DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-5 and 7-20 are pending.
The claim objections (except for the one(s) being repeated below) have been withdrawn in view of the claim amendment. 
The nonstatutory double rejection has been withdrawn in view of the approval of the Terminal Disclaimer filed on 12/15/21.

Terminal Disclaimer
The terminal disclaimer filed on 12/15/21 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of any patent granted on Application Number 16908155 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Arguments
Applicant's arguments filed on 12/13/21 have been fully considered. 
In response to Applicant’s argument that nowhere does Park teach or suggest automatically receiving an indication of suspicious information from a target user computer system associated with a target user that received the suspicious information
In response to Applicant’s argument that nowhere does Paithane teach or suggest automatically transferring the suspicious information to a virtual container upon receiving the indication of the suspicious information and executing the suspicious information within the virtual container in response to transferring the suspicious information to the virtual container (page 10 of Remarks), Examiner acknowledged Applicant’s perspective but respectfully disagreed for the following reasons.
Paithane 660 discloses the static analysis engine 170 may provide at least some of the information associated with the formatted object 226 (hereinafter generally referred to as “suspicious object” 228) to the dynamic analysis engine 175 for in-depth dynamic analysis by the VMs 180_1-180_N. (e.g. figs. 2-3, ¶44).
Paithane 660 further discloses the dynamic analysis engine 175 features one or more VMs 180_1-180_N, where each VM 180_1, . . . , or 180_N processes the suspicious object 228 within a run-time environment. For instance, as an optional feature, the dynamic analysis engine 175 may include processing logic 270 that is configured to provide anticipated signaling to the VM 180_1-180_N during processing of the suspicious object 228, and as such, emulates a source of or destination for communications with the suspicious object 228 while processed within that VM 180_1, . . . , or 180_N. As an example, the processing logic 270 may be adapted to operate by providing simulated key inputs from a keyboard, keypad or touch screen or providing certain signaling, as requested by the suspicious object 228 during run-time (e.g. ¶45-46).
Moreover, Paithane 660 discloses the dynamic analysis engine 175 may be adapted to provide the VM-based results 285 to the classification engine 250…the VM-based results 285 may include information associated with the behaviors of the suspicious object 228, which may include abnormal or unexpected system or API calls being invoked or unexpected memory accesses for example…the classification engine 250 is configured to receive the SA-based results 280 and/or the VM-based results 285 (e.g. ¶45-46).
Based on at least the above, Paithane 660 does disclose or suggest automatically transferring the suspicious information to a virtual container upon receiving the indication of the suspicious information and executing the suspicious information within the virtual container in response to transferring the suspicious information to the virtual container.
In response to Applicant’s argument that nowhere does Park teach or suggest identifying at least a signature or a pattern associated with the suspicious information, wherein the signature or the pattern is associated with one or more moves implemented by the suspicious information upon the execution of the suspicious information in the virtual container (page 10 of Remarks), Examiner acknowledged Applicant’s perspective but this argument is moot in view of the new ground of rejection presented below.
For at least the above reasons, current independent claims 1, 17, and 19 are not distinguishable over the prior art.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 7-9, 13-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Park (US 20090300761) in view of Paithane 660 (US 20180048660) and further in view of Paithane 726 (US 10671726).

Claim 1, Park discloses A system for identifying suspicious code embedded in a file in an isolated computing environment, the system comprising: 
one or more memory devices storing computer-readable code; and one or more processing devices operatively coupled to the one or more memory devices, wherein the one or more processing devices are configured to execute the computer-readable code to: (e.g. fig. 1, ¶22)
receive an indication of suspicious information; (e.g. ¶25: identification of a suspicious entity such as an unknown entity or an entity that is suspected to be malware)
identify at least a signature or a pattern associated with the suspicious information; (e.g. ¶23, 25: An "intelligent hash" is generated by identifying metadata associated with an entity, such as a file or a software application, that is both unique to the entity (i.e. specific) and largely invariant over small changes to the entity such as polymorphisms (i.e. robust). These metadata can either be extracted from the entity or generated using transformations or functions…the client 150 generates an intelligent hash of the suspicious entity, herein referred to as a "suspicious entity hash")
compare a hash of the signature or the pattern with stored hashes of signatures or patterns; (e.g. ¶24, 25: The security server 110 generates intelligent hashes for a comprehensive set of known malware threats and stores the intelligent hashes in the intelligent hash database 174…Upon receiving a suspicious entity hash from a client 150, the security server 110 evaluates the intelligent hash by comparing it to the intelligent hashes in the database 174 to determine whether the suspicious entity hash is the same or similar to the intelligent hashes in the intelligent hash database 174.)
determine that the suspicious information comprises harmful information when the hash match the stored hashes of signatures or patterns; and perform a mitigation action based on determining that the suspicious information comprises the harmful information. (e.g. ¶59-60: The suspicious entity hash reporting module 460 receives results of the suspicious entity hash evaluations from the security server 110. The results of the suspicious entity hash evaluations include: the entity associated with the highest scoring intelligent hash, whether the highest similarity score is above the similarity cutoff value and whether the entity associated with the highest scoring intelligent hash is a malware entity or an innocuous entity…If the suspicious entity hash evaluation indicates that the entity is malware (i.e. the highest scoring intelligent hash is above the similarity cutoff value and is associated with a malware entity), the suspicious entity hash reporting module 460 remediates the client 150, for example, by removing the suspicious entity and/or repairing corrupted entities on the client 150. The suspicious entity hash reporting module 460 may perform additional actions, such as alerting a user of the client 150 and logging the suspicious entity.)
Although Park discloses identify at least a signature or a pattern associated with the suspicious information (see above), Park does not appear to explicitly disclose but Paithane 660 discloses:
automatically transfer the suspicious information to a virtual container upon receiving the indication of the suspicious information; (e.g. figs. 2-3, ¶44: the static analysis engine 170 may provide at least some of the information associated with the formatted object 226 (hereinafter generally referred to as “suspicious object” 228) to the dynamic analysis engine 175 for in-depth dynamic analysis by the VMs 180_1-180_N.)
execute the suspicious information within the virtual container in response to transferring the suspicious information to the virtual container; (e.g. ¶45-46: the dynamic analysis engine 175 features one or more VMs 180_1-180_N, where each VM 180_1, . . . , or 180_N processes the suspicious object 228 within a run-time environment. For instance, as an optional feature, the dynamic analysis engine 175 may include processing logic 270 that is configured to provide anticipated signaling to the VM 180_1-180_N during processing of the suspicious object 228, and as such, emulates a source of or destination for communications with the suspicious object 228 while processed within that VM 180_1, . . . , or 180_N. As an example, the processing logic 270 may be adapted to operate by providing simulated key inputs from a keyboard, keypad or touch screen or providing certain signaling, as requested by the suspicious object 228 during run-time.)
wherein the signature or the pattern is associated with one or more moves implemented by the suspicious information upon the execution of the suspicious information in the virtual container; (e.g. ¶46-47: the dynamic analysis engine 175 may be adapted to provide the VM-based results 285 to the classification engine 250…the VM-based results 285 may include information associated with the behaviors of the suspicious object 228, which may include abnormal or unexpected system or API calls being invoked or unexpected memory accesses for example…the classification engine 250 is configured to receive the SA-based results 280 and/or the VM-based results 285. Based at least partially on the SA-based results 280 and/or VM-based results 285, the classification engine 250 evaluates the characteristic(s) within the SA-based results 280 and/or the monitored behaviors associated with the VM-based results 285 to determine whether the suspicious object 228 should be classified as “malicious”. The engine may receive one or more features as input, either individually or as a pattern of two or more features, and produces a result that may be used to identify whether the suspicious object 228 is associated with a malicious attack)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 660 into the invention of Park for the purpose of performing an in-depth dynamic analysis of the suspicious object to determine whether the suspicious object is malicious (Paithane 660, ¶44, 47).
Although Park discloses receive an indication of suspicious information (see above), Park does not appear to explicitly disclose but Paithane 726 discloses automatically receive an indication of suspicious information from a target user computer system associated with a target user that received the suspicious information; (e.g. col. 7, ll. 10-15, 22-28, 39-42: the interface 136 operates as a data capturing device (sometimes referred to as a “network tap”) that is configured to receive at least a portion of network traffic propagating to/from one or more endpoint devices 130 (hereinafter, “endpoint device(s)”) and provide information associated with the received portion of the network traffic to the first TDP 110_1…In general terms, the interface 136 is configured to capture data directed to or from one or more endpoint device(s) 130, where the captured data includes at least one object for analysis and its corresponding metadata. It should be noted that the term “user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 726 into the invention of Park-Paithane 660 for the purpose of enabling the system to analyze data object received from one or more devices for malware (col. 7, ll. 39-42).

Claim 7, Park-Paithane 660-Paithane 726 discloses The system of claim 1, wherein the indication of the suspicious information is received automatically from an organization system. (Park, e.g. ¶22, 55-56 and/or Paithane 726, e.g. col. 7, ll. 10-15, 22-28, 39-42)

Claim 8, Park-Paithane 660-Paithane 726 discloses The system of claim 1, wherein the system is an isolation system that provides physical separation and logical separation when analyzing the suspicious information.  (Park, e.g. ¶57 and/or Paithane 660, e.g. ¶45)

Claim 9, Park-Paithane 660-Paithane 726 discloses The system of claim 8, wherein the isolation system is accessed through an application programming interface located on an analyst computer system, on the isolation system, or on an application programing interface system.  (Park, e.g. ¶57 and/or Paithane 660, e.g. ¶31, 37)

Claim 13, Park-Paithane 660-Paithane 726 discloses The system of claim 1, (see above) and Paithane 726 discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: automatically set virtual environment configurations for the virtual container based on configurations of the target user computer system of the target user from which the suspicious information was received.  (e.g. col. 7, ll. 39-49, col. 9, ll. 44-53).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 726 into the invention of Park-Paithane 660 for the purpose of customizing the virtual machine to more effectively analyze an object for malware thereby improving computer security.

Claim 14, Park-Paithane 660-Paithane 726 discloses The system of claim 1, wherein the mitigation action comprises sending a notification to a user when the harmful information is identified.  (Park, e.g. ¶59.  It should be noted that the term “user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system)

Claim 15, Park-Paithane 660-Paithane 726 discloses The system of claim 1, wherein the mitigation action comprises requesting removal of the harmful information from the target user computer system, allowing an analyst user to access target user computer system of the target user to remediate the harmful information, requiring a username or password change, notifying other analyst users of the harmful information, notifying other users within an organization of the harmful information, notifying a third-party of the harmful information, blocking a website for the harmful information, preventing future download of the harmful information, or automatically deleting any future communication with the harmful information.  (Park, e.g. ¶59-60.  It should be noted that the term “user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system)

Claim 16, Park-Paithane 660-Paithane 726 discloses The system of claim 1, (see above) and Paithane 726 discloses wherein the one or more processing devices are configured to execute the computer-readable code to: store a log of each analysis action performed by an analyst user within the virtual container while analyzing the suspicious information.  (e.g. col. 3, ll. 51-col. 4, ll. 2. It should be noted that the term “analyst user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system and performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 726 into the invention of Park-Paithane 660 for the purpose of later retrieving for review by security personnel (Paithane 726, col. 4, ll. 25-27).

Claim 17, this claim is rejected for similar reasons as in claim 1.

Claim 19, this claim is rejected for similar reasons as in claim 1.

Claims 2-5, 11-12, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Park (US 20090300761) in view of Paithane 660 (US 20180048660) in view of Paithane 726 (US 10671726) and further in view of Gaetano (US 20190294778).

Claim 2, Park-Paithane 660-Paithane 726 discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: determine that the hash does not match the stored hashes of signatures or patterns; allow an analyst user to access to at least one other virtual container in order to further analyze the suspicious information when the hash does not match the stored hashes of signatures or patterns; and allow the analyst user to analyze the suspicious information in the at least one other virtual container.  (e.g. fig. 2, S220, S225, S230, S235, ¶19, 25-26.  It should be noted that the term “analyst user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system and performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Park-Paithane 660-Paithane 726 for the purpose of safely monitoring the unknown application to classify the unknown application as malicious or safe (Gaetano, ¶11, 19).

Claim 3, Park-Paithane 660-Paithane 726-Gaetano discloses The system of claim 2, wherein the one or more processing devices are further configured to execute the computer-readable code to: receive an indication from the analyst user that the suspicious information does not comprise the harmful information; and determine that the suspicious information is acceptable information. (Gaetano, e.g. fig. 2, S230, S235, S240, S245, S255, S270, ¶22, 31, 36). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Park-Paithane 660-Paithane 726 for the purpose of classifying the application as safe and updating a knowledge database with a hash of the application for future reference (Gaetano, ¶22, 36).

Claim 4, Park-Paithane 660-Paithane 726 discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: store the hash in an acceptable list comprising a plurality of acceptable signature hashes. (e.g. fig. 2, S220, S225, S230, S235, S240, S255, S270, ¶22, 36)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Park-Paithane 660-Paithane 726 for the purpose of updating a knowledge database with a hash of the application classified as safe for future reference (Gaetano, ¶22, 36).

Claim 5, Park-Paithane 660-Paithane 726 discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the mitigation action comprises discarding the virtual container. (e.g. fig. 2, S265, ¶35).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Park-Paithane 660-Paithane 726 for the purpose of preventing a malicious application from affecting the rest of the system and saving processing resources. 

Claim 11, Park-Paithane 660-Paithane 726 discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Gaetano discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: create a virtual container when the analyst user accesses the system. (e.g. ¶19.  It should be noted that the term “analyst user” covers any human, process, program, processor, device, etc. and combination thereof, that uses the system and performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gaetano into the invention of Park-Paithane 660-Paithane 726 for the purpose of safely monitoring the unknown application to classify the unknown application as malicious or safe (Gaetano, ¶11, 19).

Claim 12, Park-Paithane 660-Paithane 726-Gaetano discloses The system of claim 11, wherein the one or more processing devices are further configured to execute the computer-readable code to: receive virtual environment configurations from the analyst user for the virtual container for the suspicious information.  (Paithane 660, e.g. ¶42, 44, 51-53.  It should be noted that the term “analyst” covers any human, process, program, processor, device, etc. and combination thereof, that performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paithane 660 into the invention of Park for the purpose of enabling configuration of the virtual machine to increase the effectiveness of the virtual machine in analyzing and categorizing the suspicious object.

Claim 18, this claim is rejected for similar reasons as in claim 2.

Claim 20, this claim is rejected for similar reasons as in claim 2.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Park (US 20090300761) in view of Paithane 660 (US 20180048660) in view of Paithane 726 (US 10671726) and further in view of Kruglick (US 20160210164).

Claim 10, Park-Paithane 660-Paithane 726 discloses The system of claim 1, (see above) and does not appear to explicitly disclose but Kruglick discloses wherein the one or more processing devices are further configured to execute the computer-readable code to: create a plurality of virtual containers for a plurality of analysts, wherein each of the plurality of virtual containers are specific to each of the plurality of analysts.  (e.g. ¶18, 22, 28.  It should be noted that the term “analyst” covers any human, process, program, processor, device, etc. and combination thereof, that performs any type of analysis.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kruglick into the invention of Park-Paithane 660-Paithane 726 for the purpose of associating virtual machines with respective users and providing the respective users with reports that may assist the users in generating analytics (Kruglick, ¶18, 22).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20110271342 discloses if it is determined that the process is not included in the white list, that the virtual machine detection request corresponds to any one of the access to the file of the user terminal, the lookup of the network address of the virtual machine, and the access to the registry of the user terminal, and that the binary hash value of the virtual machine detection request is not identical to the hash value of the malicious code, the binary hash value of the virtual machine detection request is stored in the virtual machine information database (S336). Here, a separate external system analyzes processes for the file, registry, and network, and determines whether or not each process is the malicious process. If each process is the malicious process, the binary hash value is stored as the hash value of the malicious code in the virtual machine information database.


US 20170344740 discloses a device may receive a file to be analyzed in a sandbox environment, and may determine configuration information for configuring the sandbox environment. The configuration information may be determined based on at least one of: file information associated with the file to be analyzed, or client device information associated with a client device for which the file is intended. The device may configure the sandbox environment using the configuration information. The configuration information may identify a system configuration for the sandbox environment. The device may analyze the file in the sandbox environment based on configuring the sandbox environment using the configuration information. 

US 20180336351 discloses activating a container such as container 122 includes creating one or more new containers or resuming running of one or more suspended containers. Container manager 118 is additionally configured to activate one or more containers for an individual user logged into host operating system 102 and ensure that any other users of the host operating system are restricted from accessing the activated one or more containers for the individual user. Container manager 118 ensures a mapping of the user logged into host operating system 102 to the container 122. In some embodiments in which there are multiple users of host operating system 102 and multiple containers, the container manager 118 is configured to see a logged-on user's identity and directly associate that with one or more corresponding containers.

Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:30 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436