DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is in response to the correspondence filed on 02/26/21.  Claims 1-18 are still pending and have been considered below.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 11 and 14 are rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Examiner notes that the instant claims depend upon themselves; thus, are not in proper dependent form.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 2, 4-10 and 12-18 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Fanton et al. (2006/0150256).
Claim 1:  Fanton et al. discloses a system, comprising:
a processor configured to:
receive an indication of an application to be installed on a local device(installed code modules process creation requests) [page 1, paragraph 0013 | page 8, paragraph 0085];
transmit a request to a remote server for information associated with the application(search global whitelist) [page 12, paragraphs 0115 & 0118-0120];
in response to the receipt of a report, from the remote server, comprising behaviors observed as being taken by an executing copy of the application in a virtualized environment(using behavior analysis in a sandbox to determine if requests should be granted) [page 9, paragraph 0092], implement, at the local device, a set of rules restricting behaviors of the application installed on the local device(control flow continues to “yes” or “no” path) [page 10, paragraphs 0097-0098]; and
a memory coupled to the processor and configured to provide the processor with instructions [page 8, paragraphs 0077-0078].
Claim 2:  Fanton et al. discloses the system of claim 1 wherein the processor is further configured to detect an attempt by the application to take an action that would violate the set of rules(monitor and deny any attempted execution of unapproved code modules) [page 7, paragraph 0069 | pages 9-10, paragraph 0095].
Claim 4:  Fanton et al. discloses the system of claim 2 wherein the processor is further configured to report the attempt to a user of the local device(notify user) [page 7, paragraph 0069 | pages 9-10, paragraph 0095].
Claim 5:  Fanton et al. discloses the system of claim 2 wherein the processor is further configured to report the attempt to the remote server(if request is denied or granted, associated information is recorded and transmitted) [page 10, paragraphs 0101-0102].
Claim 6:  Fanton et al. discloses the system of claim 5 wherein, in response to receiving the report, the remote server performs an evaluation of the application(determine whether or not to remove the unauthorized code from the system) [page 9, paragraphs 0090-0091].
Claim 7:  Fanton et al. discloses the system of claim 1 wherein the set of rules restricts the application to behaviors observed during an execution of the application in a virtualized environment(run options) [page 5, paragraph 0050 | page 6, paragraph 0058].
Claim 8:  Fanton et al. discloses the system of claim 1 wherein the remote server is configured to evaluate an updated version of the application in response to receiving an indication that the application has been updated(invalidate/remove entries for any particular files which have been modified/altered to preclude being authenticated based on the MRU cache; thus, requiring a recalculation/reevaluation of the content authenticator associated with the code module) [page 6, paragraph 0055 | page 7, paragraph 0066].
Claim 9:  Fanton et al. discloses a method, comprising:
receiving an indication of an application to be installed on a local device [page 1, paragraph 0013 | page 8, paragraph 0085];
transmitting a request to a remote server for information associated with the application [page 12, paragraphs 0115 & 0118-0120]; and
in response to the receipt of a report, from the remote server, comprising behaviors observed as being taken by an executing copy of the application in a virtualized environment, implementing [page 9, paragraph 0092], at the local device, a set of rules restricting behaviors of the application [page 10, paragraphs 0097-0098].
Claim 10:  Fanton et al. discloses the method of claim 10 further comprising detecting an attempt by the application to take an action that would violate the set of rules [page 7, paragraph 0069 | pages 9-10, paragraph 0095].
Claim 12:  Fanton et al. discloses the method of claim 11 further comprising reporting the attempt to a user of the local device [page 7, paragraph 0069 | pages 9-10, paragraph 0095].
Claim 13:  Fanton et al. discloses the method of claim 11 further comprising reporting the attempt to the remote server [page 10, paragraphs 0101-0102].
Claim 14:  Fanton et al. discloses the method of claim 14 wherein, in response to receiving the report, the remote server performs an evaluation of the application [page 9, paragraphs 0090-0091].
Claim 15:  Fanton et al. discloses the method of claim 10 wherein the set of rules restricts the application to behaviors observed during an execution of the application in a virtualized environment [page 5, paragraph 0050 | page 6, paragraph 0058].
Claim 16:  Fanton et al. discloses the method of claim 10 wherein the remote server is configured to evaluate an updated version of the application in response to receiving an indication that the application has been updated [page 6, paragraph 0055 | page 7, paragraph 0066].
Claim 17:  Fanton et al. discloses a system, comprising:
a processor configured to:
receive an indication of an application to be installed on a local device [page 1, paragraph 0013 | page 8, paragraph 0085];
transmit a request to a remote server for information associated with the application [page 12, paragraphs 0115 & 0118-0120];
in response to receiving an indication from the remote server that the application is determined to be malicious [page 9, paragraph 0092], prevent the installation of the application on the local device [page 10, paragraphs 0097-0098]; and
a memory coupled to the processor and configured to provide the processor with instructions [page 8, paragraphs 0077-0078].
Claim 18:  Fanton et al. discloses a method, comprising:
receiving an indication of an application to be installed on a local device [page 1, paragraph 0013 | page 8, paragraph 0085];
transmitting a request to a remote server for information associated with the application [page 12, paragraphs 0115 & 0118-0120]; and
in response to receiving an indication from the remote server that the application is determined to be malicious [page 9, paragraph 0092], preventing the installation of the application on the local device [page 10, paragraphs 0097-0098].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 3 and 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fanton et al. (2006/0150256) in view of Ghosh et al. (2013/0145463).
Claim 3:  Fanton et al. discloses the system of claim 2 but does not explicitly disclose wherein the set of rules comprises a whitelisted set of behaviors observed at the remote server during emulation of the application in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation.
However, Ghosh et al. discloses a similar invention [page 1, paragraph 0005] and further discloses wherein the set of rules comprises a whitelisted set of behaviors observed at the remote server during emulation of the application in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation(define whitelisted rules by monitoring in a sandbox to form a set of rules associated with an application, process and/or service that defines allowed behavior which is used to determine whether a behavior is associated with an infection) [pages 4-5, paragraph 0042 | page 6, paragraph 0052 | page 7, paragraph 0058].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Fanton et al. with the additional features of Ghosh et al., in order to protect against previously unknown threats by monitoring software behavior, as suggested by Ghosh et al. [page 1, paragraphs 0003-0004].
Claim 11:  Fanton et al. discloses the method of claim 11 but does not explicitly disclose wherein the set of rules comprises a whitelisted set of behaviors observed at the remote server during emulation of the application in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation.
However, Ghosh et al. discloses a similar invention [page 1, paragraph 0005] and further discloses wherein the set of rules comprises a whitelisted set of behaviors observed at the remote server during emulation of the application in a virtualized environment and wherein an attempt by the application while executing on the local device to take an action not included in the whitelisted set of behaviors constitutes a rule violation [pages 4-5, paragraph 0042 | page 6, paragraph 0052 | page 7, paragraph 0058].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify the disclosure of Fanton et al. with the additional features of Ghosh et al., in order to protect against previously unknown threats by monitoring software behavior, as suggested by Ghosh et al. [page 1, paragraphs 0003-0004].

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-26 of U.S. Patent No. 10,963,565 in view of Fanton et al. (2006/0150256).
Although the claims at issue are not identical, they are not patentably distinct from each other because both inventions are directed to a substantially similar technique for determining a set of rules for an application by observing behaviors of the application when executed in an instrumented environment; and only differing in that the instant claims further specify that the instrumented environment is a virtualized environment.
However, Fanton et al. discloses a similar invention, as discussed above, and goes on to disclose that the instrumented environment is specifically a virtualized environment [page 9, paragraph 0092].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further modify patented claims with the additional features of Fanton et al., in order to more effectively detect malicious software while still allowing authorized code to execute, as suggested by Fanton et al. [page 1, paragraphs 0008-0009]; thus, arriving at patented claims which are not patently distinct from the instant claims and properly rejected on the grounds of nonstatutory double patenting.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Sandke et al. (2015/0237068).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD ZEE whose telephone number is (571)270-1686. The examiner can normally be reached Monday-Friday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571)272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/EDWARD ZEE/Primary Examiner, Art Unit 2435