DETAILED ACTION
Notice of Pre-AIA or AIA Status

1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Amendment
2. This is in response to the amendments filed on 1/19/2021. Claims 1 - 8 have been previously presented. Claims 1-8 are currently pending and have been considered below.

Terminal Disclaimer
3. The terminal disclaimer filed on 01/19/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patent No. 10534909 has been reviewed and is accepted.  The terminal disclaimer has been recorded.


Examiner’s Amendment
4. An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.



Please amend only claim 1 as follows:
1. (Currently amended) A non-transitory computer-readable media storing source code that, when executed by a processor, performs a method comprising:
receiving, by a virtual sandbox appliance, a file that has been tagged by a network security device based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device, wherein a virtual multi-tiered sandbox appliance includes a plurality of virtualization layers each having different resource requirements and wherein the plurality of virtualization layers include:
a virtualization application based environment, representing a least resource intensive virtualization layer of the plurality of virtualization layers and acting as an intermediary between executable code, an operating system (OS) application programming interface (API), and an instruction set of a particular computer architecture;
a full hypervisor based environment, representing a most resource intensive virtualization layer of the plurality of virtualization layers; and 
a container-based environment, representing an intermediate resource intensive virtualization layer of the plurality of virtualization layers; 
causing, by the virtual sandbox appliance, the file to exhibit a first set of behaviors by running the file within the virtualization application based environment;
causing, by the virtual sandbox appliance, the file to exhibit a second set of behaviors by running the file within the container based environment;
determining, by the virtual sandbox appliance, differences, if any, between the first set of behaviors and the second set of behaviors; and
classifying, by the virtual sandbox appliance, the file as malicious when the differences are greater than a predefined or configurable threshold.

Allowable Subject Matter
5. Claims 1-8 are allowed as amended.

Examiner Reason for Allowance
6. The following is an examiner’s statement of reasons for allowance: This instant application conveys the allowable subject matter of US Patent No. 10534909. Moreover, the examiner finds novel the feature whereby a file that has been tagged by a network security device based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device. The closest prior art being “Martini” (US 20170041338 A1), “Titonis” (US20180025157 A1), “Li” (US 200080039779 A1), “Gupta” (US 20180165177 A1), “Willoughby” (US 20080133616 A1) and newly searched “Aswathanarayana” (US 20170041189 A1).

Martini discloses a method is performed by data processing apparatus. The method includes identifying application signatures each representing one or more software applications, each application signature including a total score threshold and one or more operation sequences each including a plurality of sequence operations, wherein each sequence

Titonis discloses a system for providing an automated means to identify malicious applications. Thousands of malware, a number always increasing, are found in the wild that make their way from thousands of points of origin to millions of users. A malware analyst is notified of the questionable application when enough users complain, or alternatively if a malware analyst is scouting the market sites by hand or through some primitive automation. If the malware analyst dissects the application properly, it may find the static code signature, system calls, or even the network behavior, that prompted the users to complain.

Li discloses methods, and computing devices (e.g., mobile or other resource-constrained computing devices, etc.) configured to implement the methods, for efficiently identifying, predicting and responding to non-benign applications (e.g., malware, etc.) or device behaviors that could have a negative impact on the performance and/or power consumption characteristic of the computing device over time.

Gupta discloses systems and methods for debugging a web service request that is dispatched to one of a set of candidate processing environments. A method embodiment commences upon detecting a web service request that is dispatched from a dispatcher or load balancer to a target web service provider. Upon detection, one or more rules are applied over the web service request to determine if the particular request is intended to be intercepted and operated over in a debug session.

Willoughby discloses methods, apparatus and

7. What is missing from the prior art of record is a non-transitory computer-readable storage media that includes the allowable subject matter of US Patent No. 10534909 and the novel feature whereby a file that has been tagged by a network security device based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device.

Thus the prior art does not teach or suggest, either individually or in combination, the subject matter as claimed in claim 1. Therefore claim 1 is deemed allowable over the .

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 
/WILLIAM B JONES/Examiner, Art Unit 2491
/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491