DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Regarding claim 1, the phrase "so as/such as" renders the claim indefinite because it is unclear whether the limitations following the phrase are part of the claimed invention. See MPEP § 2173.05(d).



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Lango et al., US 9,892,256, in view of Wibling et al., US 2009/0144510.

As per claim 1, Lango discloses a method in a virtualized computing environment to implement guest calls in connection with detection of malicious code, wherein the virtualized computing environment includes a guest monitoring mode (GMM) module and an agent in a guest virtual machine (VM), the method comprising:
obtaining, by the GMM module from the agent, information regarding a bit mask and an array, wherein the array is associated with a plurality of guest calls that are executable by the agent in response to setting of corresponding bits in the bit mask by the GMM module (col 9, lines 65-67, (40): At block 300, the threat defense logic 138 receives a request for an operation from guest OS 102; since the request comes from the guest OS, it can be seen as a guest call. The term “request” as used herein is an umbrella term that covers requests for operations including but not limited to system calls, hypercalls, page table update requests, file access requests, scheduling requests);
using, by the GMM module, the obtained information to insert at least one marker into code of at least one guest call of the plurality of guest calls, wherein the at least one marker identifies an execution point in the code (col 10, lines 33-40, (42): At block 301, the intermediary guest manager 110 determines that the request meets one or more of the triggers 201 for a record of the threat defense policy 140. In an embodiment, the intermediary guest manager 110 iterates through the threat defense records 200 of the threat defense policy 140 and checks the request against the one or more triggers 201 for each record. If the request meets the criteria for at least one trigger of the record, then the determination at block 301 has been made);
setting, by the GMM module, a bit in the bit mask that corresponds to the at least one guest call so as to instruct the agent to execute the at least one guest call (col 11, lines 39-51: the path of files or executables utilized by the system call (e.g. path of an executable to use to start up a process, a file to open for reading/writing, etc.), network information such as IP/port address assuming the system call accesses network resources, and so forth. For records of the threat defense policy 140 that pertain to system call filtering the one or more triggers 201 may be met when the arguments to the system call meet a particular set of criteria, such as a system call with an argument indicating a process termination operation and another argument specifying a process ID associated with a security agent.);
monitoring, by the GMM module, for completion of execution of the at least one guest call at the execution point identified by the marker (col 3, lines 60-67: two operating systems attempt to utilize the same resource, such as a screen buffer, the hypervisor or manager may need to step in and emulate that function in a way which ensures a resolution of the potential conflict. This same system of traps may also be used by the intermediary guest manager to monitor system calls. By installing traps on system calls made by applications of the guest operating system, execution is forced back into the control of the intermediary guest manager. From that point that intermediary guest manager can then inspect the system call, compare the system call against the records of the threat defense policy, and determine whether or not a remedial action (such as ignoring the system call) needs to take place.); and
in response to a failure to detect the completion of the execution at the execution point, initiating, by the GMM module, a remedial action to address malicious code (col 10, lines 54-63: At block 302, in response to determining that the request meets one or more triggers 201 for a record of the threat defense policy 140, the intermediary guest manager 110 executes the remedial actions 202 associated with the record. Depending on the actions 202 associated with the record, remediation may include ignoring the request, sending a notification, stopping the guest OS 102 from executing, reverting the guest OS 102 to a backup image, sending a negative or positive acknowledgment).

Lango does not explicitly disclose masking the bit of the guest call.

However, Wibling discloses ([0050] Returning now to the VMCI device registers summarized in Table 1, the guest call register is used to pass data from the device to the driver. In one embodiment, the guest call register is read-only, i.e., writes are ignored. A guest call is the reverse of a hypercall. That is, guest calls originate in the hypervisor and end in the guest. In one embodiment, the guest call's data/wire format is the same as that for hypercalls as shown in Table 2 above. When VMCI device 358 receives a guest call request, e.g., from VMCI framework 400, it queues the guest call structure and raises the GUEST CALL interrupt. VMCI driver 357 may be responsible for acknowledging the interrupt (as described above with reference to the "interrupt cause" register) and reading the guest call via the guest call register. Multiple guest calls can be queued, in which case, the driver may read each one in sequence. The driver may be configured to mask the guest call interrupt (as described above with reference to the "interrupt mask" register) and instead just poll the guest call register. If no guest calls are pending, the register will return an error, e.g., "VMCI_ERROR_INVALID_VECTOR." If insufficient buffer space is provided to contain a pending guest call, VMCI device 358 may be configured to return a VMCI call header containing an error such as "VMCI_ERROR_MORE_DATA" as the vector and the size of the pending guest call. [0040] The Interrupt Cause register is used to read and acknowledge device interrupts. This is a read-only register similar to the status register. When the Interrupt Cause register is read, pending interrupts are acknowledged and the register is reset to zero. When an interrupt is raised by VMCI device 317, a bit in this register is set accordingly. Bits can be masked using the Interrupt Mask register).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.


As per claim 2, Lango in view of Wibling discloses the method of claim 1, and Wibling discloses further comprising placing, by the GMM module, a write trace on the bit mask and the array to detect an attempt by the malicious code to modify the bit mask and the array (par. [0041] The Interrupt Mask register may be used to mask out bits in the Interrupt Cause register. In one embodiment, this is a read-write register. When a bit is set to 1 the corresponding bit in the Interrupt Cause register is masked out and interrupts corresponding to this bit will not be raised. In order to preserve an existing mask a device driver can perform a read/modify/write. Since read/modify/write instructions can lead to races, which is undesirable, it is also possible to employ separate registers for setting and clearing mask interrupts. In this case, writing a 1 would cause the corresponding mask bit to be either set or cleared).

Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.


As per claim 3, Lango in view of Wibling discloses the method of claim 2, and Wibling discloses wherein obtaining the information regarding the bit mask and the array includes obtaining at least one address of a memory location where the bit mask and array reside, and wherein placing the write trace includes putting the write trace on the at least one memory location for detection of an attempt by the malicious code to write into the at least one memory location ([0040] The Interrupt Cause register is used to read and acknowledge device interrupts. In one embodiment, this is a read-only register similar to the status register. When the Interrupt Cause register is read, pending interrupts are acknowledged and the register is reset to zero. When an interrupt is raised by VMCI device 317, a bit in this register is set accordingly. Bits can be masked using the Interrupt Mask register described below. In one embodiment, only a single bit is used by this register. However, it is also possible to provide multiple types of interrupts with different bits indicating different interrupt types (or "causes"). When a bit is set to one, there is one or more unacknowledged interrupts of the corresponding type pending. When a bit is set to zero, there are no unacknowledged interrupts of the corresponding type pending).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.



As per claim 4, Lango in view of Wibling discloses the method of claim 1, and Wibling discloses further comprising: in response to detection of the completion of the execution at the execution point, clearing, by the GMM module, the corresponding bit in the bit mask that was set ([0041] The Interrupt Mask register may be used to mask out bits in the Interrupt Cause register. In one embodiment, this is a read-write register. When a bit is set to 1 the corresponding bit in the Interrupt Cause register is masked out and interrupts corresponding to this bit will not be raised. In order to preserve an existing mask a device driver can perform a read/modify/write. Since read/modify/write instructions can lead to races).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.


As per claim 5, Lango in view of Wibling discloses the method of claim 1, and Lango discloses wherein initiating the remedial action includes at least one of: shutting down the guest VM, suspending the guest VM, removing the guest VM from the virtualized computing environment, or sending a report to a management server to enable the management server to alert a system administrator to investigate the failure to detect the completion of the execution (col 3, lines 25-40: Each record of the threat defense policy has a set of criteria representing suspicious behavior and a remedial action to take if that suspicious behavior is detected. Using the security agent case as an example, the record may indicate that system calls which specify to terminate a process matching the process ID of a known security agent meets the criteria and the remedial action to take in response is to ignore the system call. Other embodiments may also have drastically different remedial actions, such as sending a notification to an email account of an administrator, sending a false positive acknowledgment back to the program to “trick” the program into thinking the system call had been executed, and so forth. The remedial actions may be represented by logic or code which is executed when the criteria of the record is met to cause the remedial actions to be performed).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.



As per claim 6, Lango in view of Wibling discloses the method of claim 1, and Lango discloses further comprising setting, by the GMM module, a timer having a duration corresponding to an amount of time for the agent to complete execution at the execution point (col 4, lines 30-40: the critical structures may represent regions of memory from some initial offset that is determined at boot time. If the intermediary guest manager receives a command, such as a page table update that would attempt to write to the previously identified critical data structures, the intermediary guest manager will prevent that command from executing).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.

As per claim 7, Lango in view of Wibling discloses the method of claim 6, and Lango discloses wherein the failure to detect the completion of the execution at the execution point corresponds to an expiration of the timer (col 4, lines 30-40: the critical structures may represent regions of memory from some initial offset that is determined at boot time. If the intermediary guest manager receives a command, such as a page table update that would attempt to write to the previously identified critical data structures, the intermediary guest manager will prevent that command from executing. As a result, the guest operating system receives the technical benefit of having critical data structures that are protected regardless of the permissions the malware obtains within the guest operating system. The protections of critical or sensitive data structures may be represented in records of the threat defense policy which become triggered by memory updates/writes to regions of memory known to correspond to those data structures).

Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.
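As an added illustration (not code from the application or from the Lango or Wibling references), the following Python model walks through the claim 1 protocol together with the refinements of claims 2, 4, 6 and 7: the GMM module sets a bit to instruct the agent, the agent runs the matching guest call, a marker reports the execution point back, the bit is cleared on completion, and either a timer expiry or an unexpected in-guest write to the bit mask triggers remedial action. All class and function names are assumptions.

```python
# Model of the bit-mask guest-call protocol from claims 1, 2, 4, 6 and 7 (constructed
# illustration; names are assumptions, not the applicant's or the references' code).
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class GuestCallTable:
    """Agent-side shared state: bit i of `bitmask` corresponds to `calls[i]`."""
    calls: List[Callable[[], str]]
    bitmask: int = 0


class GMMModule:
    """Hypervisor-side guest monitoring mode module (hypothetical model)."""

    def __init__(self, table: GuestCallTable, timeout_ticks: int) -> None:
        self.table = table
        self.timeout_ticks = timeout_ticks
        self.pending: Dict[int, int] = {}    # bit -> ticks left (claim 6 timer)
        self.completed: Set[int] = set()
        self.remedial_log: List[str] = []
        self.expected_mask = table.bitmask   # shadow copy behind the write trace (claim 2)

    def insert_markers(self) -> None:
        """Claim 1: wrap each guest call so its execution point reports back."""
        for bit, call in enumerate(self.table.calls):
            self.table.calls[bit] = self._with_marker(bit, call)

    def _with_marker(self, bit: int, call: Callable[[], str]) -> Callable[[], str]:
        def marked() -> str:
            result = call()
            self._marker_reached(bit)        # marker at the end of the call body
            return result
        return marked

    def request_call(self, bit: int) -> None:
        """Set the bit that tells the agent to run calls[bit]; start the timer."""
        self.table.bitmask |= 1 << bit
        self.expected_mask = self.table.bitmask
        self.pending[bit] = self.timeout_ticks

    def _marker_reached(self, bit: int) -> None:
        if bit in self.pending:
            del self.pending[bit]
            self.completed.add(bit)
            self.table.bitmask &= ~(1 << bit)   # claim 4: clear the bit on completion
            self.expected_mask = self.table.bitmask

    def tick(self) -> None:
        """One timer tick: check the write trace, then expire overdue calls."""
        if self.table.bitmask != self.expected_mask:
            self.remedial_log.append(
                f"write trace: bit mask changed to {self.table.bitmask:#x} "
                "without GMM involvement; suspend VM")
            self.pending.clear()
            return
        for bit in list(self.pending):
            self.pending[bit] -= 1
            if self.pending[bit] <= 0:       # claim 7: expiry = completion not detected
                del self.pending[bit]
                self.remedial_log.append(
                    f"guest call {bit} never reached its marker; suspend VM")


def agent_run_once(table: GuestCallTable) -> List[str]:
    """In-guest agent: execute every guest call whose bit is currently set."""
    return [call() for bit, call in enumerate(table.calls)
            if table.bitmask & (1 << bit)]


def _setup(timeout_ticks: int = 3):
    table = GuestCallTable(calls=[lambda: "scan-memory", lambda: "send-report"])
    gmm = GMMModule(table, timeout_ticks)
    gmm.insert_markers()
    return table, gmm


def scenario_healthy():
    """Agent runs the requested call: marker reached, bit cleared, no remediation."""
    table, gmm = _setup()
    gmm.request_call(1)
    ran = agent_run_once(table)
    gmm.tick()
    return ran, table.bitmask, sorted(gmm.completed), gmm.remedial_log


def scenario_agent_killed():
    """Malware stopped the agent: nothing runs, the timer expires, GMM remediates."""
    _, gmm = _setup(timeout_ticks=3)
    gmm.request_call(0)
    for _ in range(3):
        gmm.tick()
    return gmm.remedial_log


def scenario_mask_tampered():
    """Malware clears the request bit from inside the guest; the write trace catches it."""
    table, gmm = _setup()
    gmm.request_call(0)
    table.bitmask = 0                        # unauthorised in-guest write (constructed)
    agent_run_once(table)                    # agent sees no work; marker never reached
    gmm.tick()
    return gmm.remedial_log
```

The write trace is modelled as a shadow copy compared on each tick; a real GMM would instead trap writes to the page holding the bit mask and array, as claim 3 describes.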


 
As per claim 8, Lango discloses a non-transitory computer-readable medium having instructions stored thereon, which in response to execution by one or more processors, cause the one or more processors to perform or control performance of operations to implement guest calls in connection with detection of malicious code in a virtualized computing environment (col 16, lines 15-25: Computer system 500 includes a bus 502 or other communication mechanism for communicating information, and a processor 504 coupled with bus 502 for processing information. Computer system 500 also includes a main memory 506, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 502 for storing information and instructions to be executed by processor 504. Main memory 506 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 504), wherein the virtualized computing environment includes a guest monitoring mode (GMM) module and an agent in a guest virtual machine (VM), the operations comprising:
obtaining, by the GMM module from the agent, information regarding a bit mask and an array, wherein the array is associated with a plurality of guest calls that are executable by the agent in response to setting of corresponding bits in the bit mask by the GMM module (col 9, lines 65-67, (40): At block 300, the threat defense logic 138 receives a request for an operation from guest OS 102; since the request comes from the guest OS, it can be seen as a guest call. The term “request” as used herein is an umbrella term that covers requests for operations including but not limited to system calls, hypercalls, page table update requests, file access requests, scheduling requests);
using, by the GMM module, the obtained information to insert at least one marker into code of at least one guest call of the plurality of guest calls, wherein the at least one marker identifies an execution point in the code (col 10, lines 33-40, (42): At block 301, the intermediary guest manager 110 determines that the request meets one or more of the triggers 201 for a record of the threat defense policy 140. In an embodiment, the intermediary guest manager 110 iterates through the threat defense records 200 of the threat defense policy 140 and checks the request against the one or more triggers 201 for each record. If the request meets the criteria for at least one trigger of the record, then the determination at block 301 has been made);
setting, by the GMM module, a bit in the bit mask that corresponds to the at least one guest call so as to instruct the agent to execute the at least one guest call (col 11, lines 39-51: the path of files or executables utilized by the system call (e.g. path of an executable to use to start up a process, a file to open for reading/writing, etc.), network information such as IP/port address assuming the system call accesses network resources, and so forth. For records of the threat defense policy 140 that pertain to system call filtering the one or more triggers 201 may be met when the arguments to the system call meet a particular set of criteria, such as a system call with an argument indicating a process termination operation and another argument specifying a process ID associated with a security agent.);
monitoring, by the GMM module, for completion of execution of the at least one guest call at the execution point identified by the marker (col 3, lines 60-67: two operating systems attempt to utilize the same resource, such as a screen buffer, the hypervisor or manager may need to step in and emulate that function in a way which ensures a resolution of the potential conflict. This same system of traps may also be used by the intermediary guest manager to monitor system calls. By installing traps on system calls made by applications of the guest operating system, execution is forced back into the control of the intermediary guest manager. From that point that intermediary guest manager can then inspect the system call, compare the system call against the records of the threat defense policy, and determine whether or not a remedial action (such as ignoring the system call) needs to take place.); and
in response to a failure to detect the completion of the execution at the execution point, initiating, by the GMM module, a remedial action to address malicious code (col 10, lines 54-63: At block 302, in response to determining that the request meets one or more triggers 201 for a record of the threat defense policy 140, the intermediary guest manager 110 executes the remedial actions 202 associated with the record. Depending on the actions 202 associated with the record, remediation may include ignoring the request, sending a notification, stopping the guest OS 102 from executing, reverting the guest OS 102 to a backup image, sending a negative or positive acknowledgment).

Lango does not explicitly disclose masking the bit of the guest call.
However, Wibling discloses ([0050] Returning now to the VMCI device registers summarized in Table 1, the guest call register is used to pass data from the device to the driver. In one embodiment, the guest call register is read-only, i.e., writes are ignored. A guest call is the reverse of a hypercall. That is, guest calls originate in the hypervisor and end in the guest. In one embodiment, the guest call's data/wire format is the same as that for hypercalls as shown in Table 2 above. When VMCI device 358 receives a guest call request, e.g., from VMCI framework 400, it queues the guest call structure and raises the GUEST CALL interrupt. VMCI driver 357 may be responsible for acknowledging the interrupt (as described above with reference to the "interrupt cause" register) and reading the guest call via the guest call register. Multiple guest calls can be queued, in which case, the driver may read each one in sequence. The driver may be configured to mask the guest call interrupt (as described above with reference to the "interrupt mask" register) and instead just poll the guest call register. If no guest calls are pending, the register will return an error, e.g., "VMCI_ERROR_INVALID_VECTOR." If insufficient buffer space is provided to contain a pending guest call, VMCI device 358 may be configured to return a VMCI call header containing an error such as "VMCI_ERROR_MORE_DATA" as the vector and the size of the pending guest call. [0040] The Interrupt Cause register is used to read and acknowledge device interrupts. In one embodiment, this is a read-only register similar to the status register. When the Interrupt Cause register is read, pending interrupts are acknowledged and the register is reset to zero. When an interrupt is raised by VMCI device 317, a bit in this register is set accordingly. Bits can be masked using the Interrupt Mask register).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.

As per claim 9, Lango in view of Wibling discloses the non-transitory computer-readable medium of claim 8, and Wibling discloses wherein the operations further comprise: placing, by the GMM module, a write trace on the bit mask and the array to detect an attempt by the malicious code to modify the bit mask and the array (par. [0041] The Interrupt Mask register may be used to mask out bits in the Interrupt Cause register. In one embodiment, this is a read-write register. When a bit is set to 1 the corresponding bit in the Interrupt Cause register is masked out and interrupts corresponding to this bit will not be raised. In order to preserve an existing mask a device driver can perform a read/modify/write. Since read/modify/write instructions can lead to races, which is undesirable, it is also possible to employ separate registers for setting and clearing mask interrupts. In this case, writing a 1 would cause the corresponding mask bit to be either set or cleared).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.


As per claim 10, Lango in view of Wibling discloses the non-transitory computer-readable medium of claim 9, and Wibling discloses wherein obtaining the information regarding the bit mask and the array includes obtaining at least one address of a memory location where the bit mask and array reside, and wherein placing the write trace includes putting the write trace on the at least one memory location for detection of an attempt by the malicious code to write into the at least one memory location ([0040] The Interrupt Cause register is used to read and acknowledge device interrupts. In one embodiment, this is a read-only register similar to the status register. When the Interrupt Cause register is read, pending interrupts are acknowledged and the register is reset to zero. When an interrupt is raised by VMCI device 317, a bit in this register is set accordingly. Bits can be masked using the Interrupt Mask register described below. In one embodiment, only a single bit is used by this register. However, it is also possible to provide multiple types of interrupts with different bits indicating different interrupt types (or "causes"). When a bit is set to one, there is one or more unacknowledged interrupts of the corresponding type pending. When a bit is set to zero, there are no unacknowledged interrupts of the corresponding type pending).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.

As per claim 11, Lango in view of Wibling discloses the non-transitory computer-readable medium of claim 8, and Wibling discloses wherein the operations further comprise: in response to detection of the completion of the execution at the execution point, clearing, by the GMM module, the corresponding bit in the bit mask that was set ([0041] The Interrupt Mask register may be used to mask out bits in the Interrupt Cause register. This is a read-write register. When a bit is set to 1 the corresponding bit in the Interrupt Cause register is masked out and interrupts corresponding to this bit will not be raised. In order to preserve an existing mask a device driver can perform a read/modify/write. Since read/modify/write instructions can lead to races).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.



As per claim 12, Lango in view of Wibling discloses the non-transitory computer-readable medium of claim 8, and Lango discloses wherein initiating the remedial action includes at least one of: shutting down the guest VM, suspending the guest VM, removing the guest VM from the virtualized computing environment, or sending a report to a management server to enable the management server to alert a system administrator to investigate the failure to detect the completion of the execution (col 3, lines 25-40: Each record of the threat defense policy has a set of criteria representing suspicious behavior and a remedial action to take if that suspicious behavior is detected. Using the security agent case as an example, the record may indicate that system calls which specify to terminate a process matching the process ID of a known security agent meets the criteria and the remedial action to take in response is to ignore the system call. Other embodiments may also have drastically different remedial actions, such as sending a notification to an email account of an administrator, sending a false positive acknowledgment back to the program to “trick” the program into thinking the system call had been executed, and so forth. The remedial actions may be represented by logic or code which is executed when the criteria of the record is met to cause the remedial actions to be performed).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.


As per claim 13, Lango in view of Wibling discloses the non-transitory computer-readable medium of claim 8, and Lango discloses wherein the operations further comprise: setting, by the GMM module, a timer having a duration corresponding to an amount of time for the agent to complete execution at the execution point (col 4, lines 30-40: the critical structures may represent regions of memory from some initial offset that is determined at boot time. If the intermediary guest manager receives a command, such as a page table update that would attempt to write to the previously identified critical data structures, the intermediary guest manager will prevent that command from executing).

Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call in Wibling, because doing so would prevent call spoofing in the virtual machine.


 	As per claim 14, Lango in view of Wibling discloses the non-transitory computer-readable medium of claim 13, Lango discloses wherein the failure to detect the completion of the execution at the execution point corresponds to an expiration of the timer (col 4, lines 30-40 the critical structures may represent regions of memory from some initial offset that is determined at boot time. If the intermediary guest manager receives a command, such as a page table update that would attempt to write to the previously identified critical data structures, the intermediary guest manager will prevent that command from executing. As a result, the guest operating system receives the technical benefit of having critical data structures that are protected regardless of the permissions the malware obtains within the guest operating system. The protections of critical or sensitive data structures may be represented in records of the threat defense policy which become triggered by memory updates/writes to regions of memory known to correspond to those data structures). 
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.



As per claim 15, Lango discloses a host in a virtualized computing environment, the host comprising: a processor; and a non-transitory computer-readable medium coupled to the processor and having instructions stored thereon, which in response to execution by the processor, provide a guest monitoring mode (GMM) module and an agent in a guest virtual machine (VM), wherein the instructions, further in response to execution by the processor, cause the processor to perform or control performance of operations to implement guest calls in connection with detection of malicious code in the virtualized computing environment, and wherein the operations include: (col 16, lines 15-25, Computer system 500 includes a bus 502 or other communication mechanism for communicating information, and a processor 504 coupled with bus 502 for processing information. Computer system 500 also includes a main memory 506, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 502 for storing information and instructions to be executed by processor 504. Main memory 506 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 504), wherein the virtualized computing environment includes a guest monitoring mode (GMM) module and an agent in a guest virtual machine (VM), the operations comprising:
obtain, by the GMM module from the agent, information regarding a bit mask and an array, wherein the array is associated with a plurality of guest calls that are executable by the agent in response to setting of corresponding bits in the bit mask by the GMM module (col 9, lines 65-67, (40) At block 300, the threat defense logic 138 receives a request for an operation from guest OS 102; since the request originates from the guest OS, it can be seen as a guest call. The term “request” as used herein is an umbrella term that covers requests for operations including but not limited to system calls, hypercalls, page table update requests, file access requests, scheduling requests);
use, by the GMM module, the obtained information to insert at least one marker into code of at least one guest call of the plurality of guest calls, wherein the at least one marker identifies an execution point in the code (col 10, lines 33-40, (42) At block 301, the intermediary guest manager 110 determines that the request meets one or more of the triggers 201 for a record of the threat defense policy 140. In an embodiment, the intermediary guest manager 110 iterates through the threat defense records 200 of the threat defense policy 140 and checks the request against the one or more triggers 201 for each record. If the request meets the criteria for at least one trigger of the record, then the determination at block 301 has been made);
set, by the GMM module, a bit in the bit mask that corresponds to the at least one guest call so as to instruct the agent to execute the at least one guest call (col 11, lines 39-51, the path of files or executables utilized by the system call (e.g. path of an executable to use to start up a process, a file to open for reading/writing, etc.), network information such as IP/port address assuming the system call accesses network resources, and so forth. For records of the threat defense policy 140 that pertain to system call filtering the one or more triggers 201 may be met when the arguments to the system call meet a particular set of criteria, such as a system call with an argument indicating a process termination operation and another argument specifying a process ID associated with a security agent.);
monitor, by the GMM module, for completion of execution of the at least one guest call at the execution point identified by the marker (col 3, lines 60-67, two operating systems attempt to utilize the same resource, such as a screen buffer, the hypervisor or manager may need to step in and emulate that function in a way which ensures a resolution of the potential conflict. This same system of traps may also be used by the intermediary guest manager to monitor system calls. By installing traps on system calls made by applications of the guest operating system, execution is forced back into the control of the intermediary guest manager. From that point the intermediary guest manager can then inspect the system call, compare the system call against the records of the threat defense policy, and determine whether or not a remedial action (such as ignoring the system call) needs to take place.); and
in response to a failure to detect the completion of the execution at the execution point, initiating, by the GMM module, a remedial action to address malicious code (col 10, lines 54-63, At block 302, in response to determining that the request meets one or more triggers 201 for a record of the threat defense policy 140, the intermediary guest manager 110 executes the remedial actions 202 associated with the record. Depending on the actions 202 associated with the record, remediation may include ignoring the request, sending a notification, stopping the guest OS 102 from executing, reverting the guest OS 102 to a backup image, sending a negative or positive acknowledgment).

Lango does not explicitly disclose masking the bit of the guest call.
However, Wibling discloses ([0050] Returning now to the VMCI device registers summarized in Table 1, the guest call register is used to pass data from the device to the driver. In one embodiment, the guest call register is read-only, i.e., writes are ignored. A guest call is the reverse of a hypercall. That is, guest calls originate in the hypervisor and end in the guest. In one embodiment, the guest call's data/wire format is the same as that for hypercalls as shown in Table 2 above. When VMCI device 358 receives a guest call request, e.g., from VMCI framework 400, it queues the guest call structure and raises the GUEST CALL interrupt. VMCI driver 357 may be responsible for acknowledging the interrupt (as described above with reference to the "interrupt cause" register) and reading the guest call via the guest call register. Multiple guest calls can be queued, in which case, the driver may read each one in sequence. The driver may be configured to mask the guest call interrupt (as described above with reference to the "interrupt mask" register) and instead just poll the guest call register. If no guest calls are pending, the register will return an error, e.g., "VMCI_ERROR_INVALID_VECTOR." If insufficient buffer space is provided to contain a pending guest call, VMCI device 358 may be configured to return a VMCI call header containing an error such as "VMCI_ERROR_MORE_DATA" as the vector and the size of the pending guest call. [0040] The Interrupt Cause register is used to read and acknowledge device interrupts. In one embodiment, this is a read-only register similar to the status register. When the Interrupt Cause register is read, pending interrupts are acknowledged and the register is reset to zero. When an interrupt is raised by VMCI device 317, a bit in this register is set accordingly. Bits can be masked using the Interrupt Mask register).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.

As per claim 16, Lango in view of Wibling discloses the host of claim 15, Wibling discloses wherein the operations further comprise: place, by the GMM module, a write trace on the bit mask and the array to detect an attempt by the malicious code to modify the bit mask and the array ([0041] The Interrupt Mask register may be used to mask out bits in the Interrupt Cause register. In one embodiment, this is a read-write register. When a bit is set to 1 the corresponding bit in the Interrupt Cause register is masked out and interrupts corresponding to this bit will not be raised. In order to preserve an existing mask a device driver can perform a read/modify/write. Since read/modify/write instructions can lead to races, which is undesirable, it is also possible to employ separate registers for setting and clearing mask interrupts. In this case, writing a 1 would cause the corresponding mask bit to be either set or cleared).

Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.


As per claim 17, Lango in view of Wibling discloses the host of claim 16, Wibling discloses wherein the operation to obtain the information regarding the bit mask and the array includes an operation to obtain at least one address of a memory location where the bit mask and array reside, and wherein the operation to place the write trace includes an operation to put the write trace on the at least one memory location for detection of an attempt by the malicious code to write into the at least one memory location ([0040] The Interrupt Cause register is used to read and acknowledge device interrupts. In one embodiment, this is a read-only register similar to the status register. When the Interrupt Cause register is read, pending interrupts are acknowledged and the register is reset to zero. When an interrupt is raised by VMCI device 317, a bit in this register is set accordingly. Bits can be masked using the Interrupt Mask register described below. In one embodiment, only a single bit is used by this register. However, it is also possible to provide multiple types of interrupts with different bits indicating different interrupt types (or "causes"). When a bit is set to one, there is one or more unacknowledged interrupts of the corresponding type pending. When a bit is set to zero, there are no unacknowledged interrupts of the corresponding type pending).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.



As per claim 18, Lango in view of Wibling discloses the host of claim 15, Wibling discloses wherein the operations further comprise: in response to detection of the completion of the execution at the execution point, clear, by the GMM module, the corresponding bit in the bit mask that was set ([0041] The Interrupt Mask register may be used to mask out bits in the Interrupt Cause register. In one embodiment, this is a read-write register. When a bit is set to 1 the corresponding bit in the Interrupt Cause register is masked out and interrupts corresponding to this bit will not be raised. In order to preserve an existing mask a device driver can perform a read/modify/write. Since read/modify/write instructions can lead to races).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.


As per claim 19, Lango in view of Wibling discloses the host of claim 15, Lango discloses wherein the operation to initiate the remedial action includes an operation to at least one of: shut down the guest VM, suspend the guest VM, remove the guest VM from the virtualized computing environment, or send a report to a management server to enable the management server to alert a system administrator to investigate the failure to detect the completion of the execution (col 3, lines 25-40, Each record of the threat defense policy has a set of criteria representing suspicious behavior and a remedial action to take if that suspicious behavior is detected. Using the security agent case as an example, the record may indicate that system calls which specify to terminate a process matching the process ID of a known security agent meets the criteria and the remedial action to take in response is to ignore the system call. Other embodiments may also have drastically different remedial actions, such as sending a notification to an email account of an administrator, sending a false positive acknowledgment back to the program to “trick” the program into thinking the system call had been executed, and so forth. The remedial actions may be represented by logic or code which is executed when the criteria of the record is met to cause the remedial actions to be performed).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.



As per claim 20, Lango in view of Wibling discloses the host of claim 15, Lango discloses wherein the operations further comprise: set, by the GMM module, a timer having a duration corresponding to an amount of time for the agent to complete execution at the execution point (col 4, lines 30-40, the critical structures may represent regions of memory from some initial offset that is determined at boot time. If the intermediary guest manager receives a command, such as a page table update that would attempt to write to the previously identified critical data structures, the intermediary guest manager will prevent that command from executing).
Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.

 

As per claim 21, Lango in view of Wibling discloses the host of claim 20, Lango discloses wherein the failure to detect the completion of the execution at the execution point corresponds to an expiration of the timer (col 4, lines 30-40, the critical structures may represent regions of memory from some initial offset that is determined at boot time. If the intermediary guest manager receives a command, such as a page table update that would attempt to write to the previously identified critical data structures, the intermediary guest manager will prevent that command from executing. As a result, the guest operating system receives the technical benefit of having critical data structures that are protected regardless of the permissions the malware obtains within the guest operating system. The protections of critical or sensitive data structures may be represented in records of the threat defense policy which become triggered by memory updates/writes to regions of memory known to correspond to those data structures).


Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the method of determining the guest call and providing the remedial actions of Lango, based on the teaching of masking the bit of the guest call of Wibling, because doing so would prevent call spoofing in the virtual machine.
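For reference, the following is an added illustrative model of the operations recited in claims 15-21 (a bit mask and array shared by the GMM module and the agent, markers at execution points, a completion timer, clearing of the bit on completion, a write trace on the bit mask and array, and a remedial action on timeout or tampering). It is not code from the Lango or Wibling references or from the applicant's specification; all class, method and action names are assumptions, and time is a simulated integer clock.

```python
# Added example (hypothetical; not from Lango, Wibling, or the application).
# The GMM owns the bit mask and the array of guest-call names. Setting bit i
# instructs the agent to execute array[i]; a marker names the execution point
# whose arrival is reported back; a timer bounds the wait; the write trace is
# modelled as a shadow copy compared against the live bit mask and array.

class GuestMonitoringMode:
    def __init__(self, guest_calls, timeout):
        self.array = list(guest_calls)       # index -> guest call name
        self.bitmask = 0                     # bit i set => agent must run array[i]
        self.timeout = timeout               # simulated time units per guest call
        self.markers = {}                    # marker id -> index of guest call
        self.deadlines = {}                  # index -> time by which marker must be hit
        self.remedial = []                   # remedial actions taken (audit log)
        self._shadow = self._snapshot()      # write trace: GMM's own view of memory

    def _snapshot(self):
        return (self.bitmask, tuple(self.array))

    def insert_markers(self):
        # One marker per guest call; the marker identifies the execution point.
        for i, name in enumerate(self.array):
            self.markers[f"{name}:exit"] = i
        return sorted(self.markers)

    def set_bit(self, i, now):
        # Instruct the agent to execute array[i] and arm the completion timer.
        self.bitmask |= 1 << i
        self.deadlines[i] = now + self.timeout
        self._shadow = self._snapshot()      # the GMM's own write is expected
        return self.bitmask

    def marker_reached(self, marker, now):
        # Agent reports the execution point; clear the bit only if still in time.
        self.check_write_trace()
        i = self.markers[marker]
        if now <= self.deadlines.get(i, -1) and self.bitmask & (1 << i):
            self.bitmask &= ~(1 << i)
            del self.deadlines[i]
            self._shadow = self._snapshot()
            return True
        return False

    def tick(self, now):
        # Timer expiry without a detected completion triggers a remedial action.
        self.check_write_trace()
        for i, deadline in list(self.deadlines.items()):
            if now > deadline and self.bitmask & (1 << i):
                self.remedial.append(f"timeout:{self.array[i]}:suspend-vm")
                del self.deadlines[i]
        return self.remedial

    def check_write_trace(self):
        # Any change to the bit mask or array not made through the GMM is tampering.
        if self._snapshot() != self._shadow:
            self.remedial.append("write-trace:bitmask-or-array-modified:suspend-vm")
            self._shadow = self._snapshot()
            return True
        return False
```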





Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496