DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
This allowance is in response to the Patent Board Decision where the Examiner was reversed on 03/19/2021. All prior art rejections were withdrawn. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Champagne Mac (Reg. No: 73,529) on 03/19/2021.  

CLAIMS
4.	The application has been amended as follows: 

1.	(Currently Amended) A system comprising:
a processor;
a memory coupled to the processor;

the security agent component configured to be operated by the processor to set intercepts for memory locations of the determined subset of memory locations and to set the intercepts by redirecting from the subset of memory locations to different memory locations.

2.	(Original) The system of claim 1, wherein the security agent component is further configured to set the intercepts by setting privilege attributes for pages which include the memory locations of the determined subset of memory locations.

3.	(Canceled) 

4.	(Original) The system of claim 1, wherein the security agent is further configured to initiate the security agent component as the hypervisor by storing processor state settings in a data structure and instructing the processor to initiate the security agent component as the hypervisor based on the data structure.

5.	(Original) The system of claim 4, wherein the security agent includes different routines for different operating systems, each of the different routines fixing as invariant a part of the data structure associated with the respective different operating system.



7.	(Canceled) 

8.	(Original) The system of claim 1, wherein the security agent is further configured to request that an operating system kernel of the system lock page table mappings of the memory locations of the subset of memory locations.

9.	(Original) The system of claim 1, wherein the security agent is further configured to determine instructions to be intercepted and the security agent component is further configured to set intercepts for the determined instructions.

10.	(Original) The system of claim 1, wherein the security agent component is further configured to remove intercepts corresponding to a process upon termination of the process.

11.	(Previously Presented) A non-transitory computer-readable medium having stored thereon executable instructions which, when executed by a computing device, cause the computing device to perform operations comprising:
identifying, by a security agent implemented on the computing device, memory locations of a subset of memory locations in memory of the computing device to be intercepted;

setting, by the security agent component, privilege attributes of the pages to prevent specific types of operations from affecting the memory locations; 
noting, by the security agent component, an operation affecting another memory location associated with one of the pages which differs from the identified memory location associated with that page; and
temporarily resetting, by the security agent component, the privilege attribute of the one of the pages to allow the operation.

12.	(Original) The non-transitory computer-readable medium of claim 11, wherein the identified memory locations include a memory location associated with privileges for a process and the setting includes setting the privilege attribute for the page including the memory location to a read-only value to prevent writes to the memory location.

13.	(Original) The non-transitory computer-readable medium of claim 11, wherein the identified memory locations include a memory location associated with user credentials and the setting includes setting the privilege attribute for the page including the memory location to an inaccessible value to prevent reads of the memory location.

14.	(Previously Presented) A computer-implemented method comprising:
identifying, by a security agent implemented on a computing device, memory locations of a subset of memory locations in memory of the computing device to be intercepted;

setting, by the security agent component, privilege attributes of the pages to prevent specific types of operations from affecting the memory locations; 
noting, by the security agent component, an operation affecting one of the identified memory locations;
in response to noting the operation, either:
temporarily resetting, by the security agent component, the privilege attribute of the page including the one of the identified memory locations to allow the operation, or
returning, by the security agent component, a false indication of success for the operation.

15.	(Original) The method of claim 14, wherein the operation is a write operation, the one of the identified memory locations is a memory location associated with privileges for a process and the setting includes setting the privilege attribute for the page including the one of the identified memory locations to a read only value to prevent write operations to the one of the identified memory locations.

16.	(Original) The method of claim 15, wherein the returning the false indication of success includes allowing the write operation to an alternate memory location and returning an indication that the write operation was successful.



18.	(Original) The method of claim 17, further comprising causing the read operation to be performed on an alternate memory location storing false or deceptive user credentials.

19.	(Original) The method of claim 18, further comprising monitoring use of the deceptive credentials.

20.	(Original) The method of claim 18, further comprising copying contents of the page including the one of the identified memory locations to a page which includes the alternate memory location storing the false or deceptive user credentials.

21.	(Original) The method of claim 14, further comprising identifying a process, thread, or module that requested the operation.

22.	(Original) The method of claim 21, further comprising, after temporarily resetting the privilege attribute, monitoring activities of the process, thread, or module.



24.	(New) A system comprising:
a processor;
a memory coupled to the processor;
a security agent configured to be operated by the processor to initiate a security agent component as a hypervisor for the system and determine a subset of memory locations in the memory to be intercepted; and
the security agent component configured to be operated by the processor to set intercepts for memory locations of the determined subset of memory locations and to intercept page out requests and prevent paging out of memory pages which include the memory locations that are to be intercepted, or to intercept page in requests in order to update knowledge of memory locations.


Examiner’s Statement of Reasons for Allowance
5.	Claims 1-2, 4-6 and 8-24 are allowed. 
6.	The present invention is directed to: a security agent configured to initiate a security agent component as a hypervisor for a computing device is described herein. The security agent is further configured to determine a subset of memory locations in memory of the computing device to be intercepted. The security agent component may then set intercepts for the determined memory locations. Setting such intercepts may 
The closest prior art, as previously recited, is Cui et al (“Cui,” US 20130152207). Newly discovered prior art includes: Bacher et al (“Bacher,” US 20170177392) and Epstein et al (“Epstein,” US 20150261690), 
Cui is directed to: technologies pertaining to detecting accesses to monitored regions of memory and transmitting data to a protection system responsive to the detecting are described herein. A region of memory that includes objects in an object graph utilized by an operating system to determine which processes to execute and an order to execute such processes is monitored. If a process executing on a processor attempts to write to an object in the object graph, a field that is being written to is identified, and a determination is made regarding whether the field includes a pointer. Based upon whether the field includes a pointer, a type of write desirably undertaken by the object is ascertained, and an object event is transmitted to the protection system that informs the protection system of the type of write.
Bacher is directed to: a method and system for transparent secure interception handling is provided. The method and system include deploying a virtual machine (VM) in 
Epstein is directed to: a data processing method comprises implementing a memory event interface to a hypercall interface of a hypervisor or virtual machine operating system to intercept page faults associated with writing pages of memory that contain a computer program; receiving a page fault resulting from a guest domain attempting to write a memory page that is marked as not executable in a memory page permissions system; determining a first set of memory page permissions for the memory page that are maintained by the hypervisor or virtual machine operating system; determining a second set of memory page permissions for the memory page that are maintained independent of the hypervisor or virtual machine operating system; determining a particular memory page permission for the memory page based on the first set and the second set; processing the page fault based on the particular memory page permission, including performing at least one security function associated with regulating access of the guest domain to the memory page.

Regarding claim 11: none of the cited prior art teaches or suggests the steps of: setting, by the security agent component, privilege attributes of the pages to prevent specific types of operations from affecting the memory locations; noting, by the security agent component, an operation affecting another memory location associated with one of the pages which differs from the identified memory location associated with that page; and temporarily resetting, by the security agent component, the privilege attribute of the one of the pages to allow the operation.
Regarding claim 14: none of the cited prior art teaches or suggests the steps of: setting, by the security agent component, privilege attributes of the pages to prevent specific types of operations from affecting the memory locations; noting, by the security agent component, an operation affecting one of the identified memory locations; in response to noting the operation, either: temporarily resetting, by the security agent component, the privilege attribute of the page including the one of the identified memory locations to allow the operation, or returning, by the security agent component, a false indication of success for the operation.

Therefore, the claims are allowable over the cited prior art. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
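
The page-granular intercept steps recited in claims 11, 14 and 16, shown as an added illustration that is not part of this Office action or of the application: a user-space C model in which guarding one byte makes its whole page read-only, writes to other bytes on that page are allowed by temporarily resetting the attribute, and writes to the guarded byte are redirected to an alternate location while reporting success. All function names, the 4 KiB page size and the byte-level granularity are assumptions made for the model.

```c
/* Added illustration; all names are hypothetical. Models page-granular
   intercepts in user space; a real hypervisor would use hardware page tables. */
#include <stddef.h>
#include <stdint.h>
#define PAGE_SIZE 4096u
#define NPAGES 4u
enum perm { PERM_RW, PERM_RO };
enum outcome { WRITE_DIRECT, WRITE_PASSTHROUGH, WRITE_DECEIVED, WRITE_BAD };

static uint8_t mem[NPAGES * PAGE_SIZE];    /* memory the guest sees */
static uint8_t shadow[NPAGES * PAGE_SIZE]; /* alternate locations for redirected writes */
static enum perm page_perm[NPAGES];        /* zero-initialized: all pages PERM_RW */
static size_t guarded[8], nguarded;        /* byte addresses to be intercepted */

/* Identify a location to intercept and mark its whole page read-only. */
int guard_location(size_t addr) {
    if (addr >= sizeof mem || nguarded == 8) return -1;
    guarded[nguarded++] = addr;
    page_perm[addr / PAGE_SIZE] = PERM_RO;
    return 0;
}
static int is_guarded(size_t addr) {
    for (size_t i = 0; i < nguarded; i++) if (guarded[i] == addr) return 1;
    return 0;
}
/* Write path: a write to a read-only page "faults" into the agent logic. */
enum outcome guest_write(size_t addr, uint8_t val) {
    if (addr >= sizeof mem) return WRITE_BAD;
    size_t pg = addr / PAGE_SIZE;
    if (page_perm[pg] == PERM_RW) { mem[addr] = val; return WRITE_DIRECT; }
    if (!is_guarded(addr)) {       /* same page, but not an identified location */
        page_perm[pg] = PERM_RW;   /* temporarily reset the attribute */
        mem[addr] = val;
        page_perm[pg] = PERM_RO;   /* re-arm the intercept */
        return WRITE_PASSTHROUGH;
    }
    shadow[addr] = val;            /* identified location: write lands elsewhere */
    return WRITE_DECEIVED;         /* caller is told the write succeeded */
}
uint8_t real_byte(size_t addr)   { return mem[addr]; }
uint8_t shadow_byte(size_t addr) { return shadow[addr]; }
enum perm perm_of(size_t addr)   { return page_perm[addr / PAGE_SIZE]; }

int main(void) {
    guard_location(PAGE_SIZE + 16);
    return guest_write(PAGE_SIZE + 16, 0x99) == WRITE_DECEIVED ? 0 : 1;
}
```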


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached on M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JAMES J WILCOX/ Examiner, Art Unit 2439



/LUU T PHAM/ Supervisory Patent Examiner, Art Unit 2439