DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1. This action is responsive to the communication filed on July 30, 2020. At this time, claims 1-20 are pending and addressed below.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 13-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
As to claim 13, each element of the claim can reasonably be interpreted as software. Absent a definition in the specification, a reasonable interpretation of virtual machine, classifier and compiler is just a software routine. This claim fails to fall into a statutory category of invention as software alone is not a machine, a manufacture, a process nor a composition of matter.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-7, 8, 13, 14-16, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Summerlin, US Pat. No. 20210365556 in view of Grytsan, US20140237596.

Claims 1, 13 and 18. Summerlin discloses a method (See abstract; obtaining a malware sample; extracting operational parameters corresponding to the malware sample; configuring an emulator application corresponding to the malware sample using the operational parameters) comprising:
running a virtual machine with an operating system configured with a monitoring subsystem, (See [0018]; The output generated at the virtual machine via execution of the malware sample can be processed to detect portions of that output likely to indicate the presence of the malware. Those portions may be distinguished, for example, from benign activity performed by the malware to obfuscate its presence. IOCs may be generated and deployed to detection applications based on the above-mentioned portions.) the monitoring subsystem configured to generate event data based on a plurality of events occurring on the virtual machine; (See [0023]; the system 116 also includes a repository 208 configured to receive data (e.g. files, memory dumps, status reports from other system components, and the like) and events from each of the other components of the system 116.)
running a classifier configured to detect a malware based on the plurality of events; (See [0017]; Malware detection applications (e.g. antivirus applications and the like) may be installed on client devices 104 or associated devices to detect malware such as the application 108, either to prevent infection by malware or detect and remove malware after infection. To detect malware, such detection applications may be configured to analyze data and activity at the client device 104, such as the contents of files stored at the client device, network traffic between the client device 104 and the network 100, and the like.)
running a sample on the virtual machine, the classifier detecting the malware in the sample; (See [0018]; The process of identifying IOCs that can be deployed to malware detection applications for use in protecting client devices may involve obtaining samples of malware applications such as the application 108 and executing such samples, e.g. in a sandbox environment such as a virtual machine. See also [0018]; the output generated at the virtual machine via execution of the malware sample can be processed to detect portions of that output likely to indicate the presence of the malware.)
Summerlin does not appear to explicitly disclose and running a countermeasure compiler that generates a countermeasure to the malware, the countermeasure based on the event data. 
However, Grytsan discloses and running a countermeasure compiler that generates a countermeasure to the malware, the countermeasure based on the event data. (See Grytsan, [0016]; Also, it is necessary to consider the fact that malware tries to counteract the restrictions imposed by HIPS. An example of such counter-measures is the splitting of malware actions between different processes. The only way to mitigate that measure is to merge the different threads and process histories into a single context to which the rules will be applied. If the rule is formed in an unsuccessful way (such as when it is statistically often occurring in non-malware) a false positive will occur. Other known counter-measures include discarding or compromising the program's history and damaging or compromising the list of rules.)
Summerlin and Grytsan are analogous art because they are from the same field of endeavor, which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Grytsan to include the countermeasure because it would have allowed for protecting a computer against the harmful effects of malicious software and more particularly to a system and method for detecting the presence of malicious software on a computer and to diffusing malicious software before it can operate to cause undesirable effects on the computer. (See Grytsan, [0005])
2. The combination of Summerlin and Grytsan discloses the method of claim 1 wherein the monitoring subsystem is run within a kernel of the operating system. (See Grytsan; [0043] and [0053])

3. The combination of Summerlin and Grytsan discloses the method of claim 1 wherein detecting the malware triggers generating the countermeasure. (See Grytsan, [0016]; Also, it is necessary to consider the fact that malware tries to counteract the restrictions imposed by HIPS. An example of such counter-measures is the splitting of malware actions between different processes. The only way to mitigate that measure is to merge the different threads and process histories into a single context to which the rules will be applied. If the rule is formed in an unsuccessful way (such as when it is statistically often occurring in non-malware) a false positive will occur. Other known counter-measures include discarding or compromising the program's history and damaging or compromising the list of rules.)
Summerlin and Grytsan are analogous art because they are from the same field of endeavor, which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Grytsan to include the countermeasure because it would have allowed for protecting a computer against the harmful effects of malicious software and more particularly to a system and method for detecting the presence of malicious software on a computer and to diffusing malicious software before it can operate to cause undesirable effects on the computer. (See Grytsan, [0005])
4. The combination of Summerlin and Grytsan discloses the method of claim 1 wherein the countermeasure compiler is configured to generate a resource data section and wherein the countermeasure includes a precompiled template populated with the resource data section. (See Summerlin, [0056])

6. The combination of Summerlin and Grytsan discloses the method of claim 1, the classifier configured to detect the malware based on the sample terminating a process monitored by the monitoring subsystem and that is not associated with the sample. (See [0055-0056])

7. The combination of Summerlin and Grytsan discloses the method of claim 1, the monitoring subsystem configured to monitor a process, and the classifier configured to: detect the malware based on a type of access to the process requested by the sample, and detect the malware based on an identity of the process accessed by the sample. (See [0036] and [0055-0057])

8. The combination of Summerlin and Grytsan discloses the method of claim 1, the monitoring subsystem configured to monitor an operating system registry, and the classifier configured to: detect the malware based on the sample modifying or deleting a registry entry that the sample did not create. (See [0057])
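The limitations of claims 4, 6, 7 and 8 describe an event-driven classifier followed by a template-based countermeasure compiler. The following Python is an added illustration of those limitations as a defender would implement them; it is not code from the present application or from any cited reference. The event schema, the field names, the set of protected process images and the countermeasure template format are all assumptions constructed for this example, and the event stream is constructed sample data.

```python
"""Event-driven malware classifier plus template-based countermeasure generation.

Illustrates the claim limitations discussed above:
  claim 6: sample terminates a monitored process that is not associated with it
  claim 7: type of access requested on a process, and identity of that process
  claim 8: sample modifies or deletes a registry entry it did not create
  claim 4: compiler emits a resource data section and populates a precompiled template
All names, thresholds and sample events are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    """One record from the (hypothetical) monitoring subsystem; schema is an assumption."""
    kind: str                          # process_terminate | process_access | registry_create | registry_set | registry_delete
    actor_pid: int                     # process that performed the action
    target_pid: Optional[int] = None
    access: Optional[str] = None       # e.g. "read", "write", "inject"
    target_image: Optional[str] = None
    reg_key: Optional[str] = None


@dataclass(frozen=True)
class Detection:
    rule: str
    event: Event


# Assumed lists of sensitive process identities and access types (claim 7).
SENSITIVE_IMAGES = {"lsass.exe", "winlogon.exe", "csrss.exe"}
SENSITIVE_ACCESS = {"write", "inject"}


def classify(events: List[Event], sample_pids: Set[int]) -> List[Detection]:
    """Apply the claim 6-8 heuristics to an event stream; only the sample's own actions count."""
    detections: List[Detection] = []
    created_keys: Set[str] = set()   # registry keys the sample created itself (needed for claim 8)
    for ev in events:
        if ev.actor_pid not in sample_pids:
            continue
        if ev.kind == "registry_create":
            created_keys.add(ev.reg_key)
        elif ev.kind == "process_terminate" and ev.target_pid not in sample_pids:
            detections.append(Detection("terminate_foreign_process", ev))          # claim 6
        elif ev.kind == "process_access":
            if ev.access in SENSITIVE_ACCESS:
                detections.append(Detection("sensitive_access_type", ev))          # claim 7, access type
            if ev.target_image in SENSITIVE_IMAGES:
                detections.append(Detection("sensitive_process_identity", ev))     # claim 7, identity
        elif ev.kind in ("registry_set", "registry_delete") and ev.reg_key not in created_keys:
            detections.append(Detection("modify_foreign_registry_entry", ev))     # claim 8
    return detections


def build_resource_section(detections: List[Detection]) -> Dict[str, List[str]]:
    """Resource data section (claim 4): per rule, the distinct concrete indicators observed."""
    section: Dict[str, List[str]] = {}
    for d in detections:
        indicator = d.event.reg_key or d.event.target_image or str(d.event.target_pid)
        bucket = section.setdefault(d.rule, [])
        if indicator not in bucket:
            bucket.append(indicator)
    return section


# Precompiled countermeasure template; the "alert <rule> <indicator>" grammar is an assumption.
COUNTERMEASURE_TEMPLATE = "# countermeasure for sample {sample_id}\n{body}\n"


def compile_countermeasure(sample_id: str, detections: List[Detection]) -> str:
    """Populate the precompiled template with the resource data section (claim 4)."""
    section = build_resource_section(detections)
    lines = [f"alert {rule} {ind}" for rule, inds in sorted(section.items()) for ind in inds]
    return COUNTERMEASURE_TEMPLATE.format(sample_id=sample_id, body="\n".join(lines))


# Constructed event stream: the sample runs as pid 4242.
SAMPLE_PIDS = {4242}
SAMPLE_EVENTS = [
    Event("registry_create", 4242, reg_key=r"HKCU\Software\Sample\Run"),
    Event("registry_set", 4242, reg_key=r"HKCU\Software\Sample\Run"),            # own key: not flagged
    Event("registry_delete", 4242, reg_key=r"HKLM\SOFTWARE\Vendor\AV\Enabled"),  # foreign key: flagged
    Event("process_access", 4242, target_pid=700, access="read", target_image="explorer.exe"),  # benign
    Event("process_access", 4242, target_pid=612, access="inject", target_image="lsass.exe"),   # two rules fire
    Event("process_terminate", 4242, target_pid=900, target_image="avservice.exe"),             # flagged
    Event("process_terminate", 1, target_pid=4242),                              # not the sample: ignored
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS, SAMPLE_PIDS)
    for d in found:
        print(d.rule, d.event)
    print(compile_countermeasure("sample-001", found))
```

The classifier keeps per-sample state (the keys the sample created) because claim 8 distinguishes the sample's own registry entries from foreign ones; without that state a persistence key the sample writes and then updates would be indistinguishable from tampering with another product's configuration. The compiler keeps the template and the data separate, so the same template can be populated from any sample's resource section.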
14. The combination of Summerlin and Grytsan discloses the system of claim 13 wherein the classifier is configured to use an event data object in transient memory and based on the plurality of events to detect the malware based on at least two of the plurality of events. (See Summerlin, [0017]; Malware detection applications (e.g. antivirus applications and the like) may be installed on client devices 104 or associated devices to detect malware such as the application 108, either to prevent infection by malware or detect and remove malware after infection. To detect malware, such detection applications may be configured to analyze data and activity at the client device 104, such as the contents of files stored at the client device, network traffic between the client device 104 and the network 100, and the like.) 

15. The combination of Summerlin and Grytsan discloses the system of claim 13 wherein the monitoring subsystem and the classifier are run within a kernel of the operating system. (See Grytsan; [0043] and [0053])

16. The combination of Summerlin and Grytsan discloses the system of claim 13 wherein generating the countermeasure is triggered by detecting the malware. (See Grytsan, [0016]; Also, it is necessary to consider the fact that malware tries to counteract the restrictions imposed by HIPS. An example of such counter-measures is the splitting of malware actions between different processes. The only way to mitigate that measure is to merge the different threads and process histories into a single context to which the rules will be applied. If the rule is formed in an unsuccessful way (such as when it is statistically often occurring in non-malware) a false positive will occur. Other known counter-measures include discarding or compromising the program's history and damaging or compromising the list of rules.)
Summerlin and Grytsan are analogous art because they are from the same field of endeavor, which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Grytsan to include the countermeasure because it would have allowed for protecting a computer against the harmful effects of malicious software and more particularly to a system and method for detecting the presence of malicious software on a computer and to diffusing malicious software before it can operate to cause undesirable effects on the computer. (See Grytsan, [0005])
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Summerlin, US Pat. No. 20210365556 in view of Grytsan, US20140237596 in further view of Cohen, US Pat. No. 20070283434.
5. The combination of Summerlin and Grytsan does not disclose the method of claim 1, the classifier configured to: detect the malware based on the sample modifying a tripwire file monitored by the monitoring subsystem, and detect the malware based on the sample modifying a system file monitored by the monitoring subsystem.
However, Cohen discloses detecting the malware based on the sample modifying a tripwire file monitored by the monitoring subsystem, and detecting the malware based on the sample modifying a system file monitored by the monitoring subsystem. (See Cohen, [0101])
Summerlin, Grytsan and Cohen are analogous art because they are from the same field of endeavor, which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin and Grytsan with the teaching of Cohen to include the tripwire file because it would have allowed protection of a set of files.

Claims 9-11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Summerlin, US Pat. No. 20210365556 in view of Grytsan, US20140237596 in further view of Compton, US Pat. No. 20210112091.

9. The combination of Summerlin and Grytsan does not appear to explicitly disclose the method of claim 1, wherein the countermeasure is configured to: run on a computer, and detect the malware on the computer. 
However, Compton discloses running on a computer, and detecting the malware on the computer. (See Compton, [0026])
Summerlin, Grytsan and Compton are analogous art because they are from the same field of endeavor, which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin and Grytsan with the teaching of Compton to include the detection system because it would have allowed protecting the system from unauthorized users.
10. The combination of Summerlin and Grytsan does not appear to explicitly disclose the method of claim 1, wherein the countermeasure is configured to: run on a computer, and remove the malware from the computer.
However, Compton discloses running on a computer, and removing the malware from the computer. (See Compton, [0026])
Summerlin, Grytsan and Compton are analogous art because they are from the same field of endeavor, which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin and Grytsan with the teaching of Compton to include the detection system because it would have allowed protecting the system from unauthorized users.
 
11. The combination of Summerlin and Grytsan does not appear to explicitly disclose the method of claim 1, wherein the countermeasure is configured to: run on a computer, and prevent the computer from running a malware process. 
However, Compton discloses running on a computer, and preventing the computer from running a malware process. (See Compton, [0041])
Summerlin, Grytsan and Compton are analogous art because they are from the same field of endeavor, which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin and Grytsan with the teaching of Compton to include the detection system because it would have allowed protecting the system from unauthorized users.

17. The combination of Summerlin and Grytsan does not appear to explicitly disclose the system of claim 13 wherein the countermeasure is configured to: run on a computer, detect the malware on the computer, remove the malware from the computer, and prevent the computer from running a malware process. 
However, Compton discloses running on a computer, detecting the malware on the computer, removing the malware from the computer, and preventing the computer from running a malware process. (See Compton, [0026] and [0041])
 
20. The combination of Summerlin and Grytsan does not appear to explicitly disclose the non-transitory computer readable medium storing computer readable instructions of claim 18, wherein the countermeasure is stored on a second non-transitory computer readable medium storing additional computer readable instructions, that when executed by a computer, implement a countermeasure method comprising: detecting the malware on the computer, and removing the malware from the computer. 
However, Compton discloses wherein the countermeasure is stored on a second non-transitory computer readable medium storing additional computer readable instructions, that when executed by a computer, implement a countermeasure method comprising: detecting the malware on the computer, and removing the malware from the computer. (See Compton, [0026] and [0041]) 
Allowable Subject Matter
Claims 12 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US9916440, titled "Detection efficacy of virtual machine-based analysis with application specific events"
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
Date: 6/28/2022
/JOSNEL JEUDY/Primary Examiner, Art Unit 2438