Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/11/2021 has been entered.

Response to Arguments
In communications filed on 11/16/2021, claims 1-20 are presented for examination. Claims 1, 11, and 16 are independent.
Amended claim(s): 1, 11, and 16.

Specification
The amendment filed 11/11/21 is objected to under 35 U.S.C. 132(a) because it introduces new matter into the disclosure.  35 U.S.C. 132(a) states that no amendment shall The following limitations in claim 1 are not supported: “the memory storing a data structure that identifies at least one application server; select, automatically without user direction, an application server of the at least one application server.” Claims 11 and 16 recite substantially the same limitations. A review of Applicant’s disclosure including ¶0023-¶0024, ¶0055-¶0059, ¶0077-¶0086 doesn’t show support for the highlighted portions of the aforementioned limitations. Note the only reference to a data structure is in reference to Fig. 9 and the data structure is used to collect data including application/process name and related information after the executable accesses a banking website; after collecting the data in the data structure, the data structure is transmitted to a removal manager as explained in ¶0053-¶0059 of Applicant’s disclosure. There is no support for “the memory storing a data structure that identifies at least one application server” and “select,…, an application server of the at least one application server.” Executable 404 accesses a website (i.e., application server), however, there is no support for a data structure storing multiple application servers from which the executable 404 selects one application server. 


Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 1, 11, 16 and their respective dependent claims are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 10 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claim recites: “take the client device out of the quiescent state after receiving a second message, instead of the message, from the analysis server indicative that the malicious application is not present.” The scope of the claim is ambiguous, as it is not clear what is meant by “instead of the message.”

Double Patenting
1. 	A rejection based on double patenting of the "same invention" type finds its support in the language of 35 U.S.C. 101 which states that "whoever invents or discovers any new and useful process ... may obtain a patent therefor ..." (Emphasis added). Thus, the term "same invention," in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957); and In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970).

2.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 1, 11, and 16 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 7, and 17 of US 9659175 B2. Although the conflicting claims are not identical, they are not patentably distinct from each other because all the limitations recited in the independent claims 1, 11, 16 of the present application and are broader than limitations recited in independent claims 1, 7, and 17 of US 9659175 B2.
Claims 1, 11, and 16 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 10, and 16 of US 10235524 B2. Although the conflicting claims are not identical, they are not patentably distinct from each other because all the limitations recited in the independent claims 1, 11, 16 of the present application and are broader than limitations recited in independent claims 1, 10, and 16 of US 10235524 B2.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.


Claim(s) 1 is/are rejected under pre-AIA  35 U.S.C. 102(b) as being anticipated by Mahaffey et al., (US 20110047597 A1, hereinafter ‘Mahaffey’) disclosed in the IDS filed 6/12/20.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and 

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 1-9 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Mahaffey et al., (US 20110047597 A1, hereinafter ‘Mahaffey’) in view of US 20110239300 A1 (hereinafter ‘Klein’) in view of US 8707437 B1 (hereinafter ‘Ming’).

As regards claim 1, Mahaffey discloses: An apparatus comprising: a client device including a processor and a memory, the client device being communicatively coupled to a network, (Mahaffey: Fig. 1 ie the client and the server ¶29-¶36; ¶69-¶70; ¶31-¶34) the memory storing a data structure that identifies at 
 an executable application including instructions stored in the memory, which when executed, cause the processor to: collect data regarding processes operating on the client device…, (Mahaffey: Fig. 1 ie the client and the server ¶29-¶36; ¶66, i.e., “For example, if a process on a mobile communication loads multiple components from different vendors and network data can only be gathered on a per-process level, and/or if the process is detected to be connecting to a known malicious server…”; see also ¶84)
However, Mahaffey does not explicitly disclose: during a period of time. 
In analogous art, Klein discloses triggering and detecting a malware that connects through a web browser to a server based on time period of the connection (Klein: ¶40-¶44; ¶¶60-65).
At the time the invention was made it would have been obvious to one of ordinary skill in the art to modify Mahaffey to include malware trigger and detection by a server when the computer accesses a website (i.e., application server) (Klein: ¶30-¶31; ¶40-¶44) and wherein the server uses timing measurement to determine if any modifications were made by a malicious application within milliseconds with the motivation to detect the presence of malware on the client computer (Klein: ¶65-¶66).

At the time the invention was made it would have been obvious to one of ordinary skill in the art to modify Mahaffey et al to include malware trigger and detection when a computer automatically accesses application servers (i.e., application server) with the motivation to detect malware on the computer (Ming: Figs. 3-6, col.3:50 to col.5:67)
Mahaffey et al combination further discloses: purposefully access, during the time period, the selected application server via the network using a web browser on the client device in an attempt to trigger a malicious application potentially located on the client device, and (Mahaffey: Fig. 1 i.e., the client and the server ¶29-¶36; ¶66, i.e., “For example, if a process on a and/or if the process is detected to be connecting to a known malicious server…”; see also ¶84. See also, Klein: ¶40-¶44; ¶¶60-65. See also, Ming: Figs. 3-6, col.3:50 to col.5:67, i.e., the keylogger module that selects an application server to be accessed via a browser or other application wherein the keylogger performs the action of selecting the application server (i.e., sensitive site), launching the browser to the application server, entering the user credentials automatically and without user intervention, and wherein the keylogger module monitors the system for any changes to the system while the sensitive application server is being accessed)
transmit, after the time period, the collected data to an analysis server to determine whether the malicious application is located on the client device. (Mahaffey: Fig. 1 ie the client and the server ¶29-¶36, wherein ¶126-¶129, the client sends the collected data to the server for assessment. See also, Klein: ¶40-¶44; ¶¶60-65)

As regards Claim 2, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the executable application includes further instructions, which when executed, cause the processor to select the application server based on the and/or if the process is detected to be connecting to a known malicious server…”; see also ¶84. See also, Klein: ¶40-¶44; ¶¶60-65. See also, Ming: Figs. 3-6, col.3:50 to col.5:67, i.e., the keylogger module that selects an application server to be accessed via a browser or other application wherein the keylogger performs the action of selecting the application server (i.e., sensitive site), launching the browser to the application server, entering the user credentials automatically and without user intervention, and wherein the keylogger module monitors the system for any changes to the system while the sensitive application server is being accessed)

As regards Claim 3, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the executable application includes further instructions, which when executed, cause the processor to access the application server by at least one of performing a data operation with the application server, or carrying out a transaction with the application server. (Mahaffey: Fig. 1 i.e., the client and the server ¶29-¶36; ¶66, and/or if the process is detected to be connecting to a known malicious server…”; see also ¶84. See also, Klein: ¶40-¶44; ¶¶60-65. See also, Ming: Figs. 3-6, col.3:50 to col.5:67, i.e., the keylogger module that selects an application server to be accessed via a browser or other application wherein the keylogger performs the action of selecting the application server (i.e., sensitive site), launching the browser to the application server, entering the user credentials automatically and without user intervention, and wherein the keylogger module monitors the system for any changes to the system while the sensitive application server is being accessed)

As regards Claim 4, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the executable application includes further instructions, which when executed, cause the processor to place the client device into a quiescent state before or during the time period. (Mahaffey: ¶127, i.e., generating the baseline upon startup of the device or when the monitoring application is first launched)

As regards Claim 6, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the executable application is located at the analysis server. (Mahaffey: ¶36)

As regards Claim 7, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the processes operating on the client device include related performance data metrics. (Mahaffey: ¶36-¶43)

As regards Claim 8, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the executable application includes further instructions, which when executed, cause the processor to: start the time period for the collection of data before the access of the application server; and end the time period after a specified number of minutes after the application server was accessed. (Mahaffey: ¶126-¶128, i.e., scan of the device is performed before, during, after applications are launched and periodically at intervals to determine if any anomalous behavior is observed)

As regards Claim 9, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the executable application includes further instructions, which when executed, cause the processor to: receive a message from the analysis server 

Claim 5 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Mahaffey in view of Klein in view of Sun in view of US 8161552 B1 (hereinafter ‘Sun’).

As regards Claim 5, Mahaffey et al combination discloses the apparatus of Claim 1, wherein the executable application includes further instructions, which when executed, cause the processor to collect the data regarding the processes operating on the client device by receiving information . (Mahaffey: Fig. 1 i.e., the client and the server ¶29-¶36; ¶66, i.e., “For example, if a process on a mobile communication loads multiple components from different vendors and network data can only be gathered on a per-process level, and/or if the process is detected to be connecting to a known malicious server…”; see 
Although Mahaffey et al do not explicitly disclose the commonly used Microsoft tool for collecting task/process information, at the time the invention was made it was well-known to a skilled artisan that Microsoft task manager/WINAPI provided on Microsoft OS provides process/task information. See e.g., Sun (US 8161552 B1) from at least one of a task manager and a Windows Application Programmable Interface. (Sun: col. 4:7-20, i.e., task manager providing information on processes). A skilled artisan would have been motivated to use the well-known Microsoft OS task manager tool to gather information about tasks/processes executing on the computing device to find applications on the system (Sun: col. 4:7-20)

Claim 11-13, 15-17, 19, 20 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Mahaffey in view of Ming.

As regards claim 11, Mahaffey discloses: A machine-accessible device having instructions stored thereon that, when executed, cause a machine to at least: store to a memory device a data structure that identifies at least one application server; (Mahaffey: Fig. 1 ie the client and the server ¶29-¶36; ¶69-¶70; ¶31-¶34; ¶66, ¶125, i.e., list of applications installed on the device)
However, Mahaffey et al do not but in analogous art, Ming (US 8707437 B1) teaches: select, automatically without user direction, an application server of the at least one application server; (Ming: Figs. 3-6, col.3:50 to col.5:67, i.e., the keylogger module that selects an application server to be accessed via a browser or other application wherein the keylogger performs the action of selecting the application server (i.e., sensitive site), launching the browser to the application server, entering the user credentials automatically and without user intervention, and wherein the keylogger module monitors the system for any changes to the system while the sensitive application server is being accessed)

At the time the invention was made it would have been obvious to one of ordinary skill in the art to modify Mahaffey et al to include malware trigger and detection when a computer automatically accesses application servers (i.e., application server) with the motivation to detect malware on the computer (Ming: Figs. 3-6, col.3:50 to col.5:67)
collect data regarding processes operating on the client device before and during the access of the selected application server; (Mahaffey: ¶126-¶128, i.e., scan of the device is performed before, during, after applications are launched and periodically at intervals to determine if any anomalous behavior 
transmit the collected data to an analysis server to enable determination as to whether the malicious application is located on the client device; (Mahaffey: Fig. 1 ie the client and the server ¶29-¶36, wherein ¶126-¶129, the client sends the collected data to the server for assessment of the applications)
receive a message from the analysis server indicative of the malicious application; and (Mahaffey: ¶40, ¶96-¶100, ¶178-¶185)
provide an alert indicative of the malicious application on the client device after receiving the message (Mahaffey: ¶40, ¶96-¶100, ¶178-¶185)

Claim 16 recites substantially the same features recited in claim 11 above and is rejected based on the aforementioned rationale discussed in the rejection. Mahaffey et al combination 

As regards Claim 12, Mahaffey et al combination discloses the machine-accessible device of Claim 11, further comprising instructions stored thereon that are configured when executed to cause the machine to at least one of: (a) remove the malicious application from operation on the client device after receiving the message; or (b) prevent the malicious application from interfering or interacting with the client device after receiving the message. (Mahaffey: Fig. 1 i.e., the client and the server ¶29-¶36, wherein ¶126-¶129, the client sends the 

As regards Claim 13, Mahaffey et al combination discloses the machine-accessible device of Claim 12, further comprising instructions stored thereon that are configured when executed to cause the machine to: collect second data regarding second processes operating on the client device after the at least one of (a) or (b); (Mahaffey: ¶44-¶46, ¶126-¶128, ¶40, ¶96-¶100, ¶178-¶185 i.e., scan of the device is performed before, during, after applications are launched and updated/removed and periodically at intervals to determine if any anomalous behavior is observed. See also, Ming: Figs. 3-6, col.3:50 to col.5:67, i.e., the keylogger module that selects an application server to be accessed via a browser or other application wherein the keylogger performs the action of selecting the application server (i.e., sensitive site), launching the browser to the application server, entering the user credentials automatically and without user intervention, and wherein the keylogger module monitors the system for any changes to the system while the sensitive application server is being accessed) access at least 

Claim 17 recites substantially the same features recited in claim 13 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards Claim 15, Mahaffey et al combination discloses the machine-accessible device of Claim 11, further comprising instructions stored thereon that are configured when executed to cause the machine to: store first information identifying the application server that was purposefully accessed; store second information identifying a time the application server was accessed; and transmit the first information and the second information to the analysis server to enable determination as to 

As regards Claim 19, Mahaffey et al combination discloses the method of Claim 16, further comprising: starting, via the processor, a time period for the collection of data before the access of the application server; and ending, via the processor, the time period after a specified number of minutes after the application server was accessed. (Mahaffey: ¶126-¶128, i.e., scan of the device is performed before, during, after applications are launched and periodically at intervals to determine if any anomalous behavior is observed)

As regards Claim 20, Mahaffey et al combination discloses the method of Claim 16, wherein accessing the application server includes at least one of performing a data operation with the application server, or carrying out a transaction with the application server. (Mahaffey: Fig. 1 i.e., the client and the server ¶29-¶36; ¶66, i.e., “For example, if a process on a mobile communication loads multiple components from different vendors and network data can only be gathered on a per-process and/or if the process is detected to be connecting to a known malicious server…”; see also ¶84. See also, Ming: Figs. 3-6, col.3:50 to col.5:67, i.e., the keylogger module that selects an application server to be accessed via a browser or other application wherein the keylogger performs the action of selecting the application server (i.e., sensitive site), launching the browser to the application server, entering the user credentials automatically and without user intervention, and wherein the keylogger module monitors the system for any changes to the system while the sensitive application server is being accessed)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SYED A ZAIDI/Primary Examiner, Art Unit 2432