Prosecution Insights
Last updated: April 19, 2026
Application No. 18/464,202

SYSTEMS, METHODS, AND DEVICES FOR RISK AWARE AND ADAPTIVE ENDPOINT SECURITY CONTROLS

Status: Non-Final OA §103
Filed: Sep 09, 2023
Examiner: AHMED, MAHABUB S
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: Sentinelone Inc.
OA Round: 3 (Non-Final)

Grant Probability: 86% (Favorable)
OA Rounds: 3-4
To Grant: 2y 7m
With Interview: 93%

Examiner Intelligence

Career Allow Rate: 86% (247 granted / 289 resolved; +27.5% vs TC avg); grants above average
Interview Lift: +7.8% (moderate, about +8%); measured on resolved cases with vs without interview
Avg Prosecution: 2y 7m (typical timeline); 17 applications currently pending
Total Applications: 306 across all art units (career history)

Statute-Specific Performance

§101: 17.3% (-22.7% vs TC avg)
§103: 35.4% (-4.6% vs TC avg)
§102: 10.9% (-29.1% vs TC avg)
§112: 18.4% (-21.6% vs TC avg)
Comparison is against the Tech Center average estimate; based on career data from 289 resolved cases.

Office Action

§103
DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This office action is in response to communication filed on 02/04/2026.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/04/2026 has been entered.

Status of claims in the instant application: Claims 1-20 are pending. No claim has been canceled. No new claim has been added. Claims 1, 9 and 17 have been amended.

Information Disclosure Statement

The Information Disclosure Statement (IDS) filed on 02/04/2026 has been considered, and signed copies of the IDS forms have been attached to this office action.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 6-9, 11-12, 14-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pat. No. US 8806638 B1 to Mani (hereinafter “Mani”) in view of Pub. No. US 20180365412 A1 to Israel et al. (hereinafter “Israel”).

Regarding Claim 1. Mani discloses a computer-implemented method for automatically applying a security policy in response to a security threat (Mani, Abstract, FIG. 3, col.6, ln.17-60: … A computer-implemented method for protecting networks from infected computing devices may include providing a computing system with a first level of access to a network. The method may also include determining that the computing system is infected with malware. The method may further include determining that the computing system cannot autonomously neutralize the malware. The method may additionally include modifying by an endpoint management system a network access control policy that controls network access of the first computing system … GUI 400 may include several tabs or buttons for accessing different console pages within the endpoint management system. These console pages may include a home page, monitors, reports, policies, clients, and administrators, with respective buttons 402, 404, 406, 408, 410, and 412, as shown in FIG. 4 … The policies page may enable the user to manage network access control policy enforcement, host integrity checking, and automated remediation for all clients … ) comprising: detecting, by an agent running on a first computing system, information indicative of a security threat, wherein the first computing system is operating with a first security policy (Mani, col.9, ln.42-53: … Returning to FIG. 3, at step 304 one or more of the systems described herein may determine that the computing system is infected with malware. For example, at step 304, determining module 106 may determine that computing system 202 is infected with malware. Computing system 202 and/or an endpoint management server may set a flag upon detecting that the computing system is infected with malware. Such a flag may be read by an endpoint management system when determining whether to modify network access rights of computing system 202, as discussed in greater detail in connection with step 308 …), [wherein the first security policy includes rules related to two or more of: network connectivity, USB device usage, SD card usage, Bluetooth usage, Thunderbolt usage, writing to external storage, reading from external storage, allowed applications, or blocked applications];

However, Mani does not explicitly teach, but Israel from the same or similar field of endeavor teaches: “wherein the first security policy includes rules related to two or more of: network connectivity, USB device usage, SD card usage, Bluetooth usage, Thunderbolt usage, writing to external storage, reading from external storage, allowed applications, or blocked applications (Israel, Abstract: … Methods, systems, and apparatuses are provided for managing an execution of applications in a computing environment. A whitelist list of applications that are permitted to execute in a computing environment is obtained. For one or more of the applications on the whitelist, a temporal rule is assigned that specifies a time period in which the application is permitted to execute in the computing environment. For instance, the temporal rule may be obtained via a user input or may be determined automatically by analyzing an execution history of the application. Applications are permitted to execute in the computing environment during the time period specified by the temporal rule, and are prevented from executing outside of the time period. By restricting the time period in which an application can execute, the overall vulnerability to malware attacks in a computing environment may be reduced …)”

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Israel into the teachings of Mani, because it discloses that, “Embodiments described herein overcome these issues by, instead of permitting applications on a whitelist to execute freely on a device, assigning and enforcing a rule for each whitelisted application that specifies one or more time periods during which the application may execute. The time period(s) during which the application is permitted to execute may be assigned, for example and without limitation, through a user interface or automatically based on a prior execution history of the whitelisted application. By assigning time period(s) during which an application is permitted to execute, a system can block any attempts to execute the application outside of the time period(s), thereby reducing the risk that an unauthorized execution takes place (Israel, Para [0027])”.
Mani further discloses: “sending, from the first computing system to a second computing system via a network connection, an indication of the security threat (Mani, col.10, ln.32-61: … At step 706, an administrative user and/or determining module 106 (or another module in system 100) may identify a recipient (e.g., an end-point management system) of a report indicating that the computing system is infected with malware. The user may designate the recipient using a graphical user interface, such as GUI 400 (i.e. by typing an email address). Determining module 106 may identify the recipient according to default settings or report settings designated in an endpoint management system. At step 708, determining module 106 may transmit the report to the receiver identified at step 706 …); receiving, by the first computing system from the second computing system via the network connection, an indication of a second security policy to apply (Mani, col.2, ln.45-67, col.3, ln.17-60: … a method for protecting networks from infected computing devices may include: 1) providing a computing system with a first level of access to a network, the computing system being managed by an endpoint management system that controls the computing system's access to the network; 2) determining that the computing system is infected with malware; 3) determining that the computing system cannot autonomously neutralize the malware; and 4) in response to the determining that the computing system cannot autonomously neutralize the malware, modifying by the endpoint management system a network access control policy to alter the computing system's first level of access to the network to a second level of access to the network, the second level providing more limited access to the network than the first level … Altering the computing system's first level of access to the network to a second level of access to the network may include transmitting a firewall policy to the computing system. The firewall policy may restrict the level of access between the computing system and the network …); and [automatically] applying, by the agent, the second security policy to the first computing system (Mani, col.12, ln.23-67: … Returning to FIG. 3, at step 308 one or more of the systems described herein may modify a network access control policy to alter the computing system's first level of access to the network to a second level of access to the network. The second level of access may be more limiting than the first level. For example, at step 308, access control module 104 may modify a network access control policy associated with computing system 202 to alter computing system 202's first level of access to the network to a second level of access to the network … Access control module 104 may perform step 308 in a variety of manners. For example, access control module 104 may apply a second firewall policy the computing system 202. The second firewall policy may be more limiting than the first firewall policy discussed above regarding FIG. 6. The second firewall policy may effectively quarantine computing system 202 from any computing system that may be vulnerable to infection from the infected computing system while maintaining a connection, or limited connection, to the endpoint management server …).”

Israel further discloses: “automatically applying the second security policy to the first computing system (Israel, Para [0027, 0039], FIG. 2: … Embodiments described herein overcome these issues by, instead of permitting applications on a whitelist to execute freely on a device, assigning and enforcing a rule for each whitelisted application that specifies one or more time periods during which the application may execute. The time period(s) during which the application is permitted to execute may be assigned, for example and without limitation, through a user interface or automatically based on a prior execution history of the whitelisted application. By assigning time period(s) during which an application is permitted to execute, a system can block any attempts to execute the application outside of the time period(s), thereby reducing the risk that an unauthorized execution takes place …)”. The motivation to further combine Israel remains the same as before.

Regarding Claim 3. The combination of Mani-Israel discloses the computer-implemented method of Claim 1. Mani further discloses, “wherein the indication of the second security policy to apply comprises the second security policy (Mani, col.13, ln.53-61: … Server 602 may transmit the second firewall policy to computing system 608. Additionally, or alternatively, server 602 may transmit an instruction to computing system 608 to apply a firewall policy already present, but inactive, at computing system 608. Alternatively, access control module 104 may be present at computing system 608 and may autonomously decide to apply a local firewall policy, or request the second firewall policy from a remote location, without intervention from server 602 …)”.

Regarding Claim 4. The combination of Mani-Israel discloses the computer-implemented method of Claim 1. Mani further discloses, “wherein the indication of the second security policy to apply comprises an identifier of the second security policy, wherein the second security policy is stored on the first computing system (Mani, col.13, ln.53-61; col.14, ln.35-56: … The second firewall policy may be selected by access control module 104 from a database of firewall policies, such as firewalls database 122. Access control module 104 may select the second firewall policy based on factors including the estimated degree of infection of any and/or each computing system affected by the firewall policy (i.e. the computing system where the policy is applied and all systems connected to it), the estimated degree of vulnerability to infection of any and/or each computing system affected by the firewall policy, the nature of the malware as best identified, and/or the estimated degree of effectiveness of any and/or each trigger or setting within the firewall policy in neutralizing or quarantining the identified malware … Server 602 may transmit the second firewall policy to computing system 608. Additionally, or alternatively, server 602 may transmit an instruction to computing system 608 to apply a firewall policy already present, but inactive, at computing system 608. Alternatively, access control module 104 may be present at computing system 608 and may autonomously decide to apply a local firewall policy, or request the second firewall policy from a remote location, without intervention from server 602 …)”.

Regarding Claim 6. The combination of Mani-Israel discloses the computer-implemented method of Claim 1. Mani further discloses, “wherein the second security policy comprises a group policy object (Mani, col.7, ln.57-62: … A group (i.e. of computers and/or users) managed by the endpoint management system may inherit firewall settings from a parent group from which the group depends. In that case, a user and/or access control module 104 may designate whether the parent or subgroup rules take precedence (i.e. in order of execution or in event of conflict). …)”.

Regarding Claim 7.
The combination of Mani-Israel discloses the computer-implemented method of Claim 1. Mani further discloses, “wherein the information indicative of the security threat comprises monitoring data (Mani, col.9, ln.54-col.10, ln.12: … Determining module 106 may determine that computing system 202 is infected with malware in a variety of ways that may generally be divided into two categories: 1) detecting diminished system performance without detecting explicit evidence of malware and 2) detecting explicit evidence of malware. Diminished system performance may include, for example, slower processing or disk access, or greater processor or disk utilization, as well as a greater number of shutdowns, errors, and/or blue screens. Explicit evidence of malware may include evidence of files and/or settings created or generated by malware, evidence of files and/or settings placed into a state by malware that implicates the malware, and/or evidence of malware files themselves (e.g., a hash or fingerprint of a file on computing system 202 may match a hash or fingerprint of a known malware file), …)”, and wherein the second computing system is configured to analyze the monitoring data and determine that a security threat is present on the first computing system (Mani, col.14, ln.35-56: The second firewall policy may be selected by access control module 104 from a database of firewall policies, such as firewalls database 122. Access control module 104 may select the second firewall policy based on factors including the estimated degree of infection of any and/or each computing system affected by the firewall policy (i.e. the computing system where the policy is applied and all systems connected to it), the estimated degree of vulnerability to infection of any and/or each computing system affected by the firewall policy, the nature of the malware as best identified, and/or the estimated degree of effectiveness of any and/or each trigger or setting within the firewall policy in neutralizing or quarantining the identified malware. The triggers, rules, types of blocked packets, and/or degree of connectivity between the infected computing system and any other computing system may be tailored for, and specified by, the second firewall policy, based on these factors. The second firewall policy may also be built or created by access control module 104, instead of being selected from a database, by designating triggers and/or settings, such as those discussed above regarding FIG. 5, based on any or each of the factors identified in the preceding paragraph …)”.

Regarding Claim 8. The combination of Mani-Israel discloses the computer-implemented method of Claim 1. Mani further discloses, “wherein the information indicative of the security threat comprises an indication that the agent has detected a security threat on the first computing system (Mani, col.10, ln.32-42: … At step 706, an administrative user and/or determining module 106 (or another module in system 100) may identify a recipient (e.g., an end-point management system) of a report indicating that the computing system is infected with malware. The user may designate the recipient using a graphical user interface, such as GUI 400 (i.e. by typing an email address). Determining module 106 may identify the recipient according to default settings or report settings designated in an endpoint management system. At step 708, determining module 106 may transmit the report to the receiver identified at step 706 …), wherein the agent is configured to analyze monitoring data and determine that a security threat is present on the first computing system (Mani, col.9, ln.54-col.10, ln.12: … Determining module 106 may determine that computing system 202 is infected with malware in a variety of ways that may generally be divided into two categories: 1) detecting diminished system performance without detecting explicit evidence of malware and 2) detecting explicit evidence of malware. Diminished system performance may include, for example, slower processing or disk access, or greater processor or disk utilization, as well as a greater number of shutdowns, errors, and/or blue screens. Explicit evidence of malware may include evidence of files and/or settings created or generated by malware, evidence of files and/or settings placed into a state by malware that implicates the malware, and/or evidence of malware files themselves (e.g., a hash or fingerprint of a file on computing system 202 may match a hash or fingerprint of a known malware file). The evidence may implicate a particular species or strain of malware, a general family of malware, a class or type of malware, and/or may simply implicate malware in general …)”.

Regarding Claim 9. Mani discloses a computer-implemented method for automatically applying a security policy in response to a security threat (Mani, Abstract, FIG. 3, col.6, ln.17-60: … A computer-implemented method for protecting networks from infected computing devices may include providing a computing system with a first level of access to a network. The method may also include determining that the computing system is infected with malware. The method may further include determining that the computing system cannot autonomously neutralize the malware. The method may additionally include modifying by an endpoint management system a network access control policy that controls network access of the first computing system … GUI 400 may include several tabs or buttons for accessing different console pages within the endpoint management system. These console pages may include a home page, monitors, reports, policies, clients, and administrators, with respective buttons 402, 404, 406, 408, 410, and 412, as shown in FIG. 4 … The policies page may enable the user to manage network access control policy enforcement, host integrity checking, and automated remediation for all clients … ) comprising: receiving, by a first computing system from a second computing system via a network connection, information indicative of a security threat present on the second computing system (Mani, col.10, ln.32-42: At step 706, an administrative user and/or determining module 106 (or another module in system 100) may identify a recipient (e.g., an end-point management system) of a report indicating that the computing system is infected with malware. The user may designate the recipient using a graphical user interface, such as GUI 400 (i.e. by typing an email address). Determining module 106 may identify the recipient according to default settings or report settings designated in an endpoint management system. At step 708, determining module 106 may transmit the report to the receiver identified at step 706 …), wherein the second computing system is operating with a first security policy (Mani, col.5, ln.65-col.6, ln.13: … Access control module 104 may provide computing system 202 with a first level of access to network 204 in a variety of ways. For example, access control module 104 may provide a network access control policy that indicates one or more network access permissions of computing system 202. The network access control policy may be a security policy of a firewall and/or a policy of any other network access control mechanism. The first level of access to the network may be the level of access provided by a conventional firewall in a corporate or enterprise setting when no malware infection is detected at the computing system. The first level of access may be, therefore, greater than a second level of access discussed more below. Providing a first level of access to the network may more generally include the allowing network communications between computing system 202 and one or more other nodes connected to network 204 …), [wherein the first security policy includes rules related to two or more of: network connectivity, USB device usage, SD card usage, Bluetooth usage, Thunderbolt usage, writing to external storage, reading from external storage, allowed applications, or blocked applications];

However, Mani does not explicitly teach, but Israel from the same or similar field of endeavor teaches: “wherein the first security policy includes rules related to two or more of: network connectivity, USB device usage, SD card usage, Bluetooth usage, Thunderbolt usage, writing to external storage, reading from external storage, allowed applications, or blocked applications (Israel, Abstract: … Methods, systems, and apparatuses are provided for managing an execution of applications in a computing environment. A whitelist list of applications that are permitted to execute in a computing environment is obtained. For one or more of the applications on the whitelist, a temporal rule is assigned that specifies a time period in which the application is permitted to execute in the computing environment. For instance, the temporal rule may be obtained via a user input or may be determined automatically by analyzing an execution history of the application. Applications are permitted to execute in the computing environment during the time period specified by the temporal rule, and are prevented from executing outside of the time period. By restricting the time period in which an application can execute, the overall vulnerability to malware attacks in a computing environment may be reduced …)”

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Israel into the teachings of Mani, because it discloses that, “Embodiments described herein overcome these issues by, instead of permitting applications on a whitelist to execute freely on a device, assigning and enforcing a rule for each whitelisted application that specifies one or more time periods during which the application may execute. The time period(s) during which the application is permitted to execute may be assigned, for example and without limitation, through a user interface or automatically based on a prior execution history of the whitelisted application. By assigning time period(s) during which an application is permitted to execute, a system can block any attempts to execute the application outside of the time period(s), thereby reducing the risk that an unauthorized execution takes place (Israel, Para [0027])”.

determining, by the first computing system using the information indicative of the security threat present on the second computing system, a second security policy to apply on the second computing system (Mani, col.13, ln.53-61; col.14, ln.35-56: … Server 602 may transmit the second firewall policy to computing system 608. Additionally, or alternatively, server 602 may transmit an instruction to computing system 608 to apply a firewall policy already present, but inactive, at computing system 608. Alternatively, access control module 104 may be present at computing system 608 and may autonomously decide to apply a local firewall policy, or request the second firewall policy from a remote location, without intervention from server 602 … The second firewall policy may be selected by access control module 104 from a database of firewall policies, such as firewalls database 122. Access control module 104 may select the second firewall policy based on factors including the estimated degree of infection of any and/or each computing system affected by the firewall policy (i.e. the computing system where the policy is applied and all systems connected to it), the estimated degree of vulnerability to infection of any and/or each computing system affected by the firewall policy, the nature of the malware as best identified, and/or the estimated degree of effectiveness of any and/or each trigger or setting within the firewall policy in neutralizing or quarantining the identified malware. The triggers, rules, types of blocked packets, and/or degree of connectivity between the infected computing system and any other computing system may be tailored for, and specified by, the second firewall policy, based on these factors. The second firewall policy may also be built or created by access control module 104, instead of being selected from a database, by designating triggers and/or settings, such as those discussed above regarding FIG. 5, based on any or each of the factors identified in the preceding paragraph …); and sending, from the first computing system to the second computing system via the network connection, an indication of the second security policy to apply (Mani, col.13, ln.53-61; col.14, ln.57-col.15, ln.4: … Server 602 may transmit the second firewall policy to computing system 608. Additionally, or alternatively, server 602 may transmit an instruction to computing system 608 to apply a firewall policy already present, but inactive, at computing system 608. Alternatively, access control module 104 may be present at computing system 608 and may autonomously decide to apply a local firewall policy, or request the second firewall policy from a remote location, without intervention from server 602 … In the above discussion, an endpoint management system server, such as server 1102, may generally determine that the computing system cannot autonomously neutralize the malware. The server may then transmit the second firewall policy to provide a limited quarantine of the infected computing system, thereby protecting the network from further infection. Alternatively, and as discussed above, all of the modules of system 100 and the functionality of applying the second firewall policy based on the above-described determinations may be performed by the infected computing system itself without cooperation from an endpoint management server. Thus, an infected computing system may autonomously determine that it cannot neutralize malware and thereby apply a more limiting firewall policy, or request, receive, and then apply a more limiting firewall policy …), [wherein the second computing system is configured to automatically apply the second security policy].”

Israel further discloses: “wherein the second computing system is configured to automatically apply the second security policy (Israel, Para [0027, 0039, 0080], FIG. 2: … Embodiments described herein overcome these issues by, instead of permitting applications on a whitelist to execute freely on a device, assigning and enforcing a rule for each whitelisted application that specifies one or more time periods during which the application may execute. The time period(s) during which the application is permitted to execute may be assigned, for example and without limitation, through a user interface or automatically based on a prior execution history of the whitelisted application. By assigning time period(s) during which an application is permitted to execute, a system can block any attempts to execute the application outside of the time period(s), thereby reducing the risk that an unauthorized execution takes place … In an alternative embodiment involving a managing computing device, an administrator of managing computing device 420 may disable a temporal rule implemented on one or more computing device(s) 540. For example, an administrator may interact with temporal application whitelisting UI 430 to remotely disable a temporal rule. In such an embodiment, temporal rule disabler 466 disables the rule and a new or updated set of temporal rules 436 may be transmitted to computing device(s) 540 …)”. The motivation to further combine Israel remains the same as before.

Regarding Claim 11. The combination of Mani-Israel discloses the computer-implemented method of Claim 9. Mani further discloses, “wherein the indication of the second security policy to apply comprises the second security policy (Mani, col.13, ln.53-61; col.14, ln.57-col.15, ln.4: … Server 602 may transmit the second firewall policy to computing system 608. Additionally, or alternatively, server 602 may transmit an instruction to computing system 608 to apply a firewall policy already present, but inactive, at computing system 608. Alternatively, access control module 104 may be present at computing system 608 and may autonomously decide to apply a local firewall policy, or request the second firewall policy from a remote location, without intervention from server 602 … In the above discussion, an endpoint management system server, such as server 1102, may generally determine that the computing system cannot autonomously neutralize the malware. The server may then transmit the second firewall policy to provide a limited quarantine of the infected computing system, thereby protecting the network from further infection …)”.

Regarding Claim 12.
The combination of Mani-Israel discloses the computer-implemented method of Claim 9. Mani further discloses, “wherein the indication of the second security policy to apply comprises an identifier of the second security policy, wherein the second security policy is stored on the second computing system (Mani, col.13, ln.53-61; col.14, ln.35-56: … Server 602 may transmit the second firewall policy to computing system 608. Additionally, or alternatively, server 602 may transmit an instruction to computing system 608 to apply a firewall policy already present, but inactive, at computing system 608. Alternatively, access control module 104 may be present at computing system 608 and may autonomously decide to apply a local firewall policy, or request the second firewall policy from a remote location, without intervention from server 602 … The second firewall policy may be selected by access control module 104 from a database of firewall policies, such as firewalls database 122. Access control module 104 may select the second firewall policy based on factors including the estimated degree of infection of any and/or each computing system affected by the firewall policy (i.e. the computing system where the policy is applied and all systems connected to it), the estimated degree of vulnerability to infection of any and/or each computing system affected by the firewall policy, the nature of the malware as best identified, and/or the estimated degree of effectiveness of any and/or each trigger or setting within the firewall policy in neutralizing or quarantining the identified malware …)”.

Regarding Claim 14. The combination of Mani-Israel discloses the computer-implemented method of Claim 9. Mani further discloses, “wherein the second security policy comprises a group policy object (Mani, col.7, ln.57-62: … A group (i.e. of computers and/or users) managed by the endpoint management system may inherit firewall settings from a parent group from which the group depends. In that case, a user and/or access control module 104 may designate whether the parent or subgroup rules take precedence (i.e. in order of execution or in event of conflict) …)”.

Regarding Claim 15. The combination of Mani-Israel discloses the computer-implemented method of Claim 9. Mani further discloses, “wherein the information indicative of the security threat comprises monitoring data, and wherein the first computing system is configured to analyze the monitoring data and determine that a security threat is present on the second computing system (Mani, col.9, ln.54-col.10, ln.12; col.14, ln.35-56: … Determining module 106 may determine that computing system 202 is infected with malware in a variety of ways that may generally be divided into two categories: 1) detecting diminished system performance without detecting explicit evidence of malware and 2) detecting explicit evidence of malware. Diminished system performance may include, for example, slower processing or disk access, or greater processor or disk utilization, as well as a greater number of shutdowns, errors, and/or blue screens. Explicit evidence of malware may include evidence of files and/or settings created or generated by malware, evidence of files and/or settings placed into a state by malware that implicates the malware, and/or evidence of malware files themselves (e.g., a hash or fingerprint of a file on computing system 202 may match a hash or fingerprint of a known malware file) ... The second firewall policy may be selected by access control module 104 from a database of firewall policies, such as firewalls database 122. Access control module 104 may select the second firewall policy based on factors including the estimated degree of infection of any and/or each computing system affected by the firewall policy (i.e. the computing system where the policy is applied and all systems connected to it), the estimated degree of vulnerability to infection of any and/or each computing system affected by the firewall policy, the nature of the malware as best identified, and/or the estimated degree of effectiveness of any and/or each trigger or setting within the firewall policy in neutralizing or quarantining the identified malware. The triggers, rules, types of blocked packets, and/or degree of connectivity between the infected computing system and any other computing system may be tailored for, and specified by, the second firewall policy, based on these factors. The second firewall policy may also be built or created by access control module 104, instead of being selected from a database, by designating triggers and/or settings, such as those discussed above regarding FIG. 5, based on any or each of the factors identified in the preceding paragraph …)”.

Regarding Claim 16. The combination of Mani-Israel discloses the computer-implemented method of Claim 9. Mani further discloses, “wherein the information indicative of the security threat comprises an indication that an agent running on the second computing system has detected a security threat on the second computing system (Mani, col.9, ln.43-53; col.13, ln.10-17; col.10, ln.32-42: … Returning to FIG. 3, at step 304 one or more of the systems described herein may determine that the computing system is infected with malware. For example, at step 304, determining module 106 may determine that computing system 202 is infected with malware. Computing system 202 and/or an endpoint management server may set a flag upon detecting that the computing system is infected with malware.
Such a flag may be read by an endpoint management system when determining whether to modify network access rights of computing system 202, as discussed in greater detail in connection with step 308 … In view of the above, access control module 104 at server 602 and/or computing system 608 (or another remote system connected to system 608) has applied a second firewall policy at computing system 608. The second firewall policy may replace a first firewall policy, as discussed above regarding FIG. 6, may be the first firewall policy to be applied to computing system 608 (i.e. the system was previously exposed), and or may be a modified version of a first firewall policy.") has detected a security threat on the second computing system (report of threat; … At step 706, an administrative user and/or determining module 106 (or another module in system 100) may identify a recipient (e.g., an end-point management system) of a report indicating that the computing system is infected with malware. The user may designate the recipient using a graphical user interface, such as GUI 400 (i.e. by typing an email address). Determining module 106 may identify the recipient according to default settings or report settings designated in an endpoint management system. At step 708, determining module 106 may transmit the report to the receiver identified at step 706 …), wherein the agent is configured to analyze monitoring data and determine that a security threat is present on the second computing system (Mani, col. 9, In 54-col.10, In 12: … Determining module 106 may determine that computing system 202 is infected with malware in a variety of ways that may generally be divided into two categories: 1) detecting diminished system performance without detecting explicit evidence of malware and 2) detecting explicit evidence of malware. 
Diminished system performance may include, for example, slower processing or disk access, or greater processor or disk utilization, as well as a greater number of shutdowns, errors, and/or blue screens. Explicit evidence of malware may include evidence of files and/or settings created or generated by malware, evidence of files and/or settings placed into a state by malware that implicates the malware, and/or evidence of malware files themselves (e.g., a hash or fingerprint of a file on computing system 202 may match a hash or fingerprint of a known malware file). The evidence may implicate a particular species or strain of malware, a general family of malware, a class or type of malware, and/or may simply implicate malware in general …)”. Regarding Claim 17. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1. *** Note: Mani also discloses computer-readable medium storing instructions that are executed by a computer to perform the claimed functions (Mani: FIG. 11) Regarding Claim 19. This claim contains all the same or similar limitations as claim 7, and hence similarly rejected as claim 7. Regarding Claim 20. This claim contains all the same or similar limitations as claim 8, and hence similarly rejected as claim 8. Claims 2, 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pat. No.: US 8806638 B1 to Mani (hereinafter “Mani”) in view of Pub. No.: US 20180365412 A1 to Israel et al. (hereinafter “Israel”), as applied to claim 1 above, and further in view of Pub. No.: US 20230308460 A1 to Thomas et al. (hereinafter “Thomas”). Regarding Claim 2. 
(Previously Presented) The combination of Mani-Israel discloses the computer-implemented method of claim 1 but does not explicitly teach the following, which Thomas, from the same or similar field of endeavor, teaches: “further comprising: determining, by the agent running on the first computing system, that the security threat has been eliminated (Thomas, Abstract, Para [0344-0346]: … In another aspect, the platform may be used to mitigate phishing attacks or other malicious activity deployed through electronic mail or similar communications media. For example, a local security agent on a managed device may identify an electronic mail with a suspicious or potentially risky hyperlink or communication. The local security agent may remove or disable this content …); sending, from the first computing system to the second computing system via the network connection, an indication that the security threat has been eliminated (Thomas, Abstract, Para [0344-0346]: … In another aspect, the platform may be used to mitigate phishing attacks or other malicious activity deployed through electronic mail or similar communications media. For example, a local security agent on a managed device may identify an electronic mail with a suspicious or potentially risky hyperlink or communication. The local security agent may remove or disable this content, and notify the threat management facility which may, in response, send a notification and user interaction to one or more other managed devices of the user …); receiving, by the first computing system from the second computing system via the network connection, an indication to apply the first security policy (Thomas, Abstract, Para [0249]: … As shown in step 1806, the method 1800 may include communicating with local security agents on the compute instances through a second interface of the threat management facility, e.g., to deploy security measures or otherwise coordinate security policies and the like within the enterprise network, such as by delivering patches, dictionary updates, and remediations to compute instances from remote providers of security services …); and applying, by the agent on the first computing system, the first security policy (Thomas, Abstract, Para [0067, 0084]: … In an embodiment, security management facility 122 may provide for web security and control, for example, to detect or block viruses, spyware, malware, unwanted applications, help control web browsing, and the like, which may provide comprehensive web access control enabling safe, productive web browsing. Web security and control may provide Internet use policies, reporting on suspect compute instances, security and content filtering, active monitoring of network traffic, URI filtering, and the like. Aspects of the web security and control may be provided, for example, in the security agent of an endpoint 12 …).”

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thomas into the combined teachings of Mani-Israel, because Thomas discloses that, “In embodiments, information may be sent from the enterprise facility 102 to a third party, such as a security vendor, or the like, which may lead to improved performance of the threat management facility 100. In general, feedback may be useful for any aspect of threat detection. For example, the types, times, and number of virus interactions that an enterprise facility 102 experiences may provide useful information for the preventions of future virus threats. Feedback may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like. In embodiments, feedback may enable the evaluation or profiling of client actions that are violations of policy that may provide a predictive model for the improvement of enterprise policies (Thomas, Para [0071])”.

Regarding Claim 10. (Previously Presented) The combination of Mani-Israel discloses the computer-implemented method of claim 9 but does not explicitly teach the following, which Thomas, from the same or similar field of endeavor, teaches: “further comprising: receiving, by the first computing system from the second computing system via the network connection, an indication that the security threat has been eliminated (Thomas, Abstract, Para [0344-0346]: … In another aspect, the platform may be used to mitigate phishing attacks or other malicious activity deployed through electronic mail or similar communications media. For example, a local security agent on a managed device may identify an electronic mail with a suspicious or potentially risky hyperlink or communication. The local security agent may remove or disable this content, and notify the threat management facility which may, in response, send a notification and user interaction to one or more other managed devices of the user …); and sending, from the first computing system to the second computing system via the network connection, an indication to apply the first security policy (Thomas, Abstract, Para [0249]: … As shown in step 1806, the method 1800 may include communicating with local security agents on the compute instances through a second interface of the threat management facility, e.g., to deploy security measures or otherwise coordinate security policies and the like within the enterprise network, such as by delivering patches, dictionary updates, and remediations to compute instances from remote providers of security services …).”

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thomas into the combined teachings of Mani-Israel, because Thomas discloses that, “In embodiments, information may be sent from the enterprise facility 102 to a third party, such as a security vendor, or the like, which may lead to improved performance of the threat management facility 100. In general, feedback may be useful for any aspect of threat detection. For example, the types, times, and number of virus interactions that an enterprise facility 102 experiences may provide useful information for the preventions of future virus threats. Feedback may also be associated with behaviors of individuals within the enterprise, such as being associated with most common violations of policy, network access, unauthorized application loading, unauthorized external device use, and the like. In embodiments, feedback may enable the evaluation or profiling of client actions that are violations of policy that may provide a predictive model for the improvement of enterprise policies (Thomas, Para [0071])”.

Regarding Claim 18. This claim contains all the same or similar limitations as claim 2, and hence is similarly rejected as claim 2.
Allowable Subject Matter

Claims 5 and 13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with. See 37 CFR 1.111(b) and MPEP § 707.07(a). Applicant’s response needs to properly address all the rejections/objections. All the independent claims are to be made similar in scope should the Applicant amend the claims as noted above; reasons for allowance will be furnished upon allowance.

Pertinent Prior Art

The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

US 9118708 B2; Oliphant et al.: Oliphant discloses a system, method, and computer program product for a database associating a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities. Each of the device vulnerabilities is associated with at least one remediation technique. Each remediation technique associated with a particular device vulnerability remediates that particular vulnerability. Further, each remediation technique has a remediation type selected from the type group consisting of patch, policy setting, and configuration option. Still yet, a first one of the device vulnerabilities is associated with at least two alternative remediation techniques. The system disclosed is operable such that the first mitigation technique and the second mitigation technique involve policy options that are capable of being automatically applied to user-selected multiple devices at once, and are further capable of being applied such that only the first mitigation technique is automatically applied to first user-selected multiple devices, only the second mitigation technique is automatically applied to second user-selected multiple devices, and both the first mitigation technique and the second mitigation technique are automatically applied to third user-selected multiple devices.

US 20180343281 A1; Ahuja et al.: Ahuja discloses systems, methods, and apparatuses for updating security policies in response to detecting attack activity or security threats. In an embodiment, security microservices detect attack activity sent between resources within an internal network. In response, the security microservices correlate the attack activity to externally accessible resources that were the initial entry point for the attack activity to the internal network. Based on this correlation, the security microservices update security policies bi-directionally to prevent the spread of future attack activity in the internal network between resources at a same level in the internal network and between resources at different levels in the internal network. Embodiments described herein generally relate to network security. In particular, embodiments described herein generally relate to systems and methods for updating security policies for network traffic based on detecting activity.

US 20180091553 A1; Mandyam et al.: Mandyam discloses methods, devices, and non-transitory processor-readable storage media enabling dynamically modifying the polling frequency of endpoint devices within an endpoint protection system. Various embodiments may include determining, by an endpoint device of a network environment, whether communication device endpoint protection is active on the endpoint device. That is, the endpoint device may check to ensure that anomaly detection software, device health monitors, or other malware detection is in active operation. The endpoint device may adjust, modify, or alter the frequency with which it transmits polling messages to a network server based, at least in part, on a result of the determination as to whether communication device endpoint protection is active. For example, if the endpoint device determines that communication device endpoint protection is active, the endpoint device may reduce the polling frequency.

US 20200389432 A1; Panchalingam et al.: Panchalingam discloses application-centric enforcement for multi-tenant workloads with multi-site data center fabrics by: receiving, at a local switch at a first site, a packet from a first host at the first site intended for a second host located at a second site; identifying class identifiers (ID) for the hosts; determining, based on the class IDs, a security policy for transmitting data between the hosts; in response to determining that the security policy indicated that the second site exclusively manages security policies for the hosts' network: setting a policy applied indicator on the packet indicating that enforcement of the security policy is delegated from the first switch to a second switch connected to the second host; including the class IDs in the packet; and transmitting the packet to the second site. Embodiments presented in this disclosure generally relate to network fabrics with sites located at different geographic locations from one another that serve multiple tenants. More specifically, embodiments disclosed herein relate to implementing security policies for a given tenant at multiple sites across a network fabric.
US 20210203699 A1; Schmugar: Schmugar discloses methods, systems, and media for protecting computer systems from user-created objects. In some embodiments, the method comprises: detecting, at a second user device, that an object has been accessed on the second user device; determining whether an exception has occurred by scanning the object on the second user device; in response to determining that the exception has occurred, transmitting, from the second user device to a server, a request for a security policy to be applied by the second user device in connection with the object, wherein the request includes an identifier of the object; receiving, from the server, the security policy; determining, based on the security policy, that the object was created by a first user device associated with an organization the second user device is also associated with; determining whether to allow the object to be accessed by the second user device based on the security policy; and in response to determining that the object is allowed to be accessed, allowing the object to be accessed on the second user device.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. The examiner can normally be reached 9AM-5PM EST M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR, can be reached at (571)270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAHABUB S AHMED/ Examiner, Art Unit 2434
/TESHOME HAILU/ Primary Examiner, Art Unit 2434

Prosecution Timeline

Sep 09, 2023: Application Filed
Apr 16, 2025: Non-Final Rejection — §103
Jul 21, 2025: Response Filed
Oct 06, 2025: Final Rejection — §103
Feb 04, 2026: Request for Continued Examination
Feb 15, 2026: Response after Non-Final Action
Mar 10, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology:

Patent 12591864: METHODS AND SYSTEMS FOR THE EFFICIENT TRANSFER OF ENTITIES ON A BLOCKCHAIN (2y 5m to grant; granted Mar 31, 2026)
Patent 12574393: CYBER SECURITY SYSTEM UTILIZING INTERACTIONS BETWEEN DETECTED AND HYPOTHESIZE CYBER-INCIDENTS (2y 5m to grant; granted Mar 10, 2026)
Patent 12574370: VERIFYING PARTY IDENTITIES FOR SECURE TRANSACTIONS (2y 5m to grant; granted Mar 10, 2026)
Patent 12563053: METHODS AND SYSTEMS FOR FRAUD DETECTION USING RELATIVE MOVEMENT OF FACIAL FEATURES (2y 5m to grant; granted Feb 24, 2026)
Patent 12542662: APPARATUS AND METHOD FOR FEDERATED LEARNING BASED ON GROUP KEY (2y 5m to grant; granted Feb 03, 2026)
Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 86%
With Interview: 93% (+7.8%)
Median Time to Grant: 2y 7m
PTA Risk: High

Based on 289 resolved cases by this examiner. Grant probability derived from career allow rate.