Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are pending in this office action. Claims 2-3, 9-10 and 12 have been canceled. Claims 19-20 are newly added.
Applicant’s arguments, filed 02/10/2021 and in the corresponding RCE filed 02/24/2021, have been fully considered but they are not persuasive.

Priority
No foreign priority is claimed. Priority is claimed to provisional application filed on 11/27/2017.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth 02/24/2021 has been entered.

Response to Arguments
Applicant presents arguments regarding the presence or absence of claimed limitations in the prior art. Applicant has amended the claims and added new claims. The applicable new grounds of rejection are outlined below.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 4-6, 8, 11, 13, 15, 17 and 19-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Soeder (US 2017/0357805 A1).
For claim 1, Soeder teaches a system for preventing execution of malicious scripts, the system comprising: a protected computer having there installed an operating system (Fig. 1 elements 102/105 computing processor that is protected; para 0029-0030 – operating system and related service or mechanism in the OS are installed in the protected computer and perform tasks associated with script program execution); 
a script checking engine installed in the operating system, the script checking engine intercepts scripts that originate from application programs and are directed to be run by a script engine (Fig. 1 element 105; para 0015, 0019-0021, 0023, 0026, 0036 – script monitor and control script checking engine detecting and monitoring arrival of script associated with an API or coming from a program); 
the script checking engine receives the scripts and execution environment before execution by the script engine (para 0021, 0023, 0026, 0029 – scripts arrive at the script checking engine i.e. scripts are received by the engine, wherein the script document, and corresponding associated program are received along with runtime execution environment), 
the script checking engine determines if the scripts are malicious based upon a local origin of the script on the protected computer, and if the script checking engine determines that the scripts are not malicious based upon the local origin, the script checking engine passes the script to the script engine (para 0021-0023, 0030-0031, 0036 – various script contexts or relevant data including local origin such as temporary folder utilized for monitoring of scripts and determining scripts that are likely to be malicious which are prevented from further execution, and the scripts are allowed to execute if not found to be malicious).

For claim 4, Soeder teaches wherein the script checking engine determines that the script is malicious if the local origin of the script is from a temporary folder, the temporary folder in a persistent storage operatively coupled to the protected computer (para 0018, 0021, 0023, 0030-0031, 0036-0037 – various script contexts including local origin of temporary folder utilized for monitoring of scripts and determining malicious scripts, the files or folders stored in the storage).

For claim 5, Soeder teaches the system for preventing execution of malicious scripts of claim 4, and further teaches wherein the script checking engine determines that the script is malicious if the local origin of the script is a local program that is known to be used for launching malicious scripts (para 0015-0017, 0037-0042 – scripts launched by certain programs that are known to also launch or execute malicious scripts; para 0022, 0026, 0028, 0031, 0036 – script origination environment or programs such as VBE are monitored to determine that the launched script is malicious).

For claim 6, Soeder teaches wherein the script checking engine determines that the script is malicious if the local origin of the script is from an environment variable, the environment variable being from a run-time environment of the protected computer (para 0006, 0035-0037 – script file or document context information comprising file path, URL etc. that are environment variables that may change based on file/script locations, or in other words, these are context variables that define script context such as file path etc. corresponding to script execution in a run-time execution environment, wherein the origin such as temporary folder is indicated by file path).

For claim 8, Soeder teaches a method of preventing execution of malicious scripts, the method comprising: intercepting a script that originate from an application program running on a protected computer before directing the script to a script engine (Fig. 1 elements 102/105 computing processor that is protected; Fig. 1 element 105; para 0015, 0019-0021, 0023, 0026, 0030, 0036 – script monitor and control script checking engine detecting and monitoring arrival of script associated with an API or coming from a program, wherein scripts arrive at the script checking engine, and the script document, and corresponding associated program are received); 
determining if the script is malicious; the determining including determining a local origin of the script on the protected computer and declaring that the script is malicious based upon the local origin of the script, and if the script is not malicious, passing the script to the script engine (para 0021-0023, 0030-0031, 0036 – various script contexts or relevant data including local origin such as temporary folder utilized for monitoring of scripts and determining scripts that are likely to be malicious which are prevented from further execution, and the scripts are allowed to execute if not found to be malicious); and 
if the script is malicious, logging an attempt to execute a malicious script and informing about the attempt to execute the malicious script (para 0022-0023, 0049-0050 – script monitoring wherein the execution of malicious scripts may be noted (logged or recognized) in order to further partially or fully prevent the script from execution, wherein the backend server collects reports or information from the SMCs and alerts are logged or sent out based on determination).

For claim 11, Soeder teaches wherein the step of determining if the script is malicious includes determining if the local origin of the script is from a temporary folder, the temporary folder in a persistent storage operatively coupled to the protected computer, and if the local origin of the script is the temporary folder, the script is flagged as malicious (para 0018, 0021, 0023, 0030-0031, 0036-0037 – various script contexts including local origin of temporary folder utilized for monitoring of scripts and determining likelihood of malicious scripts and flagging or categorizing them as malicious or risky for execution, the files or folders stored in the storage).

For claim 13, Soeder teaches wherein the step of determining if the script is malicious includes determining if the local origin of the script is from an environment variable, the environment variable being from a run-time environment of the protected computer, and if the local origin of the script is the environment variable, the script is flagged as malicious (para 0006, 0035-0037 – script file or document context information comprising file path, URL etc. that are environment variables that may change based on file/script locations, or in other words, these are context variables that define script context such as file path etc. corresponding to script execution in a run-time execution environment, wherein the origin such as temporary folder is indicated by file path and determining likelihood of malicious scripts and flagging or categorizing them as malicious or risky for execution).

For claim 15, Soeder teaches a method of preventing execution of malicious scripts, the method comprising: intercepting a script that originate from an application program running on a protected computer before directing the script to a script engine (Fig. 1 elements 102/105 computing processor that is protected; Fig. 1 element 105; para 0015, 0019-0021, 0023, 0026, 0036 – script monitor and control script checking engine detecting and monitoring arrival of script associated with an API or coming from a program, wherein scripts arrive at the script checking engine, and the script document, and corresponding associated program are received); 
determining a local origin of the script on the protected computer; determining if the script is malicious by analyzing the local origin of the script and if the script originated from the group consisting of an environmental variable, a registry key, and a temporary folder, the script is malicious (para 0018, 0021, 0023, 0030-0031, 0036-0037 – various script contexts including the local origin (one origin) of temporary folder utilized for monitoring of scripts and determining malicious scripts, and flagging or categorizing them as malicious and risky for execution; para 0006, 0035-0037 – script file or document context information comprising file path, URL etc. that are environment variables that may change based on file/script locations, or in other words, these are context variables that define script context such as file path etc. corresponding to script execution in a run-time execution environment, wherein the origin (one origin) such as temporary folder is indicated by file path and determining likelihood of malicious scripts and flagging or categorizing them as malicious or risky for execution);
 if the script is malicious, suppressing execution of the script; and if the script is not malicious, forwarding the script to the script engine and executing the script (para 0021-0023, 0030-0031, 0036 – various script contexts or relevant data including local origin such as temporary folder utilized for monitoring of scripts and determining scripts that are likely to be malicious which are prevented from further execution, and the scripts are allowed to execute if not found to be malicious).

For claim 17, Soeder teaches wherein the step of suppressing execution of the script further includes a step of logging information regarding the script that has been found to be malicious (para 0022-0023, 0049-0050 – script monitoring wherein the execution of malicious scripts may be noted (logged or recognized) in order to further partially or fully prevent the script from execution, wherein the backend server collects reports from the SMCs and alerts are logged or sent out as part of the process or determination).

For claim 19, Soeder teaches wherein the script checking engine determines that the script is malicious if the program that tries to run the script is a program that is known to run malicious scripts (para 0015-0017, 0037-0042 – scripts launched by certain programs that are known to also launch or execute malicious scripts; para 0022, 0026, 0028, 0031, 0036 – script origination environment with programs such as Winword or VBE that are known to carry malicious scripts are utilized for determining likelihood of malicious scripts and flagging or categorizing them as malicious or risky for execution).

For claim 20, Soeder teaches wherein the step of determining if the script is malicious includes determining which program is trying to run the script, and if the program that is trying to run the script is known to run malicious scripts, the script is flagged as malicious (para 0015-0017, 0037-0042 – scripts launched by certain programs that are known to also launch or execute malicious scripts; para 0022, 0026, 0028, 0031, 0036 – script origination environment with programs such as Winword or VBE that are known to carry malicious scripts are utilized for determining likelihood of malicious scripts and flagging or categorizing them as malicious or risky for execution).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Soeder (US 2017/0357805 A1), in view of Porter et al. (US 2007/0261051 A1, Porter hereinafter).
For claim 7, although Soeder teaches preventing running of scripts or programs based on certain contexts such as script file location or based on behavioral contexts as discussed above and in para 0036, Soeder does not expressly teach, however Porter teaches wherein the script checking engine determines that the script is malicious if the local origin of the script is from a registry key, the registry key being from a registry of the protected computer (para 0007, 0021, 0026 – unauthorized or malicious script/software is identified by registry keys and executing from the registry wherein such programs are prevented from running from resources such as registry).
Therefore, based on Soeder in view of Porter, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Porter in the system of Soeder, in order to incorporate any number of other factors that are routinely deemed as security risks based on location or behavior, in determination of program maliciousness, thereby improving the system’s accuracy in maliciousness detection and system protection capabilities (Porter para 0002, 0007). One would also be motivated to incorporate this well-known aspect of registry tampering and unauthorized program/script origination based on illegally created or modified registry keys, as disclosed by Porter.

For claim 14, although Soeder teaches preventing running of scripts or programs based on certain contexts such as script file location or based on behavioral contexts as discussed above and in para 0036, Soeder does not expressly teach, however Porter teaches wherein the step of determining if the script is malicious includes determining if the local origin of the script is from a registry key, the registry key being from a registry of the protected computer, and if the local origin of the script is the registry key, the script is flagged as malicious (para 0007, 0021, 0026 – unauthorized or malicious script/software is identified by registry keys and executing from the registry wherein such programs are prevented from running from resources such as registry and flagging or categorizing files as malicious or risky for execution).
Therefore, based on Soeder in view of Porter, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Porter in the system of Soeder, in order to incorporate any number of other factors that are routinely deemed as security risks based on location or behavior, in determination of program maliciousness, thereby improving the system’s accuracy in maliciousness detection and system protection capabilities (Porter para 0002, 0007). One would also be motivated to incorporate this well-known aspect of registry tampering and unauthorized program/script origination based on illegally created or modified registry keys, as disclosed by Porter.


Claims 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Soeder (US 2017/0357805 A1), in view of Daswani et al. (US 8,656,491 B1, Daswani hereinafter).
For claim 16, Soeder teaches the claimed subject matter as discussed above, and although Soeder teaches taking into account many attributes associated with the script in order to determine if the script is malicious and preventing its execution (para 0026, 0036), wherein checking one or more features associated with script attributes would be an obvious factor considered with regards to checking against blacklists for legitimacy of the script, Soeder does not appear to explicitly teach, however Daswani teaches step of transferring the script that has been found to be malicious to a server for further analysis (col. 4 lines 65-67; col. 5 lines 30-40; col. 6 lines 23-64 – in a second phase analysis, malicious files are passed to servers that perform other detection tasks to ensure maliciousness, wherein the analyzer 212 in detection engine of the server or system 102 analyzes various contents including scripts sent over to, or received by the server). Therefore, based on Soeder in view of Daswani, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Daswani in the system of Soeder, in order to enhance security of the system by conducting further security analysis of the script or the code in order to avoid false positives and/or to identify the cause or other factors associated with maliciousness, thereby making the system more intelligent for malware detection and more secure.

For claim 18, Soeder teaches the claimed subject matter as discussed above, and although Soeder teaches logging or notifying about information regarding the script that has been found to be malicious (para 0022-0023, 0049-0050) wherein it would be obvious to notify or send alerts to users while partially or fully preventing the scripts from executing, Soeder does not appear to explicitly teach, however Daswani teaches wherein the step of suppressing execution of the script further includes a step of informing a user of the computer that the script has been found to be malicious (col. 2 line 54 – col. 3 line 2; col. 3 lines 28-39; col. 4 lines 55-64; col. 7 lines 48-55 – sending alerts about malicious content which could be scripts, to a user or admin).

    
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433