DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1. This is a Final Office Action in response to applicant’s amendment filed on October 5, 2022. At this time, claims 1-2, 9-10, 11, 13 and 17-18 have been amended. No claim has been added or cancelled. Therefore, claims 1-20 are pending and addressed below.

Response to Amendments
Applicant’s amendment is sufficient to overcome the 35 U.S.C 101 rejection set forth in the previous office action for independent claim 13. 
As to Claims 1-20, Applicants’ amendment of independent Claims 1, 13 and 18 with newly added feature “wherein the countermeasure includes at least one executable instruction, wherein executing the at least one executable instruction on a computer inoculates the computer from infection by the malware or disinfects the computer by removing the malware from the computer.” [Claims 1-20] has necessitated a new ground(s) of rejection in this Office action. Therefore, Applicants’ arguments filed on 10/05/2022 have been fully considered but are moot in view of the new ground(s) of rejection because the arguments do not apply to any of the updated reference(s) being used in the current rejection.
Examiner’s Note
With respect to the new prior art, Shimoma JP 2016099857, which is a foreign document, it is noted that the document must be read thoroughly to be able to see the passages extracted by the examiner because the specification is not properly labeled with paragraph or column or section.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 6-7, 8, 9-11, 13, 14, 16-17, 18 and 20 are rejected under 35 U.S.C 103 as being unpatentable over Summerlin, US pat. No 20210365556 in view of Shimoma, JP 2016099857. 

Claims 1, 13 and 18. Summerlin discloses a method (See abstract; obtaining a malware sample; extracting operational parameters corresponding to the malware sample; configuring an emulator application corresponding to the malware sample using the operational parameters) comprising:
running a virtual machine with an operating system configured with a monitoring subsystem, (See [0018]; The output generated at the virtual machine via execution of the malware sample can be processed to detect portions of that output likely to indicate the presence of the malware. Those portions may be distinguished, for example, from benign activity performed by the malware to obfuscate its presence. IOCs may be generated and deployed to detection applications based on the above-mentioned portions.) the monitoring subsystem configured to generate event data based on a plurality of events occurring on the virtual machine; (See [0023]; the system 116 also includes a repository 208 configured to receive data (e.g. files, memory dumps, status reports from other system components, and the like) and events from each of the other components of the system 116.)
running a classifier configured to detect a malware based on the plurality of events; (See [0017]; Malware detection applications (e.g. antivirus applications and the like) may be installed on client devices 104 or associated devices to detect malware such as the application 108, either to prevent infection by malware or detect and remove malware after infection. To detect malware, such detection applications may be configured to analyze data and activity at the client device 104, such as the contents of files stored at the client device, network traffic between the client device 104 and the network 100, and the like.)
running a sample on the virtual machine, the classifier detecting the malware in the sample; (See [0018]; The process of identifying IOCs that can be deployed to malware detection applications for use in protecting client devices may involve obtaining samples of malware applications such as the application 108 and executing such samples, e.g. in a sandbox environment such as a virtual machine. See also [0018]; the output generated at the virtual machine via execution of the malware sample can be processed to detect portions of that output likely to indicate the presence of the malware.)
Summerlin does not appear to explicitly disclose and running a countermeasure compiler that generates a countermeasure to the malware, the countermeasure based on the event data. 
wherein the countermeasure includes at least one executable instruction, wherein executing the at least one executable instruction on a computer inoculates the computer from infection by the malware or disinfects the computer by removing the malware from the computer.
However, Shimoma discloses and running a countermeasure compiler that generates a countermeasure to the malware, the countermeasure based on the event data. (See Shimoma, A malicious program countermeasure system 101 shown in FIG. 1 is a computer system that efficiently generates a removal program that can appropriately deal with a malicious program and avoid adverse effects on business processing when applied to a target system.)
wherein the countermeasure includes at least one executable instruction, wherein executing the at least one executable instruction on a computer inoculates the computer from infection by the malware or disinfects the computer by removing the malware from the computer. (See Shimoma; the countermeasure method application function 113 of the malicious program countermeasure system 101 acquires information on the countermeasure method selected in step 1004 described above, generates a removal program for executing the processing of the countermeasure method, and performs the above countermeasure target. This is applied to the simulated environment of the system (step 1005). The generation of the removal program in step 1005 can be, for example, a procedure in which the removal program linked to the corresponding malicious program countermeasure candidate in the countermeasure DB 103 is extracted from the storage device 203 and used as the removal program. See also a computer inspection system (see Patent Document 1) that is obtained from a computer, analyzes the above execution result in an analysis system, outputs the analysis result, and automatically generates a countermeasure method (disinfecting program) for malicious programs from this analysis result has been proposed.)
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)

Claim 3. The combination of Summerlin and Shimoma discloses the method of claim 1 wherein detecting the malware triggers generating the countermeasure. (See Shimoma; automation and acceleration of provision, and dynamic analysis technology include, for example, detecting a malicious program on a computer to be inspected at high speed and low load, In order to make it possible to analyze a malicious program with high accuracy, the inspection server device sends a search program for searching for a malicious program to the target computer for execution, and targets the execution code of malware as the execution result. A computer inspection system (see Patent Document 1) that is obtained from a computer, analyzes the above execution result in an analysis system, outputs the analysis result, and automatically generates a countermeasure method (disinfecting program) for malicious programs from this analysis result)
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)

4. The combination of Summerlin and Shimoma discloses the method of claim 1 wherein the countermeasure compiler is configured to generate a resource data section and wherein the countermeasure includes a precompiled template populated with the resource data section. (See Summerlin, [0056]) 

6. The combination of Summerlin and Grytsan discloses the method of claim 1, the classifier configured to detect the malware based on the sample terminating a process monitored by the monitoring subsystem and that is not associated with the sample. (See [0055-0056])

7. The combination of Summerlin and Shimoma discloses the method of claim 1, the monitoring subsystem configured to monitor a process, and the classifier configured to: detect the malware based on a type of access to the process requested by the sample, and detect the malware based on an identity of the process accessed by the sample. (See [0036] and [0055-0057])

8. The combination of Summerlin and Shimoma discloses the method of claim 1, the monitoring subsystem configured to monitor an operating system registry, and the classifier configured to: detect the malware based on the sample modifying or deleting a registry entry that the sample did not create. (See [0057])

9. The combination of Summerlin and Shimoma discloses the method of claim 1, wherein running the at least one instruction on the computer detects that the computer is infected with the malware. (See Shimoma, a computer inspection system (see Patent Document 1) that is obtained from a computer, analyzes the above execution result in an analysis system, outputs the analysis result, and automatically generates a countermeasure method (disinfecting program) for malicious programs from this analysis result has been proposed.)
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)

10. The combination of Summerlin and Shimoma discloses the method of claim 1, wherein running the at least one instruction on the computer removes the malware from the computer.  (See Shimoma; FIG. 1 is a computer system that efficiently generates a removal program that can appropriately deal with a malicious program and avoid adverse effects on business processing when applied to a target system.) 
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)

11. The combination of Summerlin and Shimoma discloses the method of claim 1, wherein running the at least one instruction on the computer prevents the computer from running a malware process. (See Shimoma; FIG. 1 is a computer system that efficiently generates a removal program that can appropriately deal with a malicious program and avoid adverse effects on business processing when applied to a target system.)
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)

14. The combination of Summerlin and Shimoma discloses the system of claim 13 wherein the classifier is configured to use an event data object in transient memory and based on the plurality of events to detect the malware based on at least two of the plurality of events. (See Summerlin, [0017]; Malware detection applications (e.g. antivirus applications and the like) may be installed on client devices 104 or associated devices to detect malware such as the application 108, either to prevent infection by malware or detect and remove malware after infection. To detect malware, such detection applications may be configured to analyze data and activity at the client device 104, such as the contents of files stored at the client device, network traffic between the client device 104 and the network 100, and the like.) 

16. The combination of Summerlin and Shimoma discloses the system of claim 13 wherein generating the countermeasure is triggered by detecting the malware. (See Shimoma; automation and acceleration of provision, and dynamic analysis technology include, for example, detecting a malicious program on a computer to be inspected at high speed and low load, In order to make it possible to analyze a malicious program with high accuracy, the inspection server device sends a search program for searching for a malicious program to the target computer for execution, and targets the execution code of malware as the execution result. A computer inspection system (see Patent Document 1) that is obtained from a computer, analyzes the above execution result in an analysis system, outputs the analysis result, and automatically generates a countermeasure method (disinfecting program) for malicious programs from this analysis result)
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)
 
17. The combination of Summerlin and Shimoma discloses the system of claim 13 wherein running the at least one executable instruction on the computer the countermeasure is configured to: detect the malware on the computer, remove the malware from the computer, and prevent the computer from running a malware process. (See Shimoma, generating a removal program based on information in the system configuration information DB 102 in which specifications of a countermeasure target system operated by a company or the like are defined.)
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)


20. The combination of Summerlin and Shimoma discloses the non-transitory computer readable medium storing computer readable instructions of claim 18, wherein the countermeasure is stored on a second non-transitory computer readable medium storing additional computer readable instructions, that when executed by a computer, implement a countermeasure method comprising: detecting the malware on the computer, and removing the malware from the computer. (See Shimoma, FIG. 7 is a program for removing a malicious program countermeasure system by preferentially selecting a countermeasure program countermeasure candidate of which countermeasure level when the malicious program countermeasure system 101 generates a removal program based on the countermeasure DB 103. (For example, generating a removal program with a low countermeasure level in order from a removal program with a strong countermeasure level).)
Summerlin and Shimoma are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin with the teaching of Shimoma to include the countermeasure because it would have allowed a malicious program countermeasure system and a malicious program countermeasure method, and more specifically, a removal program capable of appropriately dealing with a malicious program and avoiding adverse effects on business processing when applied to a target system. (See Technical field section)

Claims 2 and 15 are rejected under 35 U.S.C 103 as being unpatentable over Summerlin, US pat. No 20210365556 in view of Shimoma, JP 2016099857 in further view of Grytsan, US20140237596.

The combination of Summerlin and Shimoma does not appear to explicitly disclose the method of claim 1 wherein the monitoring subsystem and the classifier are run within a kernel of the operating system. However, Grytsan discloses wherein the monitoring subsystem and the classifier are run within a kernel of the operating system. (See Grytsan; [0043] and [0053])
Summerlin, Shimoma and Grytsan are analogous art because they are from the same field of endeavor which is malware detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin and Shimoma with the teaching of Grytsan to include the operating system kernel because it would have allowed a system and method for protecting a computer against the harmful effects of malicious software and more particularly to a system and method for detecting the presence of malicious software on a computer and to diffusing malicious software before it can operate to cause undesirable effects on the computer. (See Grytsan, [0005])  

15. As to claim 15, the claim is rejected under the same rationale as claim 2. See the rejection of claim 2 above.

Claim 5 is rejected under 35 U.S.C 103 as being unpatentable over Summerlin, US pat. No 20210365556 in view of Shimoma, JP 2016099857 in further view of Cohen, US pat. No 20070283434.
5. The combination of Summerlin and Shimoma does not disclose the method of claim 1, the classifier configured to: detect the malware based on the sample modifying a tripwire file monitored by the monitoring subsystem, and detect the malware based on the sample modifying a system file monitored by the monitoring subsystem.
However, Cohen discloses detect the malware based on the sample modifying a tripwire file monitored by the monitoring subsystem, and detect the malware based on the sample modifying a system file monitored by the monitoring subsystem. (See Cohen, [0101])
Summerlin, Shimoma and Cohen are analogous art because they are from the same field of endeavor which is access control. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Summerlin and Shimoma with the teaching of Cohen to include the tripwire file because it would have allowed protection to a set of files.

Allowable Subject Matter
Claims 12 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
ISHIBASHI, US20180181455, title “Management system and management method for computer system”
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
Date: 12/8/2022
/JOSNEL JEUDY/Primary Examiner, Art Unit 2438