DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is a response to an application filed 10/23/2020 wherein claims 1 – 7 are pending and ready for examination.  

CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 


(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: a storage unit configured to store; a detection module configured to extract; a processing module configured to change; and a UI module configured to implement, in claim 6 are not properly described in the application as filed.

Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim  6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Claim 6 cites a storage unit configured to store; a detection module configured to extract; a processing module configured to change; and a UI module configured to implement, which invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed “storage unit configured to store; detection module configured to extract; processing module configured to change; and a UI module configured to implement” functions and to clearly link the structure, material, or acts to the function. The disclosure fails to describe any structure for performing the said “storage” function, nor does the disclosure provide sufficient details regarding the structure for performing the storing. The disclosure fails to describe any structure for performing the said “extraction” function, nor does the disclosure provide sufficient details regarding the structure for performing the extracting. The disclosure fails to describe any structure for performing the said “changing” function, nor does the disclosure provide sufficient details regarding the structure for performing the changing. The disclosure fails to describe any structure for performing the said “implementation” function, nor does the disclosure provide sufficient details regarding the structure for performing the implementation. Therefore, claim 6 is indefinite and is rejected under 35 U.S.C. 112(b) or pre-


Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/23/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


Claims 1-7 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Waghorn; William David, US 20190081963 A1, July 11, 2018, hereafter referred to as Waghorn, in view of Touboul; Shlomo, US 20150288720 A1, October 10, 2015, hereafter referred to as Touboul.

              As to claim 1, Waghorn teaches a method of checking malware infection of a macro included in a document file - Waghorn [0096] The method 400 may be used as part of a root cause analysis, e.g., for determining a root cause of malware on an endpoint, the method comprising: a first checking step of checking - Waghorn [0097] As shown in step 402, the method 400 may include monitoring events on a device, such as a first endpoint. The events may be any as described herein, e.g., events associated with computing objects on the endpoint. The computing objects may, for example include a data file.  Here, the claimed ‘first checking step’ is taught by Waghorn as ‘step 402’ because Figure 4 method begins with a monitoring step whereas monitoring checks inputs at the endpoint), by a macro detection module operating in conjunction with an operating system (OS) of a computer OS – Waghorn [0067] The memory 214 may, in general, include a non-volatile computer readable medium containing computer code that, when executed by the computing device 210 creates an execution environment for a computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system).  Here, the claimed ‘macro detection module’ is taught by Waghorn as ‘code that constitutes processor firmware’ such as event handler 760 of Figure 7), a document file input to an input processor – Waghorn [0097] As shown in step 402, the method 400 may include monitoring events on a device, such as a first endpoint. The events may be any as described herein, e.g., events associated with computing objects on the endpoint. The computing objects may, for example include a data file.  
Here, the claimed ‘input processor’ is taught by Waghorn as ‘endpoint’); an extraction step of searching for and extracting, by the macro detection module, a macro function included in the document file based on malware information stored in a code information storage unit – Waghorn [0032] The threat management facility 100 may also provide for the removal of applications that potentially interfere with the operation of the threat management facility 100, such as competitor products that may also be attempting similar threat management functions. The removal of such products may be initiated automatically whenever such products are detected. In the case where such applications are services are provided indirectly through a third-party product, the application may be suspended until action is taken to remove or disable the third-party product's protection facility. Here, the claimed ‘macro function’ is taught by Waghorn as ‘third party product’ since the third party is a macro as described in Waghorn [0083]. The claimed ‘information storage unit’ is taught by Waghorn as ); a detection step of detecting, by the macro detection module, malware of the extracted macro function - Waghorn [0114] As shown in step 410, the method 400 may include generating an event graph. The event graph may be generated in response to detecting the security event, e.g., using the data log from the data recorder). Here, the claimed ‘detection step’ is taught by Waghorn as ‘generate event graph’ and the claimed ‘malware’ is taught by Waghorn as ‘security event’ threat management facility 100’ since the facility has prerecorded data.
WAGHORN DOES NOT TEACH and a function setting step of changing, by a security processing module, the macro function, from which the malware has been detected, into a custom function, HOWEVER IN AN ANALOGOUS ART DIRECTED TO THE SAME FIELD OF ENDEAVOR TOUBOUL TEACHES and a function setting step of changing, by a security processing module, the macro function, from which the malware has been detected, into a custom function – Touboul [0099] Resource access diverter 804 further modifies those Downloadable-API IAT entries that correspond with protection policies 342, thereby causing corresponding Downloadable accesses via Downloadable-API IAT 731 to be diverted resource access analyzer 805. Here, the claimed ‘function setting step’ is taught by Touboul as ‘Resource access diverter 804’ because the diverter is a function that alters the API whereas the claimed ‘macro function’ is taught by Touboul as ‘IAT entries’. The claimed ‘changing…function’ is taught by Touboul as ‘modifies’ since the macro function was the Downloadable-API IAT entries but now are changed or customized to Downloadable-API IAT 731 function. This modification permits a third checking step by analyzer 805. To provide the event handler of Waghorn would have been obvious to one of ordinary skill in the art, in view of the teachings of Touboul, since all the claimed elements were known in the prior art and one skilled in the art could have combined the elements as claimed by known methods (i.e. customizing macros to remove security threats) with no change in their respective functions, and the combination would have yielded nothing  customization macro used in Touboul would allow the request handler of Waghorn the ability to render potential security threats such as malware harmless using the customization macro function of Touboul).

          As to claim 2, the combination of Waghorn and Touboul teaches the method of claim 1, further comprising:
          a second checking step of, after the document file has been executed by a word processor, interrupting, by the security processing module, an execution event for a macro – Waghorn [0122] when traversing the event graph in a reverse order from the security event, if the analysis identifies an electronic mail application that opened an attachment, this may be identified as the root cause because this is often a source of compromised security on an endpoint. Here, the claimed ‘a second checking step’ is taught by Waghorn as ‘traversing the event graph’ because the macro in the request handler provides for the first checking step. The claimed ‘word processor’ is taught by Waghorn as ‘electronic mail application’), and checking, by the security processing module, a policy for the corresponding macro function - Waghorn [0122] In one aspect, multiple candidate root causes may be identified using the cause identification rules, and a final selection may be based on other contextual information such as reputation, source, etc. Here, the claimed policy is taught by Waghorn as ‘reputation’ because the selection criteria or policy includes the object’s reputation); and
         a macro function blocking step of, when as a result of the policy checking, the macro function is an execution blocking target, stopping, by the security processing module, execution of the macro function - Waghorn [0166] … The security product 732 may use techniques such as signature-based and behavioral-based malware detection including without limitation one or more of host intrusion prevention, malicious traffic detection, URL blocking, file-based detection, and so forth, as well as any input from the event handler 760), and
          presenting, by the security processing module, a notification via a UI module - Waghorn [0092] The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like).

             As to claim 3, the combination of Waghorn and Touboul teaches the method of claim 1, wherein: The policy for the macro function is graded according to a risk level of the malware and the detection step includes setting, by the macro detection module, the risk level for the malware - Waghorn [0145] The reputation of computing objects may include a score (or other label, indication, weighting, and the like) of one or more of its prevalence, its provenance, and its pedigree., or the second checking step includes setting, by the security processing module, the risk level for the malware - Waghorn [0152] …  This may also or instead include changing a level of filtering at one of the set of logical locations according to the security state of the endpoint.  Here, the claimed ‘graded’ is taught by Waghorn as ‘score’ whereas the claimed ‘risk level’ is taught by Waghorn as ‘reputation’ because the macro function in the request handler will evaluate the security state consulting the reputation).
                As to claim 4, the combination of Waghorn and Touboul teaches the method of claim 2, wherein the second checking step includes, when the macro function has a designated level, outputting, by the security processing module, a query window via the UI module – Waghorn [0144] Where exposure of computing objects is explicitly tracked, selecting a set of logical locations may include selecting a group from the plurality of logical locations based on exposure to an external environment, e.g., where the exposure implies a greater degree of security risk), collecting, by the security processing module, a selection value of an operator, and allowing, by the security processing module, the blocking step or execution of the macro function to follow depending on the selection value – Waghorn [0144] … where a known and good reputation process is being used, the selection may include excluding one of the plurality of logical locations associated with the known, good process).


               As to claim 5, the combination of Waghorn and Touboul teaches the method of claim 1, further comprising, before the second checking step, interrupting, by the security processing module, an execution event for the macro after execution of the document file – Waghorn [0144] the method 400 may include generating an event graph. The event graph may be generated in response to detecting the security event, e.g., using the data log from the data recorder. The event graph may be generated at the same time as or as part of creating the data log), checking, by the security processing module, whether the corresponding macro function has been changed into a custom function, and allowing, by the security processing module, the execution of the corresponding macro function to continue when, as a result of the checking, it is determined that the corresponding macro function has not been changed into a custom function. WAGHORN DOES NOT TEACH checking, by the security processing module, whether the corresponding macro function has been changed into a custom function, and allowing, by the security processing module, the execution of the corresponding macro function to continue when, as a result of the checking, it is determined that the corresponding macro function has not been changed into a custom function, HOWEVER IN AN ANALOGOUS ART DIRECTED TO THE SAME FIELD OF ENDEAVOR TOUBOUL TEACHES and a function setting step of changing, by a security processing module, the macro function, from which the malware has been detected, into a custom function – Touboul [0099] Resource access diverter 804 further modifies those Downloadable-API IAT entries that correspond with protection policies 342, thereby causing corresponding Downloadable accesses via Downloadable-API IAT 731 to be diverted resource access analyzer 805.
Here, the claimed ‘function setting step’ is taught by Touboul as ‘Resource access diverter 804’ because the diverter is a function that alters the API whereas the claimed ‘macro function’ is taught by Touboul as ‘IAT entries’.  The claimed ‘changing…function’ is taught by Touboul as ‘modifies’ since the macro function was the Downloadable-API IAT entries but now are changed or customized to Downloadable-API IAT 731 function.  This modification permits a third checking step by analyzer 805); and allowing, by the security processing module, the execution of the corresponding macro function to continue when, as a result of the checking, it is determined that the corresponding macro function has not been changed into a custom function – Touboul [0099] Resource access diverter 804 further modifies those Downloadable-API IAT entries that correspond with protection policies 342.  Here, the claimed ‘has not been changed’ is taught by Touboul as ‘that correspond’ because the downloadable tables that do not correspond with the policies 342 do not correspond and therefore are not modified.  The rationale for incorporating the features of Touboul with the invention of Waghorn in claim 1 apply here in claim 5).

             As to claim 6, claim 6 is a system that is directed to the method of claim 1.  Therefore claim 6 is rejected for the reasons as set forth in claim 1.   

            As to claim 7, the combination of Waghorn and Touboul teaches the system of claim 6, wherein: the code information storage unit stores macro function policies - Waghorn [0036] A definition management facility 114 may provide timely updates of definition files information to the network, client facilities, and the like. New and altered malicious code and malicious applications may be continually created and distributed to networks worldwide);
the security processing module searches the macro function policies and the malware information in the code information storage unit - Waghorn [0028] The updates may include a planned update, an update in reaction to a threat notice, an update in reaction to a request for an update, an update based on a search of known malicious code information, or the like), and determines whether or not to block a corresponding macro function based on results of the searching - Waghorn [0029] The threat management facility 100 may provide a policy management facility 112 that may be able to block non-malicious applications, such as VoIP, instant messaging, peer-to-peer file-sharing, and the like, that may undermine productivity and network performance within the enterprise facility 102); and
the UI module implements a notification presentation function performed in a processing process of the security processing module - Waghorn [0092 and 0154] since at ’92 The event graph may also or instead be displayed to a user of the system 300 or endpoint 310, e.g., using an interactive user interface or the like since at ‘154. … Numerous remediation techniques are known in the art and may be usefully employed to remediate an endpoint, This may include notifying an administrator or user).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 7:00 a.m. to 3:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
/WILLIAM B JONES/ Examiner, Art Unit 2491
03/12/2022


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491