Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Amendment filed on 07/07/2020 has been acknowledged. Claims 1-20 are currently pending and have been considered below. Claim 1, 11 and 15 are independent claim. Claim 1, 11 and 15-16 have been amended. No claim is added new.

Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 07/07/2022 is in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Remarks and Response
Applicant’s arguments filed in the amendments on 07/07/2022 have been fully considered but they are not persuasive. The reasons set forth below.

Response to Arguments
On pages 21 of the remarks, applicant argued that specification [0013] says a propagation signal by itself does not qualify as storage media.
Examiner respectfully disagrees. Claim 11 recites “computer readable storage device” not “computer readable storage media”. [0013] defines computer readable storage media. If applicant believes that “device” and “media” are interchangeable, then examiner suggests to put “media” instead of “device” in the claim because specification has clear definition of media.

On pages 21 of the remarks, applicant argued that claim 11-14 are expressly directed at computer readable storage devices. A storage device is a “device” which means it includes hardware and thus is not merely transitory.
Examiner respectfully disagrees. The claim can not recite “device” without reciting any component or structure. The preamble recites “device” but the device cannot be implemented in software or tangible component. If the device/apparatus/system is considered a machine, then the machine needs to be consisted of some concrete part or structure which is absent in the claim. See MPEP § 2106. So 101 rejection is maintained.

On pages 22 of the remarks, applicant argued that Egilmez [0025] mentions “a link” only once, and the other cited paragraphs and Fig-1 do not mention any link at all. Applicant then mentioned the definition of delegated access link in applicant’s specification [0024].
Examiner respectfully disagrees. Examiner examines the limitation that is recited in the claim not the limitation that is recited in the specification. The delegated access link is not defined in the claim. Claim 1 simply recites “receive an application via a delegated access link”. Egilmez, Fig-1, ¶[0025], computing device 102 may transmit a message 104 with an item that may pose a potential threat (an attachment, an embedded object, a link) to another recipient 118. Here e-mail attachment is mapped to delegated access link. Claim 1 does not recite that delegated access link to access to third party without sharing credentials. Thus cited reference does not require to teach that part of the delegated access link.

On pages 22 of the remarks, applicant argued regarding claim 2-4 and 18 that Egilmez [0028] does not mention “identity service”.
Examiner respectfully disagrees. Egilmez, ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218. If the attachment is safe, it may be reattached through synchronization with recipient’s mailbox maintained by the e-mail service. Here email service 208 is mapped to identity service.

For the entire above reasons examiner maintains the rejection.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

The claimed invention is not directed to patent eligible subject matter.  Based upon consideration of all of the relevant factors with respect to the claim as a whole, claims 11-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claims 11 recites “a computer readable storage device storing a program” is directed to non-statutory subject matter. The claims fall outside the scope of patent-eligible subject matter at least because the claimed memory storing computer executable instructions in light of the supporting disclosure is broad enough to encompass transitory embodiments. 
 (See MPEP 2106-2106.01) Non-limiting examples of claims that are not directed to one of the statutory categories:
i. transitory forms of signal transmission (for example, a propagating electrical or electromagnetic signal per se), In re Nuijten, 500 F.3d 1346, 1357, 84 USPQ2d 1495, ___ (Fed. Cir. 2007);
vi. a computer program per se, Gottschalk v. Benson, 409 U.S. at 72.
A claim that covers both statutory and non-statutory embodiments (under the broadest reasonable interpretation of the claim when read in light of the specification and in view of one skilled in the art) embraces subject matter that is not eligible for patent protection and therefore is directed to non-statutory subject matter.
Claim 12-14 are dependent claims dependent on claim 11 and have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore they are rejected based on the same rationale as applied to the parent claim 11 above.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Egilmez (US Patent Application Publication No. 2017/0034091 A1) in view of Naamneh (US Patent No. 11,204,992 B1). 

Regarding Claim 1, Egilmez discloses a method, comprising: 
receive an application via a delegated access link provided to a user (Egilmez, Fig-1, ¶[0025], an email service executed on server may facilitate the exchange of email messages and provide threat protection functionality. ¶[0026], threat protection module may separate the attachment from the message. ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218);
determine a verdict on the delegated access link (Egilmez, ¶[0028], upon separation of the message from the attachment at the threat protection module, the attachment is assessed for threats at the threat protection module); 
if the verdict on the delegated access link is unknown (Egilmez, ¶[0031], message may be routed to a categorizer or malware agent at an email service hub. ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received): 
monitor activities of the application (Egilmez, ¶[0031]- ¶[0033], message may be routed to a categorizer or malware agent at an email service hub. The forked message may be submitted to a safe attachment routing agent. Malware assessment configuration may be stored in a policy object called safe attachment policy which may include the safe attachment policy and safe attachment rules); and 
assign a verdict on the delegated access link based on whether monitored activities include suspicious activities (Egilmez, ¶[0031], message may be routed to a categorizer or malware agent at an email service hub. ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received).
Egilmez does not explicitly teach the following limitation that Naamneh teaches:
open the application in a laboratory user based on the user (Naamneh, col 7, line 15-20, a proxy container receives the API call determined to be incompatible. Col 8, line 30-40, security module may analyze malicious code in sandbox to observe its behavior and utilize the observations to determine and enhance threat protection measures associated with protecting computing devices against infection when malware containing malicious code is executed outside of sandbox), and 
Egilmez in view of Naamneh are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “malicious code and application programming interface”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Egilmez in view of Naamneh to include the idea of malware analysis for successful execution of malicious code in a testing environment for observing malware behavior. This may improve the robustness of malware analysis systems by observing the behavior of poorly written malicious code that would otherwise be missed utilizing conventional means.

Regarding Claim 2, Egilmez in view of Naamneh discloses the method of claim 1 wherein the user includes a user of an identity service (Egilmez, ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218. If the attachment is safe, it may be reattached through synchronization with recipient’s mailbox maintained by the e-mail service).

Regarding Claim 3, Egilmez in view of Naamneh discloses the method of claim 2 wherein the laboratory user is created in the identity service (Naamneh, col 7, line 15-20, a proxy container receives the API call determined to be incompatible. Col 8, line 30-40, security module may analyze malicious code in sandbox to observe its behavior and utilize the observations to determine and enhance threat protection measures associated with protecting computing devices against infection when malware containing malicious code is executed outside of sandbox. Also Egilmez, ¶[0031], message may be routed to a categorizer or malware agent at an email service hub).
 
Regarding Claim 4, Egilmez in view of Naamneh discloses the method of claim 2 wherein the identity service is a delegated access provider (Egilmez, ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218. If the attachment is safe, it may be reattached through synchronization with recipient’s mailbox maintained by the e-mail service). 

Regarding Claim 5, Egilmez in view of Naamneh discloses the method of claim 4 wherein the user has a client account with the delegated access provider (Egilmez, ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218. If the attachment is safe, it may be reattached through synchronization with recipient’s mailbox maintained by the e-mail service). 

Regarding Claim 6, Egilmez in view of Naamneh discloses the method of claim 1 wherein verdicts on the delegated access link include prohibit access to link and unknown (Egilmez, ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received). 

Regarding Claim 7, Egilmez in view of Naamneh discloses the method of claim 6 wherein the verdicts on the delegated access link further include permit access to link (Egilmez, ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received). 

Regarding Claim 8, Egilmez in view of Naamneh discloses the method of claim 1 wherein the delegated access link includes authorization protocols or authentication protocols (Naamneh, col 16, line 5-10, the term “endpoint security” may refer to the protection of endpoint systems from unauthorized or illegitimate use. Endpoint protection may include user authentication system).

Regarding Claim 9, Egilmez in view of Naamneh discloses the method of claim 1 wherein suspicious activities are determined via a security policy (Egilmez, ¶[0033], malware assessment may be stored in a policy object called safe attachment policy).
 
Regarding Claim 10, Egilmez in view of Naamneh discloses the method of claim 9 wherein suspicious activities are determined via a rights management policy (Naamneh, upon denial of access request, proxy container may be dynamically created in compatibility layer for providing any necessary access rights). 

Regarding Claim 11, Egilmez discloses a computer readable storage device to store computer executable instructions to control a processor to: 
receive an application via a delegated access link provided to a user (Egilmez, Fig-1, ¶[0025], an email service executed on server may facilitate the exchange of email messages and provide threat protection functionality. ¶[0026], threat protection module may separate the attachment from the message. ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218); 
determine a verdict on the delegated access link (Egilmez, ¶[0028], upon separation of the message from the attachment at the threat protection module, the attachment is assessed for threats at the threat protection module); 
if the verdict on the delegated access link is unknown (Egilmez, ¶[0031], message may be routed to a categorizer or malware agent at an email service hub. ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received): 
monitor activities of the application (Egilmez, ¶[0031]- ¶[0033], message may be routed to a categorizer or malware agent at an email service hub. The forked message may be submitted to a safe attachment routing agent. Malware assessment configuration may be stored in a policy object called safe attachment policy which may include the safe attachment policy and safe attachment rules); and 
assign a verdict on the delegated access link based on whether monitored activities include suspicious activities (Egilmez, ¶[0031], message may be routed to a categorizer or malware agent at an email service hub. ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received).
Egilmez does not explicitly teach the following limitation that Naamneh teaches:
open the application in a laboratory user based on the user (Naamneh, col 7, line 15-20, a proxy container receives the API call determined to be incompatible. Col 8, line 30-40, security module may analyze malicious code in sandbox to observe its behavior and utilize the observations to determine and enhance threat protection measures associated with protecting computing devices against infection when malware containing malicious code is executed outside of sandbox).
Egilmez in view of Naamneh are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “malicious code and application programming interface”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Egilmez in view of Naamneh to include the idea of malware analysis for successful execution of malicious code in a testing environment for observing malware behavior. This may improve the robustness of malware analysis systems by observing the behavior of poorly written malicious code that would otherwise be missed utilizing conventional means.

Regarding Claim 12, Egilmez in view of Naamneh discloses the computer readable storage device of claim 11 wherein the delegated access link is provided to the user via an electronic communication (Egilmez, ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218. If the attachment is safe, it may be reattached through synchronization with recipient’s mailbox maintained by the e-mail service).

Regarding Claim 13, Egilmez in view of Naamneh discloses the computer readable storage device of claim 11 wherein the verdict is selected from a prohibit access to the link verdict that will not permit authorization of the delegated access link, a permit access to the link verdict that will provide authorization, and an unknown verdict (Egilmez, ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received). 

Regarding Claim 14, Egilmez in view of Naamneh discloses the computer readable storage device of claim 11 wherein activities are monitored based on a security policy (Egilmez, ¶[0033], malware assessment may be stored in a policy object called safe attachment policy). 

Regarding Claim 15, Egilmez discloses a system, comprising: 
a memory device to store a set of instructions (Egilmez, Fig-1); and 
a processor to execute the set of instructions to (Egilmez, Fig-1): 
receive an application via a delegated access link provided to a user (Egilmez, Fig-1, ¶[0025], an email service executed on server may facilitate the exchange of email messages and provide threat protection functionality. ¶[0026], threat protection module may separate the attachment from the message. ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218);
determine a verdict on the delegated access link (Egilmez, ¶[0028], upon separation of the message from the attachment at the threat protection module, the attachment is assessed for threats at the threat protection module); 
if the verdict on the delegated access link is unknown (Egilmez, ¶[0031], message may be routed to a categorizer or malware agent at an email service hub. ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received): 
monitor activities of the application (Egilmez, ¶[0031]- ¶[0033], message may be routed to a categorizer or malware agent at an email service hub. The forked message may be submitted to a safe attachment routing agent. Malware assessment configuration may be stored in a policy object called safe attachment policy which may include the safe attachment policy and safe attachment rules); and 
assign a verdict on the delegated access link based on whether monitored activities include suspicious activities (Egilmez, ¶[0031], message may be routed to a categorizer or malware agent at an email service hub. ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received).
Egilmez does not explicitly teach the following limitation that Naamneh teaches:
open the application in a laboratory user based on the user (Naamneh, col 7, line 15-20, a proxy container receives the API call determined to be incompatible. Col 8, line 30-40, security module may analyze malicious code in sandbox to observe its behavior and utilize the observations to determine and enhance threat protection measures associated with protecting computing devices against infection when malware containing malicious code is executed outside of sandbox).
Egilmez in view of Naamneh are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “malicious code and application programming interface”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Egilmez in view of Naamneh to include the idea of malware analysis for successful execution of malicious code in a testing environment for observing malware behavior. This may improve the robustness of malware analysis systems by observing the behavior of poorly written malicious code that would otherwise be missed utilizing conventional means.

Regarding Claim 16, Egilmez in view of Naamneh discloses the system of claim 15 wherein the verdict is assigned to a database and the verdict is determined from the database (Egilmez, ¶[0028], communication device 202 may transmit a message with an item that may pose a potential threat to another communication application for recipient 218. If the attachment is safe, it may be reattached through synchronization with recipient’s mailbox maintained by the e-mail service). 

Regarding Claim 17, Egilmez in view of Naamneh discloses the system of claim 15 wherein the application opened in the laboratory user includes the application consented to by the laboratory user and the application is run (Egilmez, ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received).

Regarding Claim 18, Egilmez in view of Naamneh discloses the system of claim 15 wherein the user includes a client account in an enterprise identity service to provide delegated access to the application (Egilmez, ¶[0034], the safe attachment routing agent may submit messages to the threat assessment routing agent which may submit messages to the threat assessment module for scanning and defer until a verdict is received). 

Regarding Claim 19, Egilmez in view of Naamneh discloses the system of claim 15 wherein the activities are monitored with a cloud access security broker (Egilmez, ¶[0022], large scale of operations created by networked computing and cloud based services. Also Naamneh, col 14, line 45-60, cloud computing environment may provide various services and applications via the internet).

Regarding Claim 20, Egilmez in view of Naamneh discloses the system of claim 15 included in a cloud-based environment (Egilmez, ¶[0022], large scale of operations created by networked computing and cloud based services. Also Naamneh, col 14, line 45-60, cloud computing environment may provide various services and applications via the internet).

Conclusion
THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923.  The examiner can normally be reached on M-F (7:30 - 5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFRY PWU can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/WASIKA NIPA/           Primary Examiner, Art Unit 2433