DETAILED ACTION
 	Claims 1-20 are pending. This is in response to the application filed on June 22, 2020.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the system recites the malware analysis performed in a virtual container implying the system can be a virtual machine. Hence, the processing components and the memory components are interpreted as software components.
Claims 2-16 are rejected as being dependent to claim 1.
Claim 20 recites a computer program product which is not defined as hardware. Therefore, the claim is also rejected for not eligible as one of the four eligible subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-14, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over PG Pub 20180048660 (hereinafter Paithane) in view of US Patent 10489592 (hereinafter Naamneh)
 	Regarding claim 1, Paithane discloses a system for isolating and analyzing suspicious information in alternate formats using virtual containers (Fig. 1 and related text discloses the analysis engines performed threat detections for the electronic device 100 in separate VMs), the system comprising: 
 	one or more memory components storing computer-readable code; and one or more processing components operatively coupled to the one or more memory components, wherein the one or more processing components are configured to execute the computer-readable code to: 
 	Paithane discloses the dynamic analysis in each VM only analyzes suspicious object (Fig. 2 and par. [0044]). Hence Paithane teaches receive an indication of the suspicious information; allow an analyst However, Paithane does not disclose the analysis is performed by a user at each VM. Naamneh discloses this feature (Fig. 5 and col. 9, lines 8-19 disclose a user at a test device perform malware analysis in a sandbox environment). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Paithane with Naamneh to further teach receive an indication of the suspicious information; allow an analyst user to access to a virtual container in order to analyze the suspicious information. One would have done so using known processes having either human or automated to perform malware analysis in the same field of endeavor with reasonable expectation of success; 
 	Paithane  discloses accessing the suspicious information in an analysis format that is different than an original format of the suspicious information, wherein the analysis format is accessed using a non-native application (par. [0040]-[0044] and [0052] discloses “…the formatting logic 230 receives at least the captured object 224 for analysis, and converts that object 224 into a format, if needed or as appropriate, on which scanning may be conducted by the static analysis engine 170. This conversion may involve decompression of the object for example…” and “…the dynamic analysis engine 175 for in-depth dynamic analysis by the VMs 180.sub.1-180.sub.N. For instance, according to one embodiment of the disclosure, a first VM 180.sub.1 may be adapted to conduct a multi-app, multi-plugin analysis, where the suspicious object 228 is a file path and is analyzed in accordance with a selected multi-app, multi-plugin processing framework. The multi-app, multi-plugin processing framework selects a software profile based, at least in part, on (i) the type of object being analyzed (e.g., certain type of data elements such as a PDF document or Microsoft® Office® document, a URL, etc… The determined object category is passed as a parameter to the launcher logic … [such as] string in a Hypertext Transfer Protocol (HTTP) flow for example, the scheduler 235 may obtain information that identifies a specific type of browser application (e.g., Internet Explorer®., Firefox®, Chrome®, etc.)”. This suggests the analysis performed in non-native language); 
 	Naamneh discloses allow the analyst user to analyze the suspicious information in the analysis format within the virtual container (see citation above for sandbox that can be performed in a virtual machine (col.3, lines 49-50); and 
 	Paithane  discloses implement a mitigation action when the suspicious information is determined to include harmful information (par. [0050]). 
 	Regarding claim 3, Paithane discloses wherein the system is accessed through an application programming interface located on the system, an analyst computer system (see Fig. 2 for the Threat detection System), or on an application programing interface system.  	Regarding claim 4, Paithane discloses wherein the analyst user utilizes a browser to view the analysis format of the suspicious information (par. [0053] discloses “…selecting a particular browser application (e.g., Internet Explorer, FireFox®, Chrome®, etc.) as part of the multi-app, multi-plugin processing framework…”).  	Regarding claim 5, Paithane discloses wherein allowing the analyst user to analyze the suspicious information in the analysis format within the virtual container comprises: determining when the suspicious information in the analysis format meets past harmful information previously identified; and identifying the suspicious information as the harmful information (par. [0041] discloses “…a comparison of (i) content of the formatted object 226 and (ii) one or more pre-stored signatures associated with detected malware…”).  	Regarding claim 6, Paithane discloses wherein the system is accessed through an application programming interface located on the system, an analyst computer system, or on an application programing interface system; wherein the analysis format is an html file; wherein the analyst user utilizes a browser to view the analysis format of the suspicious information; and wherein allowing the analyst user to analyze the suspicious information in the analysis format within the virtual container comprises: determining when the suspicious information in the analysis format meets past harmful information previously identified; and identifying the suspicious information as the harmful information (see all rejections for claims 1-5).  	Regarding claim 7, Paithane discloses wherein the indication of the suspicious information is received from a target user (par. [0058] and [0064] discloses the analysis to determine whether a targeted electronic device (e.g. customer) is susceptible to a malicious attack).  	Regarding claim 8, Paithane discloses wherein the indication of the suspicious information is received automatically from an organization system (par. [0058] and [0062] discloses performing the analysis to most common application/plug version for a targeted enterprise).  	Regarding claim 9, Paithane discloses wherein the system is an isolation system that provides physical separation and logical separation when analyzing the suspicious information (Fig. 2).  	Regarding claim 10, Paithane discloses wherein the one or more processing components are further configured to execute the computer-readable code to: create a plurality of virtual containers for a plurality of analysts, wherein each of the plurality of virtual containers are specific to each of the plurality of analysts (Fig. 2, 4A-B, par. [0039-[0042] discloses different stored applications and/or different plug-ins may be provisioned differently within each VM 1801-180N).  	Regarding claim 11, Paithane discloses wherein the one or more processing components are further configured to execute the computer-readable code to: create the virtual container when the analyst user accesses the system (par. [65] discloses for each application/plug-in combination, a VM is instantiated to process the object under analysis).  	Regarding claim 12, Paithane discloses to receive virtual environment configurations from the analyst user for the virtual container for the suspicious information (par. [0039] discloses determining protocols, application types and other information that may be used by logic within the threat detection system for a particular software profile used for virtual machine (VM) configuration. The profile may be used for initial configuration of guest software and may reconfigure the run-time operation to support a selected multi-app, multi-plugin analysis).  	Regarding claim 13, Paithane discloses automatically set virtual environment configurations for the virtual container based on configurations of a target user computer system of a target user from which the suspicious information was received (par. [0045] discloses during processing of the suspicious object, emulates a source of or destination for communications with the suspicious object).  	Regarding claim 14, Paithane discloses wherein the mitigation action comprises sending a notification to a user when the harmful information is identified (par. [0050] discloses sending alert such as text messages, email messages, video or audio stream, or other types of information over a wired or wireless communication path to other entities).
Regarding claims 17 and 20, the claims are rejected in view of claim 1 rejection.

 Claims 2 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Paithane in view of Naamneh and further in view of US Patent 10482239 (hereinafter Liu)
 Regarding claim 2, Paithane discloses examining HTTP flow and URL type (par. [0050]-[0051]) but unclear if  the analysis format is an html format. Liu disclose this feature (Fig. 4, col. 17-18). Therefore, it would have been obvious before the effective filing date of the claimed invention to further teach the aforementioned claimed feature to modify Paithane, Naamneh with Liu. One would have done so as an obvious choice for inspecting malware on webpage since it is known the entire World Wide Web uses HTTP protocol. Hence, using HTML would be the first choice comes to mind. 	Regarding claim 18, Paithane discloses wherein the virtual container is accessed through an application programming interface located on an isolation system, an analyst computer system, or on an application programing interface system; 
wherein the analysis format is an html file; wherein the analyst user utilizes a browser to view the analysis format of the suspicious information; and
 wherein allowing the analyst user to analyze the suspicious information in the analysis format within the virtual container comprises: determining when the suspicious information in the analysis format meets past harmful information previously identified; and identifying the suspicious information as the harmful information.  	see claims 2-5 rejections.
 	Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Paithane in view of Naamneh and further in view of PG Pub 20180336351 (hereinafter Jefferies) and US Patent 10440050 (hereinafter Neel) 	Regarding claim 15, as presented in claim 14, Paithane discloses notify others but unclear if the mitigation action comprises requesting notifying other analyst users of the harmful information, notifying other users within an organization of the harmful information, notifying a third-party of the harmful information, removal of the harmful information from a target user computer system, allowing the analyst user to access a target user computer of a target user to remediate the harmful information, requiring a username or password change, blocking a website for the harmful information, preventing future download of the harmful information, or automatically deleting any future communication with the harmful information. 
  	Jefferies discloses quarantining the resource to prevent the host operating system of a central computing device in an enterprise from potentially malicious activity, notifying at least one different computing device of the malicious activity to prevent the different computing device from the potentially malicious activity (par. [0039] and [0097] discloses each container created for each user. When malicious object is found in a container it is quarantined). Thus, Jefferies teaches the mitigation action comprises requesting notifying other analyst users of the harmful information, notifying other users within an organization of the harmful information, notifying a third-party of the harmful information, removal of the harmful information from a target user computer system, allowing the analyst user to access a target user computer of a target user to remediate the harmful information, requiring a username or password change, blocking a website for the harmful information, preventing future download of the harmful information, or automatically deleting any future communication with the harmful information 	Neel discloses requiring a username or password change (Figs. 2A-B and col. 13 and col. 15, lines 5-12).
	Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Paithane, Naamneh with Jefferies and Neel to further teach the claimed features. One would have done so using known corrective actions when performing malware analysis process with reasonable expectation of success.

	Claims 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Paithane in view of Naamneh and further in view of US Patent 11240275 (hereinafter Vashisht)
 	Regarding claim 16, Paithane discloses the classification engine determines whether a suspicious object under analysis should be classified as malicious. The classification engine may conduct a probabilistic modeling process that assigns risk levels to different monitored behaviors of the suspicious object (par. [0047]-[0048]). Meaning not all suspicious objects are malicious. However, Paithane does not expressly identify when the suspicious information fails to include the harmful information; and send a notification to a target user that the suspicious information is cleared when the harmful information fails to be identified. Vashisht discloses this feature (Fig. 7 and col. 39, particularly steps 725 to 745 which discloses a response message with a verdict of malicious or benign after analysis of an executable code). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Paithane, Naamneh with Vashisht to further teach the claimed features. One would have done so using known alerting process when performing malware analysis with reasonable expectation of success. 	Regarding claim 19, the combination of Paithane discloses identifying when the suspicious information fails to include the harmful information; and sending a notification to a target user that the suspicious information is cleared when the harmful information fails to be identified (see claim 16 rejection). 
Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994. The examiner can normally be reached Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRI M TRAN/Primary Examiner, Art Unit 2432