DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-20 are pending.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
 (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Bryzgin (US 20220070219).

Claim 1, Bryzgin discloses A computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of: 
identifying one or more environmental variables of a virtual compute instance used by malware to detect a presence of a sandbox; (e.g. ¶13, 15-17, 20, 47: identifying at least one artifact of a sandbox environment used by malware application to detect the sandbox environment)
storing sandbox configuration information including the one or more environmental variables at a threat management facility; (e.g. fig. 1, ¶20, 58: storing the at least one artifact to an artifact database at an analysis and update server)
distributing the sandbox configuration information to a local security agent on an endpoint in an enterprise network; and (e.g. figs. 1-2, ¶14, 22, 51, 54-55, 63: transmitting to a computer system at least one artifact of a sandbox environment to be installed in the computer system for simulating the sandbox environment)
causing the endpoint to present the one or more environmental variables from the sandbox configuration information in a computing environment on the endpoint when executing computer code. (e.g. figs. 1-2, ¶14, 55, 64: installing the at least one artifact of the sandbox environment into the computer system to simulate the sandbox environment when executing an application)

Claim 2, Bryzgin discloses The computer program product of claim 1, wherein the endpoint is a virtual machine executing on a cloud computing resource.  (e.g. fig. 1, ¶50-51, 53-55)

Claim 3, Bryzgin discloses The computer program product of claim 2, wherein the threat management facility is hosted outside the cloud computing resource. (e.g. fig. 1, ¶50-52)

Claim 4, Bryzgin discloses The computer program product of claim 1, wherein the sandbox configuration information includes an application programming interface for a sandbox environment.  (e.g. ¶13, 15-17, 47)

Claim 5, Bryzgin discloses The computer program product of claim 1, further comprising code that performs the step of updating the sandbox configuration information based on behavior of the malware detected within a sandbox environment.  (e.g. ¶13, 111-118)

Claim 6, Bryzgin discloses A method comprising: Page 47 of 51EFS-WebPATENTS SPHS-0140-PO1 
storing sandbox configuration information including one or more features of a virtual compute instance used by malware to detect a presence of a sandbox; (e.g. fig. 1, ¶20, 58: storing the at least one artifact to an artifact database at an analysis and update server)
distributing the sandbox configuration information to an endpoint in an enterprise network; and (e.g. figs. 1-2, ¶14, 22, 51, 54-55, 63: transmitting to a computer system at least one artifact of a sandbox environment to be installed in the computer system for simulating the sandbox environment)
causing the endpoint to present the one or more features from the sandbox configuration information in a computing environment when executing computer code. (e.g. figs. 1-2, ¶14, 55, 64: installing the at least one artifact of the sandbox environment into the computer system to simulate the sandbox environment when executing an application)

Claim 7, Bryzgin discloses The method of claim 6, further comprising identifying the one or more features of the virtual compute instance used by the malware to detect the presence of the sandbox by executing the computer code in a sandbox environment to detect sandbox detection activity.  (e.g. ¶13, 15-17, 20, 47)

Claim 8, Bryzgin discloses The method of claim 6, further comprising identifying the one or more features of the virtual compute instance used by the malware to detect the presence of the sandbox by executing the computer code in a sandbox environment to detect behavior indicative of sandbox evasion.  (e.g. ¶13, 15-17, 20, 47)

Claim 9, Bryzgin discloses The method of claim 6, further comprising updating the sandbox configuration information in response to identifying a new malware sandbox detection exploit.  (e.g. ¶13, 111-118)

Claim 10, Bryzgin discloses The method of claim 6, further comprising conditionally causing the endpoint to present the one or more features when the computer code has a low or unknown reputation. (e.g. ¶32, 45, 110)

Claim 11, Bryzgin discloses The method of claim 6, further comprising conditionally causing the endpoint to present the one or more features unless the computer code is from a whitelist of known, safe executables. (e.g. ¶32, 45, 110)

Claim 12, Bryzgin discloses The method of claim 6, wherein the one or more features includes an environmental variable for a sandbox environment. (e.g. ¶13, 15-17, 47)

Claim 13, Bryzgin discloses The method of claim 6, wherein the one or more features includes an application programming interface for a sandbox environment. (e.g. ¶13, 15-17, 47)

Claim 14, Bryzgin discloses The method of claim 6, further comprising distributing the sandbox configuration information to a security sandbox system, and causing the security sandbox system to hide the one or more features from the sandbox configuration information in a sandbox environment created by the security sandbox system, thereby encouraging a malware sample using a corresponding detection technique to deploy within the sandbox environment.  (e.g. figs. 1-2, ¶55, 64-67)

Claim 15, Bryzgin discloses A system comprising: 
a threat management facility including a database storing sandbox configuration information including one or more features of a virtual compute instance used by malware to detect a presence of a sandbox, (e.g. fig. 1, ¶20, 58: storing the at least one artifact to an artifact database at an analysis and update server) the threat management facility including a processor and a memory storing computer executable code configured to distribute the sandbox configuration information to an endpoint in an enterprise network; and (e.g. figs. 1-2, ¶14, 22, 51, 54-55, 63: transmitting to a computer system at least one artifact of a sandbox environment to be installed in the computer system for simulating the sandbox environment)
a local security agent executing on the endpoint, the local security agent causing the endpoint to present the one or more features from the sandbox configuration information in a computing environment when executing computer code.   (e.g. figs. 1-2, ¶14, 55, 64: installing the at least one artifact of the sandbox environment into the computer system to simulate the sandbox environment when executing an application)

Claim 16, this claim is rejected for similar reasons as in claim 7 or 8.

Claim 17, this claim is rejected for similar reasons as in claim 9.

Claim 18, this claim is rejected for similar reasons as in claim 10.

Claim 19, this claim is rejected for similar reasons as in claim 11.

Claim 20, this claim is rejected for similar reasons as in claim 12 or 13.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20170132411 discloses [0003] However, some malicious programs may try to evade virtual environment testing by attempting to detect whether the program is executing within a virtual environment. For example, the program may attempt to call certain functions or access certain data structures indicative of a virtual operating environment. If the program detects that it is executing within a virtual environment, the program may behave in a benign manner and thus escape detection. When the program is released and executed within the normal operating system of a computing device, the program may then act maliciously. [0019] In overview, various embodiments provide systems and methods for analyzing a program executing within a virtual environment on a computing device. Various embodiments may include determining whether the program is executing operations that indicated the program is attempting to detect whether it is being executed within the virtual environment. [0029] The malicious program 206 may attempt to discover whether it is executing within a virtual environment 204, such as by attempting to call certain functions or access certain data structures in the API 208. Certain return values from the called functions or data structures of the API 208 may confirm that the program 206 is executing within the virtual environment 204. Therefore in various embodiments, the virtual environment 204 or the operating system 202 may be configured to monitor operations and behaviors of the program 206 within the virtual environment 204 to determine whether the program 206 is calling certain functions or accessing certain data structures in the API 208 in an attempt to discover whether it is executing within the virtual environment 204. There are several types of functions and/or data structures that a malicious program 206 might execute or attempt to access in an effort to detect a virtual environment, and that the virtual environment 204 may be configured to detect. [0040] In block 402, the processor may analyze a program executing within a virtual environment on the computing device. The program may be potential malware or any other unknown program, and the processor may be analyzing the program to determine whether or not it is malicious. [0041] In block 404, the processor may monitor attempted accesses by the program to certain APIs and data structures that could reveal properties of the virtual environment. Attempts by the program to access such API and/or data structure properties may indicate that the program is attempting to detect whether the program is being executed within a virtual environment. A non-limiting example of an API property that may be monitored in block 404 is a model specific register (which is valid on a quick emulator (QEMU) simulator but returns an exception when called in the actual computing device). Another non-limiting example of an API property that may be monitored in block 404 is a length of an instruction (which may be arbitrarily long in a virtual environment). Another non-limiting example of an API property that may be monitored in block 404 is a store interrupt descriptor table register (the base address may be different in a virtual environment and may also exceed a certain function). Another non-limiting example of an API property that may be monitored in block 404 is a debugger function (e.g., IsDebuggerPresent( ) or CheckRemoteDebuggerPresent( ). Another non-limiting example of an API property that may be monitored in block 404 is an IN/OUT instruction used for host-guest communication. Another non-limiting example of an API property that may be monitored in block 404 is illegal opcode handling used for host-guest communication. [0042] In determination block 406, the processor may determine from the monitored behaviors whether the program is attempting to discover whether it is being executed within the virtual environment. For example, the processor may determine that the program is attempting to access the monitored API that could reveal properties unique to virtual environments.


US 20210200859 discloses [0039] Responsive to determining that endpoint device 106 has potentially been infected by software-evading malware, endpoint security solution 110 may transmit a file associated with sandbox-evading malware from endpoint device 106 to security platform 112 running sandbox service 102 along with contextual information related to the file, captured by the endpoint security solution 110. In one implementation, security platform 112 may be a cloud-based network security service running sandbox service 102, which can be implemented as a physical or virtual sandbox appliance. In alternative embodiments, the sandbox service 102 may be provided by a sandbox appliance residing in the enterprise network in the form of on-premises equipment. [0040] According to an embodiment, sandbox service 102 receives the file associated with the sandbox-evading malware from endpoint security solution 110 running on endpoint device 106, and a corresponding set of contextual information related to the file. Sandbox service 102 classifies the file as being malware by detonating the sandbox-evading malware. The detonation is done by performing sandboxing on the file including emulating an environment of the endpoint device 106 based on the provide contextual information.

US 20170041338 discloses [0042] In example where different devices monitor the execution of a software application, each device may use the same, or some of the same, signatures to test the software application. For example, a set of signatures may be developed to detect a particular unwanted toolbar application. These signatures may be used in dynamic tests such as monitoring the user preferences of a web browser and static testing such as examining the toolbar application to see if it contains a class known or believed to be common to unwanted toolbars. These signatures may be used by any kind of computing device (e.g., a network computing device, a client device, a device hosting a sandbox) monitoring the execution of a software application. [0043] In addition or alternatively, some but not all of the devices may use different rules, even if those devices are all administered by the same organization. For example, a suite of sandbox-specific signatures crafted to catch behavior of applications attempting to escape a sandbox. Example behaviors include, but are not limited to return-oriented programming, writing to memory locations outside of a permitted range, and attempting to escalate execution privileges. Devices that run applications in a sandbox environment may be given these signature while, optionally, devices that don't run applications in a sandbox may not. Other suites of signatures like this can include, but are not limited to, operating system specific signatures, hardware specific signatures, or user specific signatures. In addition to feature-specific signatures, devices may also use universal suites of signatures that can be use universally (e.g. for every device under a particular administration, on a network, or otherwise logically grouped).

US 20170111374 discloses static analysis is applied to unrecognized software objects in order to identify and address potential anti-sandboxing techniques. Where static analysis suggests the presence of any such corresponding code, the software object may be forwarded to a sandbox for further analysis. In another aspect, multiple types of sandboxes may be provided, with the type being selected according to the type of exploit suggested by the static analysis.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436