DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 9 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 9 recites the limitations "the predefined offset" and “the operating system timeout” in lines 1-2.  There is insufficient antecedent basis for these limitations in the claim. For prior art rejection purposes, claim 9 is considered as being dependent upon claim 8.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 13-14, 17 and 20-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mooney (“SANTA LEAVES THE KERNEL: A MACOS ENDPOINT SECURITY INTRODUCTION AND CASE STUDY”).
Regarding claim 13, Mooney discloses a system comprising: 
	at least one computing device (i.e., a computing device running macOS) (page 2, Intro); 
	a security service executable by the at least one computing device (i.e., The Endpoint Security API can be used for “Endpoint Detection and Response software and antivirus software”, page 4; Endpoint Security client, page 7); and 
	a system extension in communication with the security service and executable by the at least one computing device (page 7, The New Santa System Extension), the system extension being configured to: 
		subscribe with an operating system executed by the at least one computing device for at least one event type (i.e., And then Santa can subscribe to certain types of events) (page 7); 
		receive an event notification comprising metadata associated with an event, the event corresponding to one of the at least one event type (i.e., The callback will receive all messages that the Endpoint Security client has subscribed to…The event is a union of types specific to each kind of event…a process fork event provides the process identifier of the new child process as the union member fork…A message can be an authorization request.) (pages 7-8); 
	send the event notification to the security service (i.e., the callback takes two arguments: a pointer to the client and a pointer to the message, page 7; Endpoint Security clients must respond to all authorization actions, page 8); 
	receive data indicating whether to allow the event (i.e., ES_ACTION_TYPE_AUTH actions can be allowed or denied by an Endpoint Security client… Endpoint Security clients must respond to all authorization actions) (page 8); 
	instruct the operating system whether to allow the event based on the data indicating whether to allow the event (i.e., instructing the kernel to deny or allow execution of a file, page 6; This system extension serves the same purpose as the kernel module, but does its job fully outside the kernel, page 7).
Regarding claim 14, Mooney further discloses that the security service is configured to apply a policy comprising a plurality of rules to the event notification (i.e., binaries to be executed are processed by the Santa daemon, including checking the hash of the binary and the certificate with which the binary is signed against the allowlist) (page 8).
Regarding claim 17, Mooney discloses a system comprising:
	at least one computing device (i.e., a computing device running macOS) (page 2, Intro); 
	a security service executable by the at least one computing device (i.e., The Endpoint Security API can be used for “Endpoint Detection and Response software and antivirus software”, page 4; Endpoint Security client, page 7); and 
	a system extension in communication with the security service and executable by the at least one computing device, the system extension being configured to: 
		subscribe with an operating system executed by the at least one computing device for a plurality of event types with the operating system (i.e., And then Santa can subscribe to certain types of events) (page 7); 
		receive a plurality of event notifications from the operating system, wherein each of the plurality of event notifications comprises respective metadata associated with a respective event, each respective event corresponding to one of the plurality of event types (i.e., The callback will receive all messages that the Endpoint Security client has subscribed to…The event is a union of types specific to each kind of event…a process fork event provides the process identifier of the new child process as the union member fork…A message can be an authorization request.) (pages 7-8); 
		process a first event notification from the plurality of event notifications by: 
			sending the first event notification to the security service (i.e., the callback takes two arguments: a pointer to the client and a pointer to the message, page 7; Endpoint Security clients must respond to all authorization actions, page 8); 
			receiving data indicating whether to allow the respective event associated with the first event notification (i.e., ES_ACTION_TYPE_AUTH actions can be allowed or denied by an Endpoint Security client… Endpoint Security clients must respond to all authorization actions) (page 8); and 
			instructing the operating system whether to allow the respective event associated with the first event notification based on the data indicating whether to allow the respective event (i.e., instructing the kernel to deny or allow execution of a file, page 6; This system extension serves the same purpose as the kernel module, but does its job fully outside the kernel, page 7).
Regarding claim 20, Mooney further discloses that subscribing with the operating system comprises registering with an endpoint security application programming interface (API) for notifications (i.e., The Santa system extension makes use of the new Endpoint Security API…And then Santa can subscribe to certain types of events) (page 7).
Regarding claim 21, Mooney further discloses that the notifications registered with the endpoint security API comprise an ES_EVENT_TYPE_AUTH_OPEN event type (page 8) and an ES_EVENT_TYPE_AUTH_EXEC event type (page 7).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-9 and 12 are rejected under 35 U.S.C. 102(a)(1) as anticipated by or, in the alternative, under 35 U.S.C. 103 as obvious over Mooney in view of Fuh et al. (US 6,463,474 B1).
Regarding claim 1, Mooney discloses a method comprising: 
	subscribing, via a system extension executed by at least one computing device (page 7, The New Santa System Extension), for at least one event type with an operating system (i.e., And then Santa can subscribe to certain types of events) (page 7); 
	receiving, via the system extension, an event notification comprising metadata associated with an event, the event corresponding to one of the at least one event type (i.e., The callback will receive all messages that the Endpoint Security client has subscribed to…The event is a union of types specific to each kind of event…a process fork event provides the process identifier of the new child process as the union member fork…A message can be an authorization request.) (pages 7-8); 
	applying a policy comprising a plurality of rules to the event notification (i.e., binaries to be executed are processed by the Santa daemon, including checking the hash of the binary and the certificate with which the binary is signed against the allowlist) (page 8); 
	determining whether to allow the event according to the plurality of rules (i.e., ES_ACTION_TYPE_AUTH actions can be allowed or denied by an Endpoint Security client… Endpoint Security clients must respond to all authorization actions) (page 8); 
	instructing, via the system extension, the operating system whether to allow the event based on the determination (i.e., instructing the kernel to deny or allow execution of a file, page 6; This system extension serves the same purpose as the kernel module, but does its job fully outside the kernel, page 7).
	Mooney discloses applying a policy comprising a plurality of rules to the event notification (i.e., binaries to be executed are processed by the Santa daemon, including checking the hash of the binary and the certificate with which the binary is signed against the allowlist) (page 8); and determining, via the system extension, whether to allow the event according to the plurality of rules (i.e., ES_ACTION_TYPE_AUTH actions can be allowed or denied by an Endpoint Security client… Endpoint Security clients must respond to all authorization actions) (page 8). Mooney does not explicitly disclose that the system extension performs those two steps; however, this feature is deemed inherent because Mooney discloses that the system extension caches decisions received from the Endpoint Security client (page 4, last line). Alternatively, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mooney’s method to use cached decisions, as taught by Fuh (Fig. 4, elements 432, 434, 436; col. 12, lines 38-56). The motivation for doing so would have been to provide a significant advantage and improvement in authentication speed and efficiency.
Regarding claim 2, Mooney further discloses generating, via the system extension, a copy of the event notification; transmitting, via the system extension, the copy of the event notification to a security service (i.e., the callback takes two arguments: a pointer to the client and a pointer to the message) (page 7).
Regarding claim 3, Mooney further discloses that the system extension is at least one of: a software application with a system extension application type or a software application with access to the endpoint security application programming interface (API) (page 7, The New Santa System Extension).
Regarding claim 4, Mooney further discloses subsequent to instructing the operating system to deny the event, generating a command to kill a process corresponding to the event (inherent feature when the process requesting execution of binaries is denied).
Regarding claim 5, Mooney further discloses that applying the policy comprises: sending, via the system extension, the event notification with the metadata to a security service (i.e., the callback takes two arguments: a pointer to the client and a pointer to the message) (page 7); Attorney Docket No.: 23841-136843applying, via the security service, the policy to determine a result (i.e., binaries to be executed are processed by the Santa daemon, including checking the hash of the binary and the certificate with which the binary is signed against the allowlist) (page 8); and receiving, via the system extension, the result from the security service (i.e., ES_ACTION_TYPE_AUTH actions can be allowed or denied by an Endpoint Security client… Endpoint Security clients must respond to all authorization actions) (page 8).
Regarding claim 6, Mooney further discloses that the security service is a daemon (i.e., binaries to be executed are processed by the Santa daemon) (page 8) and the system extension and the security service are configured to communicate via interprocess communication (i.e., the callback takes two arguments: a pointer to the client and a pointer to the message, page 7; The callback registered with the call to es_new_client is responsible for sending the event information to the rest of the Santa subsystem, and a result is ultimately communicated back to the System Extensions subsystem, page 8).
Regarding claim 7, Mooney further discloses determining, via the system extension, that a predefined time threshold from receipt of the event notification has been exceeded; and instructing the operating system to deny the event based on the predefined time threshold being exceeded (i.e., Santa addresses this issue by setting a timer to issue a “deny” response two seconds before the deadline for each authorization action in case the Santa daemon fails to issue a response) (page 8).
Regarding claim 8, Mooney further discloses that the predefined time threshold is equal to an operating system timeout corresponding to the event notification minus a predefined offset (i.e., Santa addresses this issue by setting a timer to issue a “deny” response two seconds before the deadline for each authorization action in case the Santa daemon fails to issue a response) (page 8).
Regarding claim 9, Mooney further discloses that the predefined offset of 2 seconds is about 3.3% of the operating system timeout (i.e., 2 seconds/60 seconds). Whereas Mooney does not disclose that the predefined offset is about 5% of the operating system timeout as claimed, the difference is a matter of design choice. Since Mooney’s system extension needs two seconds to return a notification result to the operating system without exceeding the time limit, one of ordinary skill in the art would have expected Mooney’s system extension to perform the same function successfully with one extra second. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined method of Mooney and Fuh to increase the predefined offset from two seconds to three seconds with a reasonable expectation of success. 
Regarding claim 12, Mooney further discloses that the at least one event type comprises an open event and an execution event (i.e., binaries to be executed are processed by the Santa daemon…ES_ACTION_TYPE_AUTH actions can be allowed or denied by an Endpoint Security client) (page 8).
Claims 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Mooney in view of Fuh as applied to claim 1 above, and further in view of Angel et al. (US 2015/0135253 A1).
Regarding claims 10-11, Mooney and Fuh further disclose receiving, via the system extension, a second event notification comprising second metadata associated with a second event; determining, via the system extension, that the second event corresponds to an allowed/denied event in a list (i.e., cached decisions) according to the second metadata; and instructing, via the system extension, the operating system to allow/deny the second event in response to the second event corresponding to the allowed/denied event (Mooney – page 4, last line, page 8; Fuh - Fig. 4, elements 432, 434, 436; col. 12, lines 38-56). Mooney and Fuh do not disclose separating the cached decisions into a whitelist (i.e., list of allowed events) and a blacklist (i.e., list of denied events). Angel discloses that separating allowed and denied events into a whitelist and a blacklist is one of two possible solutions for storing such events (i.e., the other solution is maintaining a single list) (para. [0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined method of Mooney and Fuh to separate the cached decisions into a whitelist (i.e., list of allowed events) and a blacklist (i.e., list of denied events), as taught by Angel, with a reasonable expectation of success.  
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Mooney as applied to claim 17 above, and further in view of (“Microsoft Computer Dictionary”) (hereinafter MCD). Regarding claim 18, Mooney does not disclose utilizing a queue to store the notifications and to process them from the queue. MCD discloses utilizing a queue to store elements to be process in the same order in which they are inserted (page 433). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mooney’s system to utilize a queue to store the event notifications and to process them from the queue, as taught by MCD.  The motivation for doing so would have been to allow for processing the notifications in a first in, first out (FIFO) order.
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Mooney as applied to claim 17 above, and further in view of Fuh and Angel. 
Regarding claim 19, Mooney does not explicitly disclose that the system extension, upon receiving each particular event notification of the plurality of event notification, determines whether a list comprises the particular event notification; and, in response to the event notification not being in the list, send the particular event notification to the security service; however, this feature is deemed inherent because Mooney discloses that the system extension caches decisions received from the Endpoint Security client (page 4, last line). Alternatively, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mooney’s method to use cached decisions, as taught by Fuh (Fig. 4, elements 432, 434, 436; col. 12, lines 38-56). The motivation for doing so would have been to provide a significant advantage and improvement in authentication speed and efficiency.
	Mooney and Fuh do not disclose separating the cached decisions into a whitelist (i.e., list of allowed events) and a blacklist (i.e., list of denied events). Angel discloses that separating allowed and denied events into a whitelist and a blacklist is one of two possible solutions for storing such events (i.e., the other solution is maintaining a single list) (para. [0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Mooney further to separate the cached decisions into a whitelist (i.e., list of allowed events) and a blacklist (i.e., list of denied events), as taught by Angel, with a reasonable expectation of success.
Allowable Subject Matter
Claims 15-16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter. The prior art of record fails to teach: (i) “wherein the system extension is further configured to: receive a second event notification comprising second metadata associated with a second event; send the second event notification to the security service; receive second data indicating to allow the second event; 31PATENTAttorney Docket No.: 23841-136843determine that a modification has occurred to an application associated with the second event notification subsequent to receiving the second event notification; and instruct the operating system to deny the event based on the modification” (Claim 15); and “wherein the system extension is further configured to: receive a second event notification comprising second metadata associated with a second event; determine that a passive mode applies to the second event notification based at least in part on the second metadata; and generate an audit log corresponding to the result of the second event notification” (Claim 16).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH DINH whose telephone number is (571)272-3802. The examiner can normally be reached Mon-Fri: 9 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MINH DINH/Primary Examiner, Art Unit 2432