated with the first source identifier (Das: e.g. par. 13, 31-34; “The [application] whitelist can be one of a plurality of whitelists, each whitelist associated with a corresponding set of policies, and each set of policies associated with a corresponding entity”. A “reputation system can protect against end users downloading and/or installing applications…that do not conform to policies of the controlling entity, such as applications that are not included in an approved list of applications (i.e., a whitelist)”. When an application is not included in the application whitelist, the “mobile device 14 (e.g., through whitelist enforcement module 22) can terminate and/or block downloading of the application”. Das modified by Das’77, extends the aforementioned reputation system to the whitelists of application source identifiers, and thus, can block the application download even when the application was not yet assessed (application not yet included in the whitelists/blacklists for individual applications, per Das’77: par. 45)).
(19) The access by the first computing device to the network location is denied further based on a policy for the first computing device set by the second computing device (Das: e.g. par. 20, 29, 35, Fig. 1; “Policies in policies database 28 [at the second computing device] may be defined, associated with, assigned or applied by a service the second computing device] may provide appropriate policies, whitelists (e.g., whitelists 30), inventory exchange, corporate application reputation scores, etc. to suitable whitelist enforcement modules 22 on mobile devices (e.g., mobile device 14)”; A “reputation system can perform a database lookup and return a reputation score, or a qualitative assessment (e.g., derived based on policies in policies database 28)”).

	Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Das’77 in view of Morrisey in view of Dalcher and further in view of Baldi US 8,843,627 B1 (hereinafter Baldi).
	Regarding claims 4 and 5, the rejection of claim 1 under 35 U.S.C 103 is incorporated herein. Das modified does not expressly disclose that the first source identifier is determined by detecting code operating in the network path, as recited claims 4-5. However, Baldi discloses “a method, system, and computer readable medium for network traffic classification that can be applied to application/traffic profiling. Specifically, for each incoming flow observed on a network, a classifier attempts to map the flow to the application from which the flow is generated”; “a signature/fingerprint for an application is dynamically (i.e., while monitoring the traffic flows) extracted for the flows”; the identity of an (not yet known) application is “discovered from further analysis of the flows classified using the newly generated signatures/fingerprints (Baldi: col. 2 line 55-col. 3 line 10; col. 21 lines 47-64). A flow in the traffic network “is identified by a 5-tuple of &lt; source IP address, destination IP 
	(4 and 5) The first source identifier is determined by detecting code that operates in the network path from a network source to the first computing device, wherein the code is detected operating in a network device (Baldi: Fig. 1A; see Data collectors 114, server node 112, client node 113; and as outlined above).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Das’77 in view of Morrisey in view of Dalcher and further in view of Kuo et al. US 2009/0083852 A1 (hereinafter Kuo).
Regarding claim 8, the rejection of claim 1 under 35 U.S.C 103 is incorporated herein. Das modified does not expressly disclose a plurality of install locations… However, Kuo discloses (e.g. par. 28, 30, 33) a whitelist server that “includes 
the first computing device is configured to use a plurality of install locations to install applications; the first application is to be installed in a first install location of the plurality of install locations; and the first state designation is determined based on the first install location (as outlined above). 



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Communications Inquiry
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADRIAN STOICA whose telephone number is (571)270-1955.  The examiner can normally be reached on Monday-Friday 9:30-6:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ADRIAN STOICA/Examiner, Art Unit 2494                                                                                                                                                                                                        
/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        3-19-2021