DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.
The claim objections have been withdrawn in view of the claim amendment. 
The rejection of claims 3 and 16 under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, has been withdrawn in view of the claim amendment.

Examiner Note
In view of ¶18 of the published specification which states that "Host 102 can include bare metal components 112 such as a processor", the term "processor" recited in claim 14 has been interpreted as a physical hardware processor.

Response to Arguments
Applicant's arguments filed on 10/18/21 have been fully considered but are moot in view of the new grounds of rejection presented below in view of newly found prior art.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 4-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Xu (US 10963565) in view of Feroz (US 20150339475) and further in view of Brickell (US 20060021029).

Claim 1, Xu discloses A method comprising: 
receiving, by a first computing environment of a computer, executable program code; (e.g. figs. 1, 5, col. 16, ll. 9-10: at 508, an application is downloaded to a computing environment of a device such as device 108)
providing, by the computer, the executable program code to a second computing environment separate from the first computing environment, (e.g. figs. 1, 5, col. 16, ll. 5-8, col. 16, ll. 66-col. 17, ll. 2: the application is transmitted from the device such as device 108 to the cloud security service 122) wherein an execution report that is associated with the executable program code is generated in response to executing the executable program code on the second computing environment; (e.g. figs. 1, 4, 5, col. 17, ll. 7-11, 28-30: the cloud security service 122 analyzes the received application using static analysis and dynamic analysis, generates a list of actions or behaviors taken by the app)
executing, by the first computing environment, the executable program code at a time subsequent to when the second computing environment generates the execution report; and receiving, by the computer, a signal indicating whether to restrict operations performed by the executable program code based on second information in the execution report. (e.g. col. 3, ll. 53-59, col. 8, ll. 45-49, col. 17, ll. 26-56, col. 18, ll. 11-18, 23-29: the device such as device 108 restricts actions or behaviors of the application based on the list of actions or behaviors taken by the app)

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Feroz into the invention of Xu for the purpose of denying and terminating requests by executable code (Feroz, ¶40).
Although Xu discloses subsequently restricting actions or behaviors of the application to only those allowable actions or behaviors (execution report), Xu does not appear to explicitly disclose that the list of allowable actions or behaviors is isolated from the first computing environment. However, Brickell discloses a technique to improve the security of a computing platform wherein a list of allowable activities by an application being executed within a sandbox virtual machine is maintained in an enforcer virtual machine and isolated from the sandbox virtual machine (e.g. ¶13, 29, 39).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Brickell into the invention of Xu-Feroz for the purpose of protecting the list of allowable actions or behaviors (execution report) from unauthorized modification or corruption by application(s) in the sandbox virtual machine thereby improving the security of the system.

Claim 2, Xu-Feroz-Brickell discloses The method of claim 1, wherein the second information relates to operations performed by the executable program code when executed on the second computing environment so that operations performed by the executable program code when executing on the first computing environment are limited to operations that were performed on the second computing environment. (Xu, e.g. col. 3, ll. 42-47, 53-59, col. 8, ll. 45-49, col. 17, ll. 26-56, col. 18, ll. 11-18, 23-29).  

Claim 4, Xu-Feroz-Brickell discloses The method of claim 1, further comprising during execution of the executable program code: detecting an operation to be performed by the executable program code; and executing the detected operation only when the second information in the execution report indicates that the detected operation was performed on the second computing environment. (Xu, e.g. col. 3, ll. 42-47, 53-59, col. 8, ll. 45-49, col. 17, ll. 26-56, col. 18, ll. 11-18, 23-29).  

Claim 5, Xu-Feroz-Brickell discloses The method of claim 1, further comprising determining whether the executable program code is identified in a list of known executable program code and providing the executable program code to the second computing environment in response to the executable program code not being in the list. (Xu, e.g. col. 16, ll. 42-54, 65-66). 

Claim 6, Xu-Feroz-Brickell discloses The method of claim 1, further wherein the first information is provided to the second computing environment in response to an attempt to execute the executable program code on the first computing environment for a first time. (Feroz, e.g. fig. 3, ¶30-31, 33, 36).  Same motivation as in claim 1 would apply.

Claim 7, Xu-Feroz-Brickell discloses The method of claim 1, further comprising receiving an indication from the second computing environment that the second computing environment generated the execution report. (Xu, e.g. fig. 5, col. 3, ll. 42-47, 53-59, col. 8, ll. 45-49, col. 17, ll. 26-56, col. 18, ll. 11-18, 23-29).  

Claim 8, Xu-Feroz-Brickell discloses The method of claim 1, further comprising receiving the execution report from the second computing environment. (Xu, e.g. fig. 5, col. 3, ll. 42-47, 53-59, col. 8, ll. 45-49, col. 17, ll. 26-56, col. 18, ll. 11-18, 23-29).  

Claims 9 and 14, these claims are rejected for similar reasons as in claim 1.

Claims 10 and 15, these claims are rejected for similar reasons as in claim 2.

Claims 11 and 17, these claims are rejected for similar reasons as in claim 4.

Claims 12 and 18, these claims are rejected for similar reasons as in claim 5.

Claim 19, this claim is rejected for similar reasons as in claim 7.

Claims 13 and 20, these claims are rejected for similar reasons as in claim 8.

Claims 3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Xu (US 10963565) in view of Feroz (US 20150339475) in view of Brickell (US 20060021029) and further in view of Kohavi (US 20180046799).

Claim 3, Xu-Feroz-Brickell discloses The method of claim 2, wherein the second information includes file-related operations and network access operations. (Xu, e.g. col. 17, ll. 28-56).  Same motivation as in claim 1 would apply.
Xu-Feroz-Brickell does not appear to explicitly disclose but Kohavi discloses system configuration operations (e.g. ¶58, 67).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kohavi into the invention of Xu-Feroz-Brickell for the purpose of monitoring and restricting OS activity of the application.

Claim 16, this claim is rejected for similar reasons as in claim 3.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 


US 20200210571 discloses receiving executable file (object) by virtual machine 103, providing the executable file (the object) to analyzer 201 of a separate security virtual machine 102 for scanning or analysis (e.g. an analysis of an object based on an events log, the events log containing all events occurring during an emulation of a code of the object; and an analysis of an object in a safe isolated environment (a sandbox), the analysis of the object in the safe isolated environment including execution of the object in the safe isolated environment) to generate information about the result of the scan, and information about result of previous scan of an executable file (object) is maintained in database 202 of the separate security virtual machine 102 isolated from the virtual machine 103 at which the executable file (the object) is located (e.g. figs. 1-2, ¶26, 31-32, 34, 38, 43, 45, 52).


US 20200210591 discloses the hypervisor 115 contains an interceptor 130 (the interceptor 130 is a module, a component, or a functional part of the hypervisor 115). The interceptor 130 intercepts the calls of API functions by the threads of the process created upon opening the file 100 in the virtual machine 120, and reads the context of the processor on which the thread which was calling the API function is being executed. It should be noted that the processor context contains at least the values of the processor registers. In one aspect, the interceptor 130 also reads the contents of the stack of function calls using previously read data contained in the processor registers pertaining to the stack (for example, memory address from the registers Extended Stack Pointer (ESP) and Extended Base Pointer (EBP)). Furthermore, the interceptor 130 aggregates the aforementioned data, saves the aggregated data (for example, in a database or in the log 150), and sends the saved data to the security module 110 after executing the process created upon opening the file 100. In turn, the security module 110 gives a verdict as to the maliciousness of the file 100 on the basis of the data from the interceptor 130. (¶37-38).


US 20190364047 discloses thin agent 234 is configured to intercept network events (e.g., network connection events), file events (e.g., file access events), system events, etc. that are generated due to calls made by applications, such as browser 232, running in VM 230 and deliver information (e.g., a type of the event, network addresses associated with the event, file names associated with the event, file locations associated with the event, etc.) about such events to the SVM 240 as further discussed herein…Accordingly, thin agent 234 indicates to the operating system whether or not to allow the event to occur, and the operating system either allows or denies the event for the application that made the call. Thin agent 234 is configured to communicate with SVM 240 in order to make an enforcement decision as to whether or not to allow the event to occur, as further discussed herein, and then indicate the enforcement decision to the operating system. (¶18).


Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:30 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436