DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Amendment filed 08 June 2021 has been received and considered.
Claims 1-26 are pending.

Claim Rejections - 35 USC § 101
The rejection under 35 U.S.C. 101 is withdrawn based on the filed Amendment.

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Michael Zimmerman (Reg. No. 57,993) on 7 July 2021 and follow-up with Andrew R. Varrenti (Reg. No. 78,555) on 16 July 2021.
The application has been amended as follows: 

Listing of Claims:
1. (Currently Amended) A non-transitory computer readable medium comprising instructions that, when executed, cause a programmable device to at least:
hook a runtime layer used by a scripting language, the runtime layer to be executed by a browser;
in response to a load of a plugin into the browser, generate an alert to notify a security software of the load of the plugin;
in response to the alert, scan the plugin with the security software to determine whether the plugin is malicious;
in response to a first determination that the plugin is malicious, disable the load of the plugin or a load of a script into the plugin;
in response to a second determination that the plugin is not malicious:
intercept execution of an object including the script;
load the script into the plugin to cause an execution of the script; 
record scripting language execution events at runtime, the scripting language execution events caused by execution of [[a]] the script in the scripting language;
transform the recorded scripting language execution events into an execution trace; and
at least one of scan the script in the plugin to detect vulnerabilities associated with execution of the script or analyze the execution trace dynamically for the vulnerabilities 

2. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the instructions, when executed, cause the programmable device to:
inform [[a]] the security software of the vulnerabilities.

3. (Previously Presented) The non-transitory computer readable medium of claim 1, wherein the instructions, when executed, cause the programmable device to:
inject code in the scripting language into scripts executed by the runtime layer.

4. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the instructions, when executed, cause the programmable device to:
[[a]] the security software; and
provide information about the vulnerabilities to the security software via the application programming interface.

5. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the plugin has a browser plugin interface, and the instructions, when executed, cause the programmable device to:
employ [[a]] the browser plugin interface to perform file-based analysis of the vulnerabilities in the script.

6. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the instructions, when executed, cause the programmable device to analyze the execution trace in [[a]] the security software external to the browser.

7. (Previously Presented) The non-transitory computer readable medium of claim 1, wherein the instructions, when executed, cause the programmable device to:
compare information in the execution trace to a database of known scripting language vulnerabilities.

8. (Previously Presented) The non-transitory computer readable medium of claim 7, wherein the instructions, when executed, cause the programmable device to:
update the database of known scripting language vulnerabilities.

9. (Currently Amended) An improved method of protecting a programmable device against malware, comprising:
hooking a runtime layer used by a scripting language, the runtime layer to be executed by a browser;
in response to a load of a plugin into the browser, generating an alert to notify a security software of the load of the plugin;
in response to the alert, scanning the plugin with the security software to determine whether the plugin is malicious;
in response to a first determination that the plugin is malicious, disabling the load of the plugin or a load of a script into the plugin;
in response to a second determination that the plugin is not malicious:
intercepting execution of an object including the script;
loading the script into the plugin to cause an execution of the script; 
recording scripting language execution events at runtime, the scripting language execution events caused by execution of [[a]] the script in the scripting language;
transforming the recorded scripting language execution events into an execution trace; and
at least one of scanning the script in the plugin to detect vulnerabilities associated with execution of the script or analyzing the execution trace dynamically for the vulnerabilities 

10. (Currently Amended) The method of claim 9, further including:
informing [[a]] the security software of the vulnerabilities.

11. (Previously Presented) The method of claim 9, wherein hooking the runtime layer includes:
injecting code in the scripting language into scripts executed by the runtime layer.

12. (Currently Amended) The method of claim 9, further including:
providing an application programming interface for [[a]] the security software; and
delivering information about the vulnerabilities to the security software via the application programming interface.

13. (Currently Amended) The method of claim 9, wherein the plugin has a browser plugin interface, and further including:
employing [[a]] the browser plugin interface to perform file-based analysis of the vulnerabilities in the script.

14. (Previously Presented) The method of claim 9, wherein analyzing the execution trace is performed external to the browser.

15. (Previously Presented) The method of claim 9, wherein analyzing the execution trace includes:
comparing information in the execution trace to a database of known scripting language vulnerabilities.

16. (Previously Presented) The method of claim 15, wherein analyzing the execution trace further includes:
updating the database of known scripting language vulnerabilities by communicating with a remote server.

17. (Currently Amended) A programmable device programmed with an improved anti-malware protection system, comprising:
at least one memory; 
instructions; and
at least one processing element to execute the instructions to:
hook a runtime layer used by a scripting language, the runtime layer to be executed by a browser;
in response to a load of a plugin into the browser, generate an alert to notify a security software of the load of the plugin;
in response to the alert, scan the plugin with the security software to determine whether the plugin is malicious;
in response to a first determination that the plugin is malicious, disable the load of the plugin or a load of a script into the plugin;
in response to a second determination that the plugin is not malicious:
intercept execution of an object including the script;
load the script into the plugin to cause an execution of the script; 
record scripting language execution events at runtime, the scripting language execution events caused by execution of [[a]] the script in the scripting language;
transform the recorded scripting language execution events into an execution trace; and
at least one of scan the script in the plugin to detect vulnerabilities associated with execution of the script or analyze the execution trace dynamically for the vulnerabilities 

18. (Currently Amended) The programmable device of claim 17, wherein the at least one processing element is to:
inform [[a]] the security software of the vulnerabilities.

19. (Previously Presented) The programmable device of claim 17, wherein the at least one processing element is to:
inject code in the scripting language into scripts executed by the runtime layer.

20. (Currently Amended) The programmable device of claim 17, wherein the at least one processing element is to:
provide an application programming interface for [[a]] the security software; and
provide information about the vulnerabilities to the security software via the application programming interface.

21. (Currently Amended) The programmable device of claim 17, wherein the at least one processing element is to:
employ a browser plugin interface of the plugin to perform file-based analysis of vulnerabilities in the script.

22. (Currently Amended) The programmable device of claim 17, wherein the at least one processing element is to analyze the execution trace in [[a]] the security software external to the browser.

23. (Previously Presented) The programmable device of claim 17, wherein the at least one processing element is to:
compare information in the execution trace to a database of known scripting language vulnerabilities.

24. (Previously Presented) The programmable device of claim 23, wherein the at least one processing element is to:
update the database of known scripting language vulnerabilities.

25. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the instructions, when executed, cause the programmable device to:
deliver an encrypted object to the runtime layer, the encrypted object including the script;
decrypt the encrypted object to expose the script for execution by the runtime layer; 
execute the script in the runtime layer to generate the 
scan the 
and
in response to detecting an exploit based on the scan, disable at least one of the runtime layer, the execution of the script, or a web application of the browser.

26. (Canceled)


Allowable Subject Matter
Claims 1-25 are allowed.
The following is an examiner’s statement of reasons for allowance: the prior art teaches detecting malicious and vulnerable portions of scripts at runtime, generally teaches the use of plugins for performing various actions including scanning for malware/vulnerabilities, but fails to render the combination of elements put forth in each independent claim obvious.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the references put forth on the PTO-892 form are directed to scanning scripts, using plugins, or handling encrypted scripts for malware detection.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875.  The examiner can normally be reached on Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on (571) 270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Michael Pyzocha/Primary Examiner, Art Unit 2419