DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/21/2021, 06/01/2021 and 06/02/2021 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of Applicant's IDS form 1449 filed 04/21/2021, 06/01/2021 and 06/02/2021 is attached.

Acknowledgements
This communication is in response to
Application claim amendments filed on 03/15/2021, and 
Authorization for the below examiner’s claim amendments was given by email by Ms. Myrna Schelling (Reg. No. 54,426) on 06/01/2021.

The amendments filed on 03/15/2021 have been entered.
The claim amendments below overcome the USC 112(b) and USC 103 rejections previously set forth in the Office Action mailed on 12/15/2020.

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Examiner’s Amendment
Note: Proposed amendments marked manually with underlining and 

Abstract
A malicious code detection module identifies potentially malicious instructions in volatile memory of a computing device before the instructions are executed. The malicious code detection module identifies an executable file, including an .exe file, in memory, validates one or more components of the executable file against the same file stored in non-volatile storage, and issues an alert if the validation fails. 
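
An added illustration, not part of the Office action or the application: a minimal sketch of the comparison the abstract describes, checking the DOS header and the code section (the components named in claims 9 and 10) of a mapped image against the file on disk. It assumes a constructed PE-style sample with no optional header, no relocations applied to the code, and no packing; the function names are hypothetical.

```python
import struct

DOS_HDR_LEN = 64      # size of IMAGE_DOS_HEADER
SEC_HDR_LEN = 40      # size of IMAGE_SECTION_HEADER

def sections(image: bytes) -> dict:
    """Map section name -> (virt_size, virt_addr, raw_size, raw_ptr)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_len,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_len
    found = {}
    for off in range(table, table + count * SEC_HDR_LEN, SEC_HDR_LEN):
        name, *fields = struct.unpack_from("<8sIIII", image, off)
        found[name.rstrip(b"\0").decode()] = tuple(fields)
    return found

def validate(disk: bytes, mem: bytes, name: str = ".text") -> list:
    """Return alerts for the DOS header and one section, memory vs. file."""
    alerts = []
    if mem[:DOS_HDR_LEN] != disk[:DOS_HDR_LEN]:
        alerts.append("DOS header content differs")
    d_vsize, _, d_rsize, d_rptr = sections(disk)[name]
    m_vsize, m_vaddr, _, _ = sections(mem)[name]
    if d_vsize != m_vsize:
        alerts.append(f"{name} size differs: file={d_vsize} memory={m_vsize}")
    n = min(d_vsize, d_rsize)  # bytes of the section actually backed by the file
    # File data sits at PointerToRawData; the loader maps it at VirtualAddress.
    if mem[m_vaddr:m_vaddr + n] != disk[d_rptr:d_rptr + n]:
        alerts.append(f"{name} content differs")
    return alerts

def build_sample(code: bytes):
    """Constructed minimal PE-style file and its mapped image (sample data)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", DOS_HDR_LEN)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                      0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + sec
    disk = hdr.ljust(0x200, b"\0") + code.ljust(0x200, b"\0")
    mem = hdr.ljust(0x1000, b"\0") + code.ljust(0x1000, b"\0")
    return disk, mem
```

A real module would additionally skip or resolve the loader-altered components (for example the import address table mentioned in claim 18) before comparing.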

Claims
1. (Currently Amended) A method of validating an executable file to identify potential malware in a computing device comprising a processor, memory, non-volatile storage, an operating system, and a malicious code detection module, the method comprising: 
identifying, by the malicious code detection module, a first executable file in the memory, the first executable file including: 
a first plurality of components that are altered by the operating system when loaded into the memory, and 

identifying, by the malicious code detection module, a second executable file in the non-volatile storage, wherein the first executable file and the second executable file are associated with one another by the operating system; 
determining that the second executable file has been compressed and/or encrypted using software packing; determining whether the second executable file is capable of being unpacked; unpacking the second executable file when the second executable file is capable of being unpacked; 
comparing, by the malicious code detection module, a size of a first component of [[a]] the second plurality of components of the first executable file and a size of a first component of [[the]] a second plurality of components of the second executable file, 
wherein comparing includes accounting for changes to the second executable file caused by the unpacking of the second executable file, and further wherein when the second executable file has not been compressed and/or encrypted using software packing, the changes need not be accounted for, and 
generating an alert when the size of the first component of the second plurality of components of the first executable file and the size of the first component of the second plurality of components of the second executable file are different in terms of a number of bytes and bit-by-bit comparison; 
wherein the first component of the second plurality of components of the first executable file is less than the entirety of the first executable file and the first component 

2. (Previously Presented) The method of claim 1, further comprising: comparing, by the malicious code detection module, the content of a first component of the second plurality of components of the first executable file and the content of a first component of the second plurality of components of the second executable file, and generating an alert when the content of the first component of the second plurality of components of the first executable file and the content of the first component of the second plurality of components of the second executable file are different.  

3. (Previously Presented) The method of claim 2, further comprising: comparing, by the malicious code detection module, a size of a second component of the second plurality of components of the first executable file and a size of a second component of the second plurality of components of the second executable file, and generating an alert when the size of the second component of the second plurality of components of the first executable file and the size of the second component of the second plurality of components of the second executable file are different; wherein the second component of the first executable file is less than the entirety of the first executable file and the second component of the second executable file is less than the entirety of the second executable file.  



5. (Original) The method of claim 1, wherein the first executable file is a portable executable file and the second executable file is a portable executable file.  

6. (Original) The method of claim 2, wherein the first executable file is a portable executable file and the second executable file is a portable executable file.  

7. (Original) The method of claim 3, wherein the first executable file is a portable executable file and the second executable file is a portable executable file.  

8. (Original) The method of claim 4, wherein the first executable file is a portable executable file and the second executable file is a portable executable file.  

9. (Previously Presented) The method of claim 5, wherein the first component of the second plurality of components of the first executable file is a DOS header and the 

10. (Previously Presented) The method of claim 9, wherein the second component of the second plurality of components of the first executable file is a set of code and the second component of the second plurality of components of the second executable file is a set of code.  

11. (Currently Amended) A computing device comprising: a processor; memory; a non-volatile storage device; 
an operating system; and a malicious code detection module stored in the memory and executed by the processor, the malicious code detection module comprising instructions for: 
identifying a first executable file in the memory, the first executable file including: 
a first plurality of components that are altered by the operating system when loaded into the memory, and 
a second plurality of components that are not altered by the operating system when loaded into the memory; 
identifying a second executable file in the non-volatile storage, wherein the first executable file is associated with the second executable file by the operating system; 
determining that the second executable file has been compressed and/or encrypted using software packing; determining whether the second executable file is capable of being unpacked; unpacking the second executable file when the second executable file is capable of being unpacked; 
comparing a size of a first component of [[a]] the second plurality of components of the first executable file and a size of a first component of a second plurality of components of the second executable file, wherein comparing includes accounting for changes to the second executable file caused by the unpacking of the second executable file, and further wherein when the second executable file has not been compressed and/or encrypted using software packing, the changes need not be accounted for; 
identifying permissible modifications to the first executable file based on execution of the first executable file; and 
generating an alert if the size of the first component of the second plurality of components of the first executable file and the size of the first component of the second plurality of components of the second executable file are different in terms of a number of bytes and bit-by-bit comparison, 
wherein the alert is not triggered when the difference relates to the permissible modifications; wherein the first component of the second plurality of components of the first executable file is less than the entirety of the first executable file and the first component of the second plurality of components of the second executable file is less than the entirety of the second executable file.  

12. (Previously Presented) The device of claim 11, wherein the malicious code detection module further comprises instructions for: comparing the content of the first 

13. (Previously Presented) The device of claim 12, wherein the malicious code detection module further comprises instructions for: comparing a size of a second component of the second plurality of components of the first executable file and a size of a second component of the second plurality of components of the second executable file, and generating an alert if the size of the second component of the second plurality of components of the first executable file and the size of the second component of the second plurality of components of the second executable file are different; wherein the second component of the first executable file is less than the entirety of the first executable file and the second component of the second executable file is less than the entirety of the second executable file.  

14. (Previously Presented) The device of claim 12, wherein the malicious code detection module further comprises instructions for: comparing, by the malicious code detection module, the content of the second component of the second plurality of components of the first executable file and the content of the second component of the second plurality of components of the second executable file, and generating an alert if 

15. (Original) The device of claim 11, wherein the first executable file is a portable executable file and the second executable file is a portable executable file.  

16. (Original) The device of claim 12, wherein the first executable file is a portable executable file and the second executable file is a portable executable file.  

17. (Original) The device of claim 13, wherein the first executable file is a portable executable file and the second executable file is a portable executable file.  

18. (Previously Presented) The device of claim 13, further comprising resolving changes to an import address table for the first executable file.  

19. (Previously Presented) The device of claim 15, wherein the first component of the second plurality of components of the first executable file is a DOS header and the first component of the second plurality of components of the second executable file is a DOS header.  

20. (Previously Presented) The device of claim 19, wherein the second component of the second plurality of components of the first executable file is a set of 

21. (Original) The method of claim 1, the method further comprising: decrypting at least one second plurality of components when loading into the memory, wherein at least one of the second plurality of components is encrypted.  

22. (Original) The method of claim 1, the method further comprising: decompressing at least one second plurality of components when loading into the memory, wherein at least one of the second plurality of components is compressed. 

Allowable Subject Matter
Above Claims 1-22 are allowed.
The following is a statement of reasons for indication of allowable subject matter.
Cited and relevant prior art of record:
Stapleton et al. (US 10,045,218 B1),
Oerting et al. (US 20060026569 A1),
Ye (US 20100293615 A1),
Muzammil et al. (US 20140032915 A1),
Drew (US 20130283030 A1).

Oerting discloses Dynamic run-time verification of a module which is loaded in memory for execution, where a portion loaded into memory is authenticated with 
While the above prior art discloses the aforementioned concepts, none of the above prior art, individually or in combination, discloses all the limitations in the manner recited in the independent claims. Specifically, none of the above prior art discloses the limitations pertaining to the size, in terms of number of bytes and bit-by-bit comparison, of the first component of the second plurality of components of the execution files, where the comparison is performed accounting for unpacking of the second executable file; this is in addition to the remaining limitations in the independent claims. Therefore, the above limitations in conjunction with the remaining limitations of the independent claims render the above independent claims allowable.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705. The examiner can normally be reached on Monday-Friday 8:30 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw, can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

/BASSAM A NOAMAN/ Examiner, Art Unit 2497
/ELENI A SHIFERAW/ Supervisory Patent Examiner, Art Unit 2497