Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/1/2022 has been entered.

Response to Arguments
In communications filed on 7/15/2022, claims 20-39 are presented for examination. Claims 20, 30, and 39 are independent.
Amended claim(s): 20-22, 26, 28-32, 36, 38, and 39.
Applicants’ arguments, see Applicant Arguments/Remarks filed 7/15/22, with respect to claim(s) rejected under 35 USC 112(a) have been fully considered and are persuasive in view of amendments to the claims. The rejection is withdrawn. 
Applicants’ arguments, see Applicant Arguments/Remarks filed 7/15/22, with respect to claim(s) 21, 22, 31, 32 rejected under 35 USC 112(b) have been fully considered and are persuasive. 
Applicants’ arguments, see Applicant Arguments/Remarks filed 7/15/22, with respect to claim(s) rejected under prior art have been fully considered and are unpersuasive. Cited art of record Bansal (US 10339011 B1) teaches taking snapshots of VMs in various states including powered off (i.e., rest) state (Bansal: col.4:65 to col.5:5). Contrary to Applicant’s argument, Derbeko explicitly discloses detecting malware i.e., vulnerabilities, by analyzing the snapshots at various points in time (Derbeko: Fig. 6, Abstract, col. 5:46 to col. 6:23, col. 7:25-41). The combination of cited references teaches the claimed invention.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 20-23, 25-33, and 35-39 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 20130262801 A1 (hereinafter ‘Sancheti’) in view of US 10339011 B1 (hereinafter ‘Bansal’) in view of US 10536471 B1 (hereinafter ‘Derbeko’).

As regards claim 20, Sancheti (US 20130262801 A1) discloses: A system for inspecting data, the system comprising (Sancheti: Abstract): at least one processor configured to: establish an interface between a client environment and security components; (Sancheti: Figs. 1A-1B, 2, ¶29-¶43, i.e., interface and APIs are provided to clients to connect to cloud system providing virtual machines to multiple clients, wherein the interfaces and APIs provide various management service to manage the VMs)
using the interface, utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment; (Sancheti: Figs. 1A-1B, 2, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs)
use the computing platform APIs to query a location of at least one of the identified virtual disks; (Snacheti: Figs. 1A-1B, 2, 4, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs, wherein, ¶93-¶96, i.e., APIs are provided to locate the VMs and associated disks and to take snapshots)
receive an identification of the location of the virtual disks of the virtual machine; (Snacheti: Figs. 1A-1B, 2, 4, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs, wherein, ¶93-¶96, i.e., APIs are provided to locate the VMs and associated disks and to take snapshots)
perform at least one of taking a snapshot of the virtual machine…, or requesting the snapshot of the virtual machine at rest, wherein the snapshot represents a copy of the cirtual disks of the virtual machine at a point in time; (Snacheti: Figs. 1A-1B, 2, 4, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs, wherein, ¶93-¶96, i.e., APIs are provided to locate the VMs and associated disks and to take snapshots)
However, Snacheti does not explicitly disclose the snapshot is taken at rest.
Bansal in analogous art teaches (see Bansal: col.4:65 to col.5:5) taking snapshots of VMS, including the virtual disks associated with the VMs, at various states of the VM including when the VM/virtual disks is powered-off (i.e., at rest. Note: Per Applicant’s disclosure ¶11, rest state is when the VM is powered off). 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include taking snapshots of VMS, including the virtual disks associated with the VMs, at various states of the VM including when the VM is powered-off (i.e., at rest) as taught by Bansal with the motivation to ensure data lossless backups of VMs (Bansal: Abstract)
Snacheti discloses analyzing the snapshots (Snacheti: ¶77), however, Snacheti does not but in analogous art Derbeko (US 10536471 B1) teaches: analyze the snapshot to detect vulnerabilities; and (Derbeko: Fig. 6, Abstract, col. 5:46 to col. 6:23, col. 7:25-41, i.e., detecting malware i.e., vulnerabilities, by analyzing the snapshots at various points in time)
report the detected vulnerabilities as alerts. (Derbeko: col. 4:10-23, i.e., reporting the vulnerability to an operator)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include analyzing snapshots for malware/vulnerabilities and to alert operators if any malware/vulnerabilities are found as taught by Derboko with the motivation to determine if anaomalies exists in VMs (Derbeko: Abstract) 

As regards claim 30, Sancheti (US 20130262801 A1) discloses: A computer-implemented method for inspecting data, the method comprising: establishing an interface between a client environment and security components; (Sancheti: Figs. 1A-1B, 2, ¶29-¶43, i.e., interface and APIs are provided to clients to connect to cloud system providing virtual machines to multiple clients, wherein the interfaces and APIs provide various management service to manage the VMs)
using the interface to utilize cloud computing platform APIs to identify virtual disks of a virtual machine in the client environment; (Sancheti: Figs. 1A-1B, 2, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs)
using the computing platform APIs to query a location of at least one of the identified virtual disks; (Snacheti: Figs. 1A-1B, 2, 4, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs, wherein, ¶93-¶96, i.e., APIs are provided to locate the VMs and associated disks and to take snapshots)
receiving an identification of the location of the virtual disks of the virtual machine; (Snacheti: Figs. 1A-1B, 2, 4, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs, wherein, ¶93-¶96, i.e., APIs are provided to locate the VMs and associated disks and to take snapshots)
emulating the virtual disks for the virtual machine; (Snacheti: Figs. 1A-1B, 2, 4, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs and executing (i.e., emulating) the VMs and associated VDs, wherein, ¶93-¶96, i.e., APIs are provided to locate the VMs and associated disks and to take snapshots)
performing at least one of taking a snapshot of the virtual machine…, or requesting the snapshot of the virtual machine…, wherein the snapshot represents a copy of the virtual disks of the virtual machine at a point in time; (Snacheti: Figs. 1A-1B, 2, 4, ¶29-¶43, i.e., interface and APIs are provided to access and identify the virtual disks/LUNs and associated VMs, wherein, ¶93-¶96, i.e., APIs are provided to locate the VMs and associated disks and to take snapshots)
However, Snacheti does not explicitly disclose the snapshot is taken at rest.
Bansal in analogous art teaches (see Bansal: col.4:65 to col.5:5) taking snapshots of VMS, including the virtual disks associated with the VMs, at various states of the VM including when the VM is powered-off (i.e., at rest. Note: Per Applicant’s disclosure ¶11, rest state is when the VM is powered off). 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include taking snapshots of VMS, including the virtual disks associated with the VMs, at various states of the VM including when the VM is powered-off (i.e., at rest) as taught by Bansal with the motivation to ensure data lossless backups of VMs (Bansal: Abstract)  
Snacheti discloses analyzing the snapshots (Snacheti: ¶77), however, Snacheti does not but in analogous art Derbeko (US 10536471 B1) teaches: analyzing the snapshot to detect vulnerabilities; and (Derbeko: Fig. 6, Abstract, col. 5:46 to col. 6:23, col. 7:25-41, i.e., detecting malware i.e., vulnerabilities, by analyzing the snapshots at various points in time.)
reporting the detected vulnerabilities as alerts. (Derbeko: col. 4:10-23, i.e., reporting the vulnerability to an operator if malware detected in the snapshot)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include analyzing snapshots for malware/vulnerabilities and to alert operators if any malware/vulnerabilities are found as taught by Derboko with the motivation to determine if anaomalies exists in VMs (Derbeko: Abstract) 

Claim 39 recites substantially the same features recited in claim 30 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 21, Sancheti et al combination discloses the system of claim 20, wherein during the analysis of the snapshot, the virtual machine is inactive. (Derbeko: col. 4:35-54, i.e., analyzing the snapshot in isolation when VM is not running as well as analyzing the snapshot during VM runtime to detect malware causing changes to memory)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include analyzing snapshots for malware/vulnerabilities and to alert operators if any malware/vulnerabilities are found as taught by Derboko with the motivation to determine if anaomalies exists in VMs (Derbeko: Abstract) 

Claim 31 recites substantially the same features recited in claim 21 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 22, Sancheti et al combination discloses the system of claim 20, wherein during the analysis of the snapshot, the virtual machine is active. (Derbeko: col. 4:35-54, i.e., analyzing the snapshot in isolation when VM is not running as well as analyzing the snapshot during VM runtime to detect malware causing changes to memory)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include analyzing snapshots for malware/vulnerabilities and to alert operators if any malware/vulnerabilities are found as taught by Derboko with the motivation to determine if anaomalies exists in VMs (Derbeko: Abstract)

Claim 32 recites substantially the same features recited in claim 22 above and is rejected based on the aforementioned rationale discussed in the rejection. 

As regards claim 23, Sancheti et al combination discloses the system of claim 20, wherein reporting the detected vulnerabilities as alerts includes indicating priority levels associated with the detected vulnerabilities. (Derbeko: col. 1:40-50, col.4:1-23, col.6:9-24, i.e., detecting threshold level of suspicious/malware of the snapshot) 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include analyzing snapshots for malware/vulnerabilities and to alert operators if any malware/vulnerabilities are found as taught by Derboko with the motivation to determine if anaomalies exists in VMs (Derbeko: Abstract) 

Claim 33 recites substantially the same features recited in claim 23 above and is rejected based on the aforementioned rationale discussed in the rejection. 

As regards claim 25, Sancheti et al combination discloses the system of claim 20, wherein the identification of the location of the virtual disks of the virtual machine includes a virtual address of at least one of the virtual disks.(Sancheti: ¶35)

Claim 35 recites substantially the same features recited in claim 25 above and is rejected based on the aforementioned rationale discussed in the rejection. 

As regards claim 26, Sancheti et al combination discloses the system of claim 20, wherein the snapshot includes a change log of at least one of the virtual disks configured to restore the virtual machine to a particular point in time. (Snacheti: Abtract, Figs. 6A-6B, ¶76)

Claim 36 recites substantially the same features recited in claim 26 above and is rejected based on the aforementioned rationale discussed in the rejection. 

As regards claim 27, Sancheti et al combination discloses the system of claim 20, wherein the snapshot includes a page file of memory associated with the virtual machine, the page file being configured to allow deduction of one or more applications running on the virtual machine. (Derbeko: col. 4:35-54, i.e., analyzing memory of the VM snapshot to detect a malware causing changes to memory)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti to include analyzing snapshots for malware/vulnerabilities and to alert operators if any malware/vulnerabilities are found as taught by Derboko with the motivation to determine if anaomalies exists in VMs (Derbeko: Abstract) 

Claim 37 recites substantially the same features recited in claim 27 above and is rejected based on the aforementioned rationale discussed in the rejection. 

As regards claim 28, Sancheti et al combination discloses the system of claim 20, wherein the snapshot includes a plurality of snapshots, and the at least one processor is configured to generate the plurality of snapshots according to a predetermined schedule. (Sancheti: ¶52, ¶81-¶84. See also, Derbeko: Col. 6:1-23)

Claim 38 recites substantially the same features recited in claim 28 above and is rejected based on the aforementioned rationale discussed in the rejection. 

As regards claim 29, Sancheti et al combination discloses the system of claim 20, wherein the at least one processor is configured to generate the at least one snapshot in response to a predetermined trigger event. (Sancheti: ¶52, ¶81-¶84. See also, Derbeko: Col. 6:1-23)

Claim 24, 34 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sancheti in view of Derbeko in view of US 20080263658 A1 (hereinafter ‘Michael’).

As regards claim 24, Sancheti et al combination discloses the system of claim 20. However Sancheti et al do not but in analogous art, Michael (US 20080263658 A1) teaches: wherein the at least one processor is further configured to implement a remedial action for at least one of the detected vulnerabilities. (Michael: Fig. 6, ¶60-¶63, i.e., scanning virtual images (i.e., snapshots) of a VM iteratively until an image is found to be malware free and restoring the VM with the malware free image)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Snacheti et al to include scanning virtual images (i.e., snapshots) of a VM iteratively until an image is found to be malware free and restoring the VM with the malware free image as taught by Michael with the motivation to restoring a VM to a snapshot that is malware free (Michael: ¶9-¶10)  

Claim 34 recites substantially the same features recited in claim 24 above and is rejected based on the aforementioned rationale discussed in the rejection. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SYED A ZAIDI/Primary Examiner, Art Unit 2432