Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

DETAILED ACTION
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-14 are rejected under 35 U.S.C. 102 (a)(2) as being anticipated by US 20210117544 A1 to Kurtz.
 Claim 1
Kurtz teaches a method comprising:
receiving, by a sandbox service associated with a network security platform protecting an enterprise network, from an endpoint security solution of the network security platform running on an endpoint device of the enterprise network, a file associated with sandbox-evading malware to be classified by the sandbox service and contextual information related to the file; [e.g. Kurtz – Para. 0024, 0100, 0103 – Kurtz discloses providing a file and context data (e.g. contextual information) related to the file. ] and
classifying, by the sandbox service, the file as being malware by detonating the sandbox-evading malware as a result of performing sandboxing on the file including emulating an environment of the endpoint device based on the contextual information. [e.g. Kurtz – Para. 0055, 0104, 0105, 0113, 0119, 0120 – Kurtz discloses detonating the file in a sandbox environment based on the context data and classifying the file. ]

Claim 2
Kurtz teaches the method of claim 1, wherein the contextual information is captured by the endpoint security solution responsive to detection of a suspicious or malicious event detected by the endpoint security solution that relates to a process running on the endpoint device that is associated with the file. [e.g. Kurtz – Para. 0052, 0099, 0100. ]


Claim 3
Kurtz teaches the method of claim 2, wherein the contextual information includes: command line information associated with the process; an execution chain associated with the process; information indicative of an application with which the process is associated; operating system version; file name and path; loaded dynamic linked library (DLL) files and respective names and paths; network domain name; original geo-location and time-zone; information identifying an end user associated with the process; or environment variables associated with the process. [e.g. Kurtz – Para. 0051 – Kurtz discloses various contextual information including command line, file path, filename, time, username, etc. ]

Claim 4
Kurtz teaches the method of claim 2, wherein the process being executed on the endpoint device is at least one of a file, a document, an application, an electronic mail, and an executable code. [e.g. Kurtz – Para. 0030, 0101, 0102. ]

Claim 5
Kurtz teaches the method of claim 1, wherein the emulation includes mirroring, by the sandbox service, of the environment of the endpoint device based on the contextual information related to the file. [e.g. Kurtz – Para. 0055. ]

Claim 6
Kurtz teaches the method of claim 1, wherein the network security platform is associated with a cloud-based security service. [e.g. Kurtz – Para. 0024, 0042. ]
Claim 7
Kurtz teaches the method of claim 1, wherein the sandbox service is in a form of a virtual sandbox appliance. [e.g. Kurtz – Para. 0042, 0055, 0123 ]


Regarding claims 8-14 they are manufacture claims essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons.
Conclusion



The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please check attached PTO-892 form for any additional references.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841.  The examiner can normally be reached on Monday through Friday between 8:00 AM to 4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432