DETAILED ACTION
 	Claims 2-7, 9-14, 16 and 19 are pending. Claims 1, 8, 15, 17-18 and 20 are canceled. This is in response to Applicant’s amendments and arguments filed on January 28, 2022.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Claim Amendments
Authorization for this examiner’s amendment was given in an interview with Michelle Leveque on February 16, 2022.

The application has been amended as follows: 

1. (cancelled)

2. (Currently Amended) A machine-implemented vulnerability detection method for a local electronic device in a system of electronic devices, comprising:
determining a distinguishing characteristic of at least one version of a computer program in a format as installed in usable form on at least one local electronic device to distinguish said at least one version of said computer program in said format from at least one further version of said computer program in said format;
at least one of generating at a remote device and receiving at said local device at least one indication of a defect giving rise to vulnerability to malicious activity in a portion of at least one of code and data;
determining that said portion is used by said at least one version;
maintaining a mapping between said at least one version of said computer program and said at least one indication;
creating a first scanning rule comprising said distinguishing characteristic and said indication;
creating a second scanning rule according to a level of trust for a scanner, said level of trust including one of an access control level in an access control hierarchy, a memory privilege key, and an administrator permission level above a user permission level;
storing said first and said second scanning rule in at least one of said local device and a remote device;
scanning according to said stored first scanning rule only portions of storage on said local device that are available according to said second scanning rule to detect instances of said distinguishing characteristic in at least one usable computer program in at least one of an installed state and a to-be-installed state thereon, the act of scanning being performed by at least one of said local device and said remote device; and
responsive to a determination that said electronic device has an installed instance of said at least one version of said computer program according to said distinguishing characteristic of said first scanning rule, emitting an alert signal indicating that said electronic device is vulnerable to said malicious activity according to said indication, said alert signal causing restricting use of said local device until said local device has its vulnerable status removed, said alert signal causing restricting use of said local device until said local device has its vulnerable status removed.

3. (Previously presented) The method of claim 2, said determining a distinguishing characteristic comprising finding at least one of a clear text instance of a version indicator, an encoding of a version indicator, and a sequence of symbols unique to at least one of said version and a range of versions.

4. (Previously presented) The method of claim 2, said indication of a defect comprising an indication of an exploitable program data construct.

5. (Original) The method of claim 4, said exploitable program data construct comprising a stack.

6. (Previously presented) The method of claim 2, said at least one of code and data comprising at least one of an object, a local code procedure, a remote called procedure, a data definition for defining a portion of a memory, and a cryptographic key structure.

7. (Previously presented) The method of claim 2, said maintaining a mapping comprising maintaining a mapping in at least one of local volatile storage, local non-volatile storage, remote volatile storage and remote non-volatile storage.

8. (cancelled)

9. (Previously presented) The method of claim 2, said format as installed in usable form comprising at least one of a compiled object format, a compiled and linked object format and a compiled, linked and loaded object format.

10. (Previously presented) The method of claim 2, said local electronic device comprising an Internet of Things device.

11. (Previously presented) The method of claim 2, said remote electronic device comprising at least one of an Internet of Things deployment device and an Internet of Things management server device.

12. (Previously presented) The method of claim 2, further comprising, responsive to said alert signal, performing an automated mitigation action.

13. (Original) The method of claim 12, said performing an automated mitigation action comprising isolating said electronic device from communication with a remainder of said system of electronic devices.

14. (Previously presented) The method of claim 2, wherein said scanning further comprises reversal of relocation effects on said at least one of code and data.

15. (cancelled)

16. (Currently Amended) A computer program product stored on a non-transitory medium comprising computer program code to, when executed upon a suitable processor perform: 
determining a distinguishing characteristic of at least one version of a computer program in a format as installed in usable form on at least one local electronic device to distinguish said at least one version of said computer program in said format from at least one further version of said computer program in said format;

at least one of generating at a remote device and receiving at said local device at least one indication of a defect giving rise to vulnerability to malicious activity in a portion of at least one of code and data;

determining that said portion is used by said at least one version;

maintaining a mapping between said at least one version of said computer program and said at least one indication;

creating a first scanning rule comprising said distinguishing characteristic and said indication;

creating a second scanning rule according to a level of trust for a scanner, said level of trust including one of an access control level in an access control hierarchy, a memory privilege key, and an administrator permission level above a user permission level;

storing said first and said second scanning rules in at least one of said local device and a remote device;

scanning according to said stored first scanning rule only portions of storage on said local device that are available according to said second scanning rule to detect instances of said distinguishing characteristic in at least one usable computer program in at least one of an installed state and a to-be-installed state thereon, the act of scanning being performed by at least one of said local device and said remote device; and 

responsive to a determination that said electronic device has an installed instance of said at least one version of said computer program according to said distinguishing characteristic of said first scanning rule, emitting an alert signal indicating that said electronic device is vulnerable to said malicious activity according to said indication, said alert signal causing restricting use of said local device until said local device has its vulnerable status removed.

17. (cancelled)

18. (cancelled)

19. (Currently Amended) A scanning device operable to assess a vulnerability of an electronic device in a system of electronic devices, the scanning device comprising: 

a memory; and

an integrated circuit, coupled to the memory, configured to perform:

determining a distinguishing characteristic of at least one version of a computer program in a format as installed in usable form on at least one local electronic device to distinguish said at least one version of said computer program in said format from at least one further version of said computer program in said format;

at least one of generating at a remote device and receiving at said local device at least one indication of a defect giving rise to vulnerability to malicious activity in a portion of at least one of code and data;

determining that said portion is used by said at least one version;

maintaining a mapping between said at least one version of said computer program and said at least one indication;

creating a first scanning rule comprising said distinguishing characteristic and said indication;

creating a second scanning rule according to a level of trust for a scanner, said level of trust including one of an access control level in an access control hierarchy, a memory privilege key, and an administrator permission level above a user permission level;

storing said first and said second scanning rule in at least one of said local device and a remote device;

scanning according to said stored first scanning rule only portions of storage on said local device that are available according to said second scanning rule to detect instances of said distinguishing characteristic in at least one usable computer program in at least one of an installed state and a to-be-installed state thereon, the act of scanning being performed by at least one of said local device and said remote device; and

responsive to a determination that said electronic device has an installed instance of said at least one version of said computer program according to said distinguishing characteristic of said first scanning rule, emitting an alert signal indicating that said electronic device is vulnerable to said malicious activity according to said indication, said alert signal causing restricting use of said local device until said local device has its vulnerable status removed.

20.	(cancelled) 

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:
Per interview, Applicant agrees to an amendment for compact prosecution, since no art, singly or in combination, teaches a malware scanning process such that creating a first scanning rule comprising said distinguishing characteristic and …
creating a second scanning rule according to a level of trust for a scanner, said level of trust including one of an access control level in an access control hierarchy, a memory privilege key, and an administrator permission level above a user permission level. Therefore, claims 1, 16 and 19 are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994. The examiner can normally be reached Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-

/TRI M TRAN/Primary Examiner, Art Unit 2432