Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on 11/29/2021.
Claims 21-35, 37-39 are allowed. 
Claims 1-20, 36 and 40 are cancelled.
 
Allowable Subject Matter
Claims 21-35, 37-39 are allowed. 

Terminal Disclaimer
The terminal disclaimer filed on 11/29/2021 disclaiming the terminal portion of any patent granted on this application has been reviewed and is accepted.  
The terminal disclaimer has been recorded.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  
the applicant’s representative, Mr. Robert Mazzarese on 1/10/2022. 

CLAIM LISTING

This listing of claims will replace all prior versions, and listings, of claims in the application:

1-20.	(Canceled) 

21.  (Previously Presented) A system for threat detection, the system comprising:
a gateway in an enterprise, the gateway including a memory, and the gateway configured to detect a request for network traffic from an endpoint in the enterprise, the request including a destination address and the request containing a violation of a network policy for the enterprise, the gateway further configured to identify the endpoint that originated the request, and to query the endpoint to determine a source process of the request executing on the endpoint and one or more files on the endpoint operated on by the source process; and
a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the enterprise that contain the one or more files, and to cause the one or more other endpoints to change a local reputation of the one or more files on the one or more other endpoints.

22.  (Previously Presented) The system of claim 21, wherein the violation includes at least one of a prohibited Uniform Resource Identifier in the destination address, a prohibited domain in the destination address, prohibited content in the request, command and control protocol traffic for an advanced persistent threat, or a command and control location for an advanced persistent threat.



24.  (Previously Presented) The system of claim 21, wherein the threat management facility is configured to remediate the one or more other endpoints by quarantining the source process on each of the one or more other endpoints.

25.  (Previously Presented) The system of claim 21, wherein the threat management facility is configured to remediate the one or more other endpoints by terminating the source process on each of the one or more other endpoints.

26.  (Previously Presented) The system of claim 21, wherein the threat management facility is configured to remediate the one or more other endpoints by removing the one or more files on each of the one or more other endpoints.

27.  (Previously Presented) The system of claim 21, wherein the threat management facility is configured to remediate the one or more other endpoints by blocking network traffic for the one or more other endpoints.

28.  (Previously Presented) The system of claim 21, wherein the threat management facility is configured to remediate the one or more other endpoints with respect to the one or more files. 

29.  (Previously Presented) The system of claim 28, wherein the threat management facility is configured to remediate the one or more other endpoints with respect to the one or more files by blocking access to the destination address by the one or more other endpoints.

30.  (Previously Presented) The system of claim 21, wherein the gateway is configured to identify the endpoint based on a machine ID for the endpoint within a heartbeat received at the gateway from the endpoint.



32.  (Previously Presented) The system of claim 21, wherein the gateway is configured to determine the source process by querying a list, maintained on the endpoint, of network requests from processes executing on the endpoint for entries corresponding to a time of the request.

33.  (Currently Amended) A computer program product comprising non-transitory computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices in an enterprise managed by a threat management facility, performs steps including:
	detecting a request for network traffic at a gateway associated with the enterprise, the request including a destination address and the request containing a violation of a network policy for the enterprise;
	identifying an endpoint coupled to the gateway that originated the request;
	querying the endpoint from the gateway to determine a source process of the request on the endpoint and one or more files on the endpoint operated on by the source process;
	locating one or more other endpoints managed by the threat management facility that contain the one or more files; and
	remediating the one or more other endpoints by changing a reputation of the one or more files on the one or more other endpoints.

34.  (Previously Presented) The computer program product of claim 33, wherein the violation includes one or more of a prohibited Uniform Resource Identifier in the destination address, prohibited content in the request, or command and control protocol traffic for an advanced persistent threat.

35.  (Previously Presented) The computer program product of claim 33, wherein the gateway is configured to identify the endpoint based on a machine ID for the endpoint within a heartbeat received at the gateway from the endpoint.

36.  (Canceled) 

	detecting a request for network traffic at a gateway associated with an enterprise managed by a threat management facility, the request including a destination address and the request containing a violation of a network policy for the enterprise;
	identifying an endpoint coupled to the gateway that originated the request;
	querying the endpoint from the gateway to determine a source process of the request on the endpoint and one or more files on the endpoint operated on by the source process;
	locating one or more other endpoints managed by the threat management facility that contain the one or more files; and
	remediating the one or more other endpoints by changing a reputation of the one or more files on the one or more other endpoints. 

38.  (Previously Presented) The method of claim 37, wherein the violation includes one or more of a prohibited Uniform Resource Identifier in the destination address, prohibited content in the request, or command and control protocol traffic for an advanced persistent threat.

39.  (Previously Presented) The method of claim 37, wherein the gateway is configured to identify the endpoint based on a machine ID for the endpoint within a heartbeat received at the gateway from the endpoint.

40.  (Canceled) 
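To make the recited workflow concrete, the following is an added illustration (not code from the application, the applicant, or this office action) modelling the gateway, endpoint and threat management facility of independent claims 21 and 33 together with the heartbeat identification of claim 30 and the time-keyed request log of claim 32. All machine IDs, IP addresses, hostnames, process names and file hashes are constructed, and the class and method names are the example's own assumptions, not terms from the claims:

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NetRequest:
    """One entry in an endpoint's log of outbound requests, keyed by time (claim 32)."""
    ts: float            # time the process issued the request
    pid: int
    process: str
    dest: str
    files: tuple         # hashes of files the process operated on (constructed values)


@dataclass
class Endpoint:
    machine_id: str
    ip: str
    files: dict                                   # file hash -> local reputation
    request_log: list = field(default_factory=list)

    def heartbeat(self) -> dict:
        # Claim 30: the heartbeat carries the machine ID the gateway keys on.
        return {"machine_id": self.machine_id, "ip": self.ip}

    def source_process(self, ts: float, window: float = 2.0) -> Optional[NetRequest]:
        # Claim 32: answer the gateway's query by scanning the local request
        # log for the entry closest to the time of the offending request.
        hits = [r for r in self.request_log if abs(r.ts - ts) <= window]
        return min(hits, key=lambda r: abs(r.ts - ts)) if hits else None


class Gateway:
    def __init__(self, prohibited_domains):
        self.prohibited = {d.lower() for d in prohibited_domains}
        self.by_ip = {}                           # source IP -> Endpoint, learned from heartbeats

    def register(self, ep: Endpoint) -> None:
        hb = ep.heartbeat()
        self.by_ip[hb["ip"]] = ep

    def violates(self, dest: str) -> bool:
        # Policy check for claim 22's "prohibited domain in the destination address".
        host = dest.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()
        return host in self.prohibited or any(host.endswith("." + d) for d in self.prohibited)

    def inspect(self, src_ip: str, dest: str, ts: float):
        """Return (endpoint, source request) for a policy-violating request, else None."""
        if not self.violates(dest):
            return None
        ep = self.by_ip.get(src_ip)
        if ep is None:                            # no heartbeat seen: cannot attribute the request
            return None
        return ep, ep.source_process(ts)


class ThreatManagementFacility:
    def __init__(self, endpoints):
        self.endpoints = list(endpoints)

    def locate(self, hashes) -> list:
        # Find every managed endpoint holding any of the implicated files.
        return [e for e in self.endpoints if set(hashes) & set(e.files)]

    def remediate(self, origin: Endpoint, req: Optional[NetRequest]) -> list:
        # Change the local reputation of the implicated files on the *other* endpoints.
        if req is None:
            return []
        others = [e for e in self.locate(req.files) if e is not origin]
        for e in others:
            for h in req.files:
                if h in e.files:
                    e.files[h] = "bad"
        return [e.machine_id for e in others]


def run_demo():
    """Constructed scenario: three workstations, one beaconing to a prohibited domain."""
    dropper, doc = "sha256:constructed-dropper", "sha256:constructed-report"
    ws1 = Endpoint("ws-01", "10.0.0.11", {dropper: "unknown", doc: "good"},
                   [NetRequest(100.0, 4242, "updater.exe", "c2.example.invalid", (dropper,))])
    ws2 = Endpoint("ws-02", "10.0.0.12", {dropper: "unknown"})
    ws3 = Endpoint("ws-03", "10.0.0.13", {doc: "good"})
    gw = Gateway(["example.invalid"])
    for ep in (ws1, ws2, ws3):
        gw.register(ep)
    tmf = ThreatManagementFacility([ws1, ws2, ws3])

    hit = gw.inspect("10.0.0.11", "http://c2.example.invalid/beacon", 100.4)
    remediated = tmf.remediate(*hit) if hit else []
    return remediated, {e.machine_id: dict(e.files) for e in (ws1, ws2, ws3)}


if __name__ == "__main__":
    print(run_demo())
```

Running the module shows that only ws-02, which holds the same file as the originating endpoint but did not issue the request, has its local reputation for that file changed; ws-03, which shares no implicated file, is untouched. A request from a source IP with no recorded heartbeat is reported as unattributable rather than guessed at, which is the point of keying identification on the machine ID.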

Prior Art of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Marion et al US Patent 9,060,017
Davis et al US Patent 9,191,399 teaches detection of malicious packets based on source and destination address with user authorization. 
Steinberg et al US Patent 9,374,374 teaches protecting of user data with parameters such as location data, SSN, financial data and other sensitive information. 
Delatorre et al US Patent 9,055,090 teaches protection against security attacks with traffic monitoring during network event. 
Chow et al US Patent 8,020,207 teaches a malware detection and response system based on traffic pattern anomalies across a variety of protocols.
Qiu et al US Patent 8,806,630 teaches intrusion protection against improper network usage to protect a service platform with protocol transactions.
Dennerline et al US Publication 2010/0125900 teaches intrusion prevention with packet analysis in relation to intrusions. 
REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
The examiner finds the amended claims dated 1/10/2022 persuasive for the reasons of allowance set out below.
The prior art of record does not explicitly disclose, in light of the other features recited in independent claims 21, 33 and 37, the following:
Claims ‘ .. a gateway in an enterprise, the gateway including a memory, and the gateway configured to detect a request for network traffic from an endpoint in the enterprise, the request including a destination address and the request containing a violation of a network policy for the 
a threat management facility for managing the enterprise, the threat management facility coupled in a communicating relationship with the gateway, and the threat management facility configured to locate one or more other endpoints associated with the enterprise that contain the one or more files, and to cause the one or more other endpoints to change a local reputation of the one or more files on the one or more other endpoints.’ with additional detailed steps in claim(s) as described in independent claim(s) on 1/10/2022. 

However, each of the cited references, and each reference from the updated search, at least fails to teach or suggest these features in combination with the rest of the limitations recited in the independent claim(s).
None of the previously cited prior art references or reference(s) from the updated search yields any specific reference that would reasonably, either singularly or in combination with a previously cited reference, result in a reasonable and proper rejection of each of the cited feature limitations of the independent claim(s) under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Dependent claims depend on allowed independent claims, therefore they are allowed. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363.  The examiner can normally be reached from 8 am to 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431