DETAILED ACTION
In reply to applicant communication filed on December 21, 2020 and telephonic interview conducted on September 09, 2022, claims 1, 3-13, and 15-20 have been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 2 and 14 have been cancelled.
Claims 21-23 have been added.
Claims 1, 3-13, and 15-23 are pending.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant representative, Tam Thanh Pham (Reg. No. 50,565) on September 09, 2022. 

Please replace the claim set filed on December 21, 2020 with the following claims:

1. (currently amended) A method for detecting malicious content, the method comprising:
receiving data at a sandbox device, wherein the data is received from a separate firewall device after the separate firewall device receives the data from a sender device, a first portion of the data being sent to a destination device while holding a second portion of the data at the firewall device until at least after an observation of the data at the sandbox device;
observing that a first action is performed when instructions included in the received data are executed at the sandbox device;
identifying that the first action is suspicious and includes reorganizing at least a portion of the received data;
observing an additional action performed when instructions included in the reorganized data portion are executed at the sandbox device, wherein the additional action includes accessing an inappropriate data storage location; 
identifying that the additional action is classified as malicious; and
performing a second action based on the additional action being classified as malicious, 

2. (cancelled)

3. (currently amended) The method of claim 1, further comprising

4. (previously presented) The method of claim 1, further comprising: 
identifying an attribute associated with the received data; and
storing the attribute associated with the received data.

5. (previously presented) The method of claim 1, further comprising: 
generating a signature from the received data; and
storing the signature at a deep packet inspection data store. 

6. (previously presented) The method of claim 1, wherein the first action includes intercepting a basic input/output (BIOS) instruction.

7. (currently amended) The method of claim [[2]] 1, wherein 

8. (currently amended) The method of claim [[2]] 1, wherein the first action includes de-obfuscating the additional instructions included in the received data

9. (currently amended) The method of claim 1, wherein the additional action or the second action includes preparing to transmit data from the sandbox device.

10. (currently amended) The method of claim 1, further comprising:
receiving a second set of data at the sandbox device, wherein the second set of data is received from the separate firewall device after the separate firewall device receives the second set of data;
observing one or more actions performed when instructions included in the second set of received data are executed; and
performing a deep packet inspection (DPI) scan on the second set of data while observing the one or more actions performed when the instructions included in the second set of received data are executed.

11. (previously presented) The method of claim 10, wherein the one or more actions are observed while the DPI scan is performed based on the sandbox device being a multi-processor platform.

12. (previously presented) The method of claim 10, further comprising:
identifying based on the observing of the one or more performed actions that the second set of data includes malicious instructions;
storing a signature generated from the second set of data;
generating a second signature from a third set of received data;
identifying that the signature matches the second signature; and
identifying that the third set of data includes the malicious instructions based on the signature matching the second signature.

13. (currently amended) A non-transitory computer-readable storage medium having embodied thereon a program executable by a processor for implementing a method for detecting malicious content, the method comprising:
receiving data at a sandbox device, wherein the data is received from a separate firewall device after the separate firewall device receives the data from a sender device, a first portion of the data being sent to a destination device while holding a second portion of the data at the firewall device until at least after an observation of the data at the sandbox device;
observing that a first action is performed when instructions included in the received data are executed at the sandbox device;
identifying that the first action is suspicious and includes reorganizing at least a portion of the received data;
observing an additional action performed when instructions included in the reorganized data portion are executed at the sandbox device, wherein the additional action includes accessing an inappropriate data storage location; 
identifying that the additional action is classified as malicious; and
performing a second action based on the additional action being classified as malicious, 

14. (cancelled) 

15. (currently amended) The non-transitory computer-readable storage medium of claim 13, the program is further executable to

16. (previously presented) The method of claim 13, further comprising: 
identifying an attribute associated with the received data; and
storing the attribute associated with the received data.

17. (previously presented) The method of claim 13, further comprising: 
generating a signature from the received data; and
storing the signature at a deep packet inspection data store. 

18. (previously presented) The non-transitory computer-readable storage medium of claim 13, wherein the first action includes intercepting a basic input/output (BIOS) instruction.

19. (currently amended) The non-transitory computer-readable storage medium of claim [[14]] 13, wherein 

20. (currently amended) A system for detecting malicious content, the system comprising:
a firewall device that:
receives a data set based on information received from a destination device;
sends the data set for analysis,
sends a first portion of the data set to the destination device, and
holds a second portion of the data set at the firewall device without immediately sending the second portion of the data set to the destination device; and
a sandbox device that is separate from the firewall device, wherein the sandbox device:
receives the data set from the firewall device,
performs the analysis,
observes that a first action is performed when instructions included in the first data set are executed based on the analysis, [[and]]
identifies that the first action is suspicious and includes reorganizing at least a portion of the received data, 
observes that an additional action is performed when instructions included in the reorganized data portion are executed at the sandbox device, wherein the additional action includes accessing an inappropriate data storage location, 
identifies that the additional action is classified as malicious, and 
performs a second action based on the additional action being classified as malicious, wherein the second action occurs after the observation of the data at the sandbox device. 

21. (new) The system of claim 20, wherein the sandbox device further: 
identifies an attribute associated with the received data; and
stores the attribute associated with the received data.

22. (new) The system of claim 20, wherein the sandbox device further:
generates a signature from the received data; and
stores the signature at a deep packet inspection data store.

23. (new) The system of claim 20, wherein the first action includes intercepting a basic input/output (BIOS) instruction.

Allowable Subject Matter
Claims 1, 3-13, and 15-23 are allowed. The following is an examiner’s statement of reasons for allowance:
The primary reason for allowance of the independent claims is the combined limitations of receiving data at a sandbox device, wherein the data is received from a separate firewall device after the separate firewall device receives the data from a sender device, a first portion of the data being sent to a destination device while holding a second portion of the data at the firewall device until at least after an observation of the data at the sandbox device; observing that a first action is performed when instructions included in the received data are executed at the sandbox device; identifying that the first action is suspicious and includes reorganizing at least a portion of the received data; observing an additional action performed when instructions included in the reorganized data portion are executed at the sandbox device, wherein the additional action includes accessing an inappropriate data storage location; identifying that the additional action is classified as malicious; and performing a second action based on the additional action being classified as malicious, wherein the second action occurs after the observation of the data at the sandbox device.

The prior art references of Raz (US Pub. No. 2010/0269171) and Marinescu (US Pub. No. 2006/0224724) are found to be the closest prior art to the claimed features of the invention. Raz discloses a system and method for effective network-security inspection in virtualized environments. In addition, Marinescu discloses a system and method for identifying malware at a network transit point such as a computer that serves as a gateway to an internal or private network. However, the cited art fails to teach the limitations set out above. The dependent claims are allowed by virtue of their dependency on the allowed independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434