DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 20–39 are pending for examination in the filed on 01/252022.


Claim Objections
3.	Claim 37 is objected to because of the following informalities:

Claim 37 appears to be dependent from claim 31 and should recited “The method of claim 31 ....”  Appropriate correction is required.

For purposes of examination, claim 37 will be to be dependent upon claim 31.


Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

5.	Claims 20–39 are provisionally rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 20, 22–30, and 32–39 of copending Application No. 17/400,364, in view of Bahl, US 2008/0189788 A1.
This is a provisional statutory double patenting rejection since the claims directed to the same invention have not in fact been patented.



Claim ___ of instant application, No. 17/361,861
Is not patentably distinct from claim ___ of copending application no. 17/400,364
20  (system)
20
21
27
22
22
23
23
24
24
25
25
26
26
27
27
28
28
29
29
30  (method)
30
31
37
32
32
33
33
34
34
35
35
36
36
37
37
38
38
39  (computer program product)
39



Additionally, as to claims 20, 30 and 39, copending application no. 17/400,364 also does not fully disclose:
determine a risk level of the virtual machine; and ... wherein the alerts are filtered and prioritized based on the determined risk level of the virtual machine.”

Bahl however teaches or suggests:
“determine a risk level of the virtual machine”
(Fig. 6 and ¶ 83: determined whether a change in the security state of the system has occurred ... If a change in the security state has occurred;
Fig. 7A and ¶¶ 86–87: At a step 702, a change in the security state is detected. After the step 702, processing proceeds to a step 704 at which the security state is assessed. After the step 704, processing proceeds to a step 706 where a tiered set of actions are caused to be performed. The tiered set of actions may be performed automatically following the assessment of the security state); and

“wherein the alerts are filtered and prioritized based on the determined risk level of the virtual machine”
Fig. 7A and ¶¶ 86–87: The tiered set of actions may be performed automatically following the assessment of the security state;
Fig. 4 and ¶ 66–67: Based on the risk level, the action taken by RM may include one or more of the identified actions and/or other actions. As the risk level increases, the actions taken may be cumulative of all actions taken at lower risk levels .... Generate alerts-Various types of alerts may be generated ranging from visual cues provided on the task bar to sending high-priority alerts).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bahl with the claimed invention of copending application no. 17/400,364.  The motivation or advantage to do so is to provide for the dynamic management and alleviation of virus threats based on risk levels.




Examiner’s Remarks
6.	Examiner refers to and explicitly cites particular pages, sections, figures, paragraphs or columns and lines in the references as applied to Applicant’s claims to the extent practicable to streamline prosecution.
Although the cited portions of the references are representative of the best teachings in the art and are applied to meet the specific limitations of the claims, other uncited but related teachings of the references may be equally applicable as well.  It is respectfully requested that, in preparing responses to the rejections, the Applicant fully considers not only the cited portions of the references, but also the references in their entirety, as potentially teaching, suggesting or rendering obvious all or one or more aspects of the claimed invention.

Abbreviations
7.	Where appropriate, the following abbreviations will be used when referencing Applicant’s submissions and specific teachings of the reference(s):
i.	figure / figures:		Fig. / Figs.
ii.	column / columns:		Col. / Cols.
iii.	page / pages:			p. / pp.

References Cited
8.	(A)	Chen et al., US 9,268,689 B1 (“Chen”).
	(B)	Kempe et al., US 10,469,304 B1 (“Kempe”).
	(C)	Bahl, US 2008/0189788 A1.
	(D)	Chefalas et al., US 2016/0364255 A1 (“Chefalas”).
	(E)	Palagummi, US 2011/0289584 A1.

	Chen, Kempe, Chefalas, and Palagummi were cited in the previous Office action.


Notice re prior art available under both pre-AIA  and AIA 
9.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

A.
10.	Claims 20, 22, 24–26, 28–30, 32, 34–36, and 38–39 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Chen in view of (B) Kempe and (C) Bahl.
See “References Cited” section, above, for full citations of references.

11.	Regarding claim 20, (A) Chen teaches/suggests the invention substantially as claimed, including:
“A system for inspecting data, the system comprising:
	at least one processor configured to:”
(Col. 1, lines 30–32: performing virus scans at a storage device that stores one or more virtual machine disk image files (VMDK files);
Fig. 8 and Col. 19, lines 31: processor 814);

“establish an interface between a client environment and security components ...”
(Col. 4, lines 33–37: The client component of the secure anti-virus module can provide a user interface on a client device for a user, where the 35 user interface is configured to give the user access to functionality of the secure AV module (e.g., scheduling full and incremental virus scans, scheduling snapshots));

	“generate at least one snapshot of the virtual disks of the virtual machine”
(Fig. 5, step 505 and Col. 9, lines 23–24: creating a first snapshot of a file system of a network storage device 140);

	“analyze the at least one snapshot to detect vulnerabilities”
(Fig. 5, step 510 and Col. 10, lines 8–9: performing a full virus scan of the first snapshot); and

	“report the detected vulnerabilities as alerts”
(Col. 5, lines 26–39: Anti-virus engine 180 can examine contents of a file and search for known virus definitions, or patterns of data, within the file .... The anti-virus engine can report the results of the virus scan to a user or administrator).

Chen does not teach: “using the interface, utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment; use the computing platform APIs to query a location of at least one of the identified virtual disks; receive an identification of the location of the virtual disks of the virtual machine.”

(B) Kempe however teaches or suggests:

	“using the interface, utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment”
(Col. 4, lines 41–43: Clients of the service provider may access various services of the provider network via APIs;
Col. 19, lines 62–67: network visualization service may receive a UI event from a client device on which a client private network diagram is displayed. The event may, for example, request information on a selected resource instance or connection;
Col. 23, lines 9–14: The provider data center 1000 may, for example, provide clients the ability to implement virtual computing systems (VMs 1024) via a hardware virtualization service and the ability to implement virtualized data stores 1016 on storage resources 1018 via a storage virtualization service);

	“use the computing platform APIs to query a location of at least one of the identified virtual disks; receive an identification of the location of the virtual disks of the virtual machine”
(Col. 9, lines 35–57: UI event handler 26 may obtain the requested information for the virtual resource instance either from information already collected by data collection 22 component or by querying one or more provider network management processes 12 to request the information ... examples of information for a resource component that may be thus displayed include, but are not limited to ... health information, status information, lists or ranges of IP addresses or endpoints of the respective virtual resource instance).


It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kempe with those of Chen, to provide direct client access to various functions, services, and information of the virtualization system on a cloud-computing network.  The motivation or advantage to do so is to provide greater user/admin control over the viewing, selection and managing of the (statuses and configurations of) virtual machines.



(C) Bahl however teaches or suggests:
“determine a risk level of the virtual machine”
(Fig. 6 and ¶ 83: determined whether a change in the security state of the system has occurred ... If a change in the security state has occurred;
Fig. 7A and ¶¶ 86–87: At a step 702, a change in the security state is detected. After the step 702, processing proceeds to a step 704 at which the security state is assessed. After the step 704, processing proceeds to a step 706 where a tiered set of actions are caused to be performed. The tiered set of actions may be performed automatically following the assessment of the security state); and

“wherein the alerts are filtered and prioritized based on the determined risk level of the virtual machine”
Fig. 7A and ¶¶ 86–87: The tiered set of actions may be performed automatically following the assessment of the security state;
Fig. 4 and ¶ 66–67: Based on the risk level, the action taken by RM may include one or more of the identified actions and/or other actions. As the risk level increases, the actions taken may be cumulative of all actions taken at lower risk levels .... Generate alerts-Various types of alerts may be generated ranging from visual cues provided on the task bar to sending high-priority alerts).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bahl with those of Chen and Kempe, to prioritize and provide different types of alerts (and remedial or mitigation measures) based on a security state of the virtual machine and a risk level of the detected virus/threat.  The motivation or advantage to do so is to provide for the dynamic management and alleviation of virus threats based on risk levels.



12.	Regarding claim 22, Chen teaches/suggests:
“wherein during the analysis of the at least one snapshot, the virtual machine is active”
(see Col. 11, lines 52–57; and Col. 12, lines 25–27, as applied in rejecting claim 21, above).

13.	Regarding claim 24, Chen teaches/suggests:
“wherein the at least one processor is further configured to implement a remedial action for at least one of the detected vulnerabilities”
(Col. 5, lines 39–41: antivirus engine can also be configured to remove viruses or malware from files).

14.	Regarding claim 25, Kempe teaches/suggests:
“wherein the identification of the location of the virtual disks of the virtual machine includes a virtual address of at least one of the virtual disks”
(Col. 9, lines 35–57: lists or ranges of IP addresses or endpoints of the respective virtual resource instance or lists).

15.	Regarding claim 26, Chen teaches/suggests:
“wherein the at least one snapshot includes a change log of at least one of the virtual disks configured to restore the virtual machine to a particular point in time”
(Col. 7, lines 15–20: A change log and metadata track the changes made between snapshots of the file system;
Col. 9, lines 51–52: Each VMDK file that is referenced by the snapshot FS (or simply snapshot) can be viewed as a backup image of a VMDK file;
the Examiner notes: the Examiner takes official notice that using a backup image (snapshot) to restore a system to an earlier state is a well-known application in the computing art in order to return or reestablish the system to a previously known, stable, or verified configuration).

16.	Regarding claim 28, Chen teaches/suggests:
“wherein the at least one snapshot includes a plurality of snapshots, and the at least one processor is configured to generate the plurality of snapshots according to a predetermined schedule”
(Col. 4, lines 42–60: a secure AV module can automatically (i.e., without user intervention) initiate an initial snapshot of a file system according to a default schedule (e.g., every month, every two weeks, after a threshold amount of data has been written to the file system) and/or a schedule established by the user).

17.	Regarding claim 29, Chen teaches/suggests:
“wherein the at least one processor is configured to generate the at least one snapshot in response to a predetermined trigger event”
(see Col. 4, lines 42–60, as applied in rejecting claim 29, above, teaching a default schedule).

18.	Regarding claims 30, 32, 34–36, and 38, they are the corresponding method claims reciting similar limitations of commensurate scope as the system of claims 20, 22, 24–26 and 28, respectively. Therefore, they are rejected on the same basis as claims 20, 22, 24–26 and 28 above.

19.	Regarding claim 39, it is the corresponding computer program product claim reciting similar limitations of commensurate scope as the system of claim 20. Therefore, it is rejected on the same basis as claim 20 above.


B.
Claims 21, 27, 31, and 37 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Chen in view of (B) Kempe and (C) Bahl, as applied to claims 20 and 30 above, and further in view of (D) Chefalas.

21.	Regarding claim 21, Chen and Kempe do not teach “wherein the snapshot includes a page file of memory associated with the virtual machine.”

(D) Chefalas however teaches or suggests:
“wherein the snapshot includes a page file of memory associated with the virtual machine”
(¶ 57: VM templates are created from snapshots of existing VMs, where a snapshot of a VM is a copy of the VM captured at a certain point in time. A VM (and its corresponding snapshot) may include a wide variety of information, including, but certainly not limited to: (i) log files; (ii) the state of the VM's BIOS; (iii) the contents of the VM's disk drive(s); (iv) the contents of the VM's memory (and/or a corresponding paging file);
¶ 46: Program/utility 40, having a set (at least one) of program modules 42, may be stored in memory 28 by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Chefalas with those of Chen, Kempe, and Bahl to include a page file in the virtual machine snapshot. The motivation or advantage to do so is to enable the complete restoration and re-provisioning of the virtual machine (by providing a snapshot of the VM’s working (main) memory).

22.	Regarding claim 27, Chefalas teaches/suggests:
“the page file is configured to allow deduction of one or more applications running on the virtual machine”
contents of the VM's memory (and/or a corresponding paging file);
¶ 46: Program/utility 40, having a set (at least one) of program modules 42, may be stored in memory 28 by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data).

23.	Regarding claims 31 and 37, they are the corresponding method claims reciting similar limitations of commensurate scope as the system of claims 21 and 27. Therefore, they are rejected on the same basis as claims 21 and 27 above.


C.
24.	Claims 23 and 33 are rejected under 35 U.S.C. 103 as being unpatentable over (A) Chen in view of (B) Kempe and (C) Bahl, as applied to claims 20 and 30 above, and further in view of (E) Palagummi.

25.	Regarding claim 23, Chen and Kempe do not teach “wherein reporting the detected vulnerabilities as alerts includes indicating priority levels associated with the detected vulnerabilities.”

(E) Palagummi however teaches or suggests:
“wherein reporting the detected vulnerabilities as alerts includes indicating priority levels associated with the detected vulnerabilities”
(¶ 28: In addition to the names, some embodiments will display a threat level associated with the listed virus).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine the teachings of Palagummi with those of Chen, Kempe, and Bahl to provide a threat level in the scan results. The motivation or advantage to do so is to inform user or administrator the severity of the virus threat (e.g. in assessing whether additional corrective action is necessary).

26.	Regarding claim 33, it is the corresponding method claim reciting similar limitations of commensurate scope as the system of claim 23. Therefore, it is rejected on the same basis as claim 23 above.


Response to Arguments
27.	Applicant’s arguments with respect to the claims have been considered but are moot because the arguments do not apply to any of the newly applied teachings or references being used in the current rejection.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN C WU whose telephone number is (571)270-5906.  The examiner can normally be reached on Monday through Friday, 8:30 A.M. to 5:00 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Meng-Ai An can be reached on (571)272-3756.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BENJAMIN C WU/Primary Examiner, Art Unit 2195                                                                                                                                                                                                        
March 3, 2022