Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The IDS filed 5/21/19 has been considered and entered.

Drawings
The drawings filed 5/21/19 are accepted.
Specification
The specification filed 5/21/19 is accepted.

EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in an interview with Andrew T. Spence on 9-24-2021.

The application has been amended as follows: 

a memory configured to store computer-readable program code; 
a plurality of resources including networking resources; and
processing circuitry configured to access the memory, and 
execute the computer-readable program code to cause the computer to at least: 

receive a non-executable computer file comprising one of an image file, an audio file, or a video file; 

scan, via anti-malware, the computer file for known malicious software; 

and in response to the scan via the anti-malware failing[[s]] to detect known malicious software in the computer file, perform the following steps: 
perform a dynamic operating-system-level containerization to access content contained in [[of]] the computer file comprising:[[,]]

a plurality of  isolated containers,  each container being an operating system level virtualization and  being allocated a different respective portion of the plurality of resources selected to mimic different configurations of the computer   

locate an application program designed to open and operate the contained content, the application program including second computer-readable program code;

install the located application program in each of the isolated containers including allocating a respective portion of the networking resources to the each isolated container;

for each isolated container:
use the allocated respective portion of the plurality of resources to establish one of the different configurations within the each isolated container to mimic a corresponding configuration of the computer;
	
access the content of the computer file in the each isolated container on the computer by opening and operating the contained content using the application; 

monitor execution of second computer-readable program code in the isolated container as the content of the computer file is accessed including during the opening and operating; 

quantify a pattern in the execution during the operating;

determine that the pattern indicates that the computer file contains malicious software by determining that the pattern diverges from known rules of code execution of the located application, wherein the pattern includes at least one of capturing of CPU interrupt service routines, becoming memory resident on termination, or overwriting portions of the application's virtual storage device;[[and]] 

in response to the determining, perform the following steps:
perform a remedial action including quarantining the computer file to prevent access to the computer file from outside the each isolated container; 

report the computer file and the pattern to a repository of known malicious software;

compare the pattern with known patterns of malicious execution stored in the repository;

categorize the determined malicious software in a category of malicious software;

wherein when the comparison includes a determination that the pattern is known to the repository, the reporting includes reporting the computer file and the pattern in the category; and 

wherein when the comparison includes a determination that the pattern is unknown to the repository, the reporting includes adding the category to the repository and reporting the computer file and the pattern in the category;

 comprising: 
a memory configured to store computer-readable program code; 
a plurality of resources including networking resources; and
processing circuitry configured to access the memory, and 
execute the computer-readable program code to cause the computer to implement the method to at least: 


receive a non-executable computer file comprising one of an image file, an audio file, or a video file; 

scan, via anti-malware, the computer file for known malicious software; 

and in response to the scan via the anti-malware failing to detect known malicious software in the computer file, perform the following steps: 
perform a dynamic operating-system-level containerization to access content contained in the computer file comprising:

create and launch [[an]] a plurality of  isolated containers,  each container being an operating system level virtualization and  being allocated a different respective portion of the plurality of resources selected to mimic different configurations of the computer ; 

locate an application program designed to open and operate the contained content, the application program including second computer-readable program code;

install the located application program in each of the isolated containers including allocating a respective portion of the networking resources to the each isolated container;

for each isolated container:
use the allocated respective portion of the plurality of resources to establish one of the different configurations within the each isolated container to mimic a corresponding configuration of the computer;
	
access the content of the computer file in the each isolated container on the computer by opening and operating the contained content using the application; 

monitor execution of second computer-readable program code in the isolated container as the content of the computer file is accessed including during the opening and operating; 

quantify a pattern in the execution during the operating;

determine that the pattern indicates that the computer file contains malicious software by determining that the pattern diverges from known rules of code execution of the located application, wherein the pattern includes at least one of capturing of CPU interrupt service routines, becoming memory resident on termination, or overwriting portions of the application's virtual storage device;[[and]] 

in response to the determining, perform the following steps:
perform a remedial action including quarantining the computer file to prevent access to the computer file from outside the each isolated container; 

report the computer file and the pattern to a repository of known malicious software;

compare the pattern with known patterns of malicious execution stored in the repository;

categorize the determined malicious software in a category of malicious software;

wherein when the comparison includes a determination that the pattern is known to the repository, the reporting includes reporting the computer file and the pattern in the category; and 

wherein when the comparison includes a determination that the pattern is unknown to the repository, the reporting includes adding the category to the repository and reporting the computer file and the pattern in the category.
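The following is an added illustrative model of the analysis flow recited in the claims above (pattern quantification, divergence test, per-container quarantine, repository comparison and categorization); it is not the applicant's or examiner's code, and the container names, event names and the seed repository entry are constructed assumptions.

```python
"""Illustrative model of the claimed analysis flow (added example; not the
patent's or any vendor's implementation). Container execution traces are
constructed inline; container names and event names are assumptions."""
from collections import Counter

# The three divergence indicators the claim names; anything else is treated
# as conforming to the application's known rules of code execution.
DIVERGENT = {"capture_isr", "memory_resident_on_exit", "overwrite_virtual_storage"}

def quantify_pattern(events):
    """Count divergent behaviours observed while the file was opened/operated."""
    return Counter(e for e in events if e in DIVERGENT)

def indicates_malware(pattern):
    """The claim's test: the pattern contains at least one divergent behaviour."""
    return any(pattern.values())

def report(repository, file_name, pattern):
    """Compare against known patterns; categorize, adding a category if unknown."""
    key = frozenset(pattern)            # which indicators appeared, not how often
    if key in repository:
        category, new = repository[key], False
    else:
        category = "unknown-" + "+".join(sorted(key))
        repository[key] = category      # the claim's "adding the category"
        new = True
    return {"file": file_name, "pattern": dict(pattern), "category": category, "new": new}

def analyze(file_name, traces, repository):
    """traces: {container: [events]} captured while the located app ran the file.
    Returns per-container verdicts; quarantine is per container (the file is
    kept from being accessed outside the container that detected it)."""
    results = {}
    for container, events in traces.items():
        pattern = quantify_pattern(events)
        if indicates_malware(pattern):
            results[container] = {"quarantined": True, **report(repository, file_name, pattern)}
        else:
            results[container] = {"quarantined": False}
    return results

REPOSITORY = {frozenset({"capture_isr"}): "isr-hooker"}   # constructed seed entry

TRACES = {  # constructed traces from containers mimicking different host configs
    "cfg-a": ["open", "decode", "render", "close"],
    "cfg-b": ["open", "decode", "capture_isr", "render", "close"],
    "cfg-c": ["open", "overwrite_virtual_storage", "memory_resident_on_exit"],
}

if __name__ == "__main__":
    for c, r in analyze("sample.png", TRACES, REPOSITORY).items():
        print(c, r)
```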

Allowable Subject Matter
Claims 1-24 are allowed.

The following is an examiner's statement of reasons for allowance: 
Malik et al. (US 9690936) discloses, in Fig. 4 element 400, a static malware scan that, if unsuccessful (Fig. 4 element 410), results in a dynamic malware scan (Fig. 4 element 440).

Huang et al. (US 9117079) discloses receiving a file, locating an application, installing the application in an isolation container, operating on the file, and monitoring the behavior of the application to determine if the file is malicious; see col. 5, lines 20-30, col. 6, lines 25-30, and col. 8, lines 15-25.

Alagna et al. (US 2004/0098607) discloses valid program detection routines and Trojan detection routines that gather information about the programs and look for information about the program in the operating system; see [0029].

The prior art of record does not explicitly disclose, in light of the other features recited in the independent claims, the following:
creating and launching a plurality of isolated containers;

install the located application program in each of the isolated containers including allocating a respective portion of the networking resources to the each isolated container;

for each isolated container:
use the allocated respective portion of the plurality of resources to establish one of the different configurations within the each isolated container to mimic a corresponding configuration of the computer;

access the content of the computer file in the each isolated container on the computer by opening and operating the contained content using the application; 

determine that the pattern indicates that the computer file contains malicious software by determining that the pattern diverges from known rules of code execution of the located application, wherein the pattern includes at least one of capturing of CPU interrupt service routines, becoming memory resident on termination, or overwriting portions of the application's virtual storage device.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Lynn Feild, can be reached at 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RICHARD A MCCOY/Examiner, Art Unit 2431