DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 06/29/2022 has been entered. 
Response to Amendment
This action is in response to the communications and remarks filed on 06/29/2022. Claims 19-25 were previously canceled. Claims 1-18 have been examined and are pending.
Response to Arguments
Applicant's amendments and arguments (see pages 8-11 of remarks) have been fully considered and are persuasive. In response to Applicant's arguments regarding claims 1-18, and after a complete search of the entire relevant prior art, the examiner has determined the claims are in condition for allowance. The previous 103 rejections of claims 1-18 have been withdrawn.
Examiner’s Comments
The claims are now in condition for allowance.
Allowable Subject Matter
Applicant's arguments have been considered and are determined to be persuasive. Accordingly, the previously presented rejections are withdrawn.
Claims 1-18 are allowed.
The following is an examiner's statement of reasons for allowance:
The closest prior art, as previously recited, Maikowski DE20201008488U1, Dotan 20100058472A1, Singh 20170223046 A1, Gordon 10,051,103 B1, Rhoads 20130295894 A1, and Putnam et al 10915992 B1, are also generally directed to an apparatus for detecting a malicious macro, the apparatus comprising; at least one non-transitory computer readable medium comprising instructions that, when executed, cause at least one processor to at least; and a method for detecting a malicious macro, the method comprising:
a database;  [Maikowski, ¶0072]
at least one memory; [Maikowski, ¶0072]
instructions;  [Maikowski, ¶0026]
processor circuitry to execute the instructions to:  [Maikowski, ¶0201 and 0204]
detect execution of a macro-executing process; [Dotan, ¶0005: Macros are programs written in high-level languages; ¶0112: client server scans for running one or more detected programs/macros]
in response to detection of the macro-execution process, capture a cropped portion of a screen buffer as an image, the image including a displayed user interface; [Singh, ¶¶0378 and 0383: Fig. 18 illustrates examples of data 180 collected over the course of an incident from processes and monitoring tools analyzing suspect network traffic in an emulated network 1816. File activity 1826 can include components such as macros and scripts extracted from files; captured by processes executing the static analysis that produce output of virus scanners, de-compilers, emulators, and so on. Gordon, Col 20, lines 26-35: triggered one or more actions include editing a photo (e.g. crop); Col 20, lines 41-45: in response to a trigger from a response by a user; Putnam, Col 16, lines 4-11: imaging assembly 33 can continue to capture images of a specimen until determined image matches focus, exposure, etc. other parameters of reference images]
analyze the image to determine an image similarity to a stored image in the database, the database to store interfaces; [Rhoads, ¶¶0087-0088 and 0127-0128: a universal pixel segmenter process of image sensor uses pattern and template matching of downloaded applications through SIFT object recognition image data/ image 43 captured by users' cell phone device user interface, can be analyzed to determine matches with harvested image data/ image 43 and their metadata. ¶0285: provides automatic recognition of objects depicted in images. ¶¶0032 and 00349-0350: image data submitted by user identifies matches from any image data stored in database to perform search. A system responds to images captured or wirelessly received from cell phones/related portable device 110, which can be buffered for analysis of metadata, textual metadata and/or patterns inferred from displayed images of its user interface.]
perform a responsive action in response to the image similarity meeting or exceeding a similarity threshold. [Li, ¶0048: a reference image similarity score is greater than a reference image similarity threshold].
However, none of Maikowski, Dotan, Singh, Gordon, Rhoads, and Putnam teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1, 7, and 13. For example, none of the cited prior art teaches or suggests, in response to detection of the macro-execution process, capture a cropped portion of a screen buffer as an image, the image including a displayed user interface of the macro-executing process; analyze the image to determine an image similarity to a stored image in the database, the database to store malicious macro interfaces, in view of other limitations of claims 1, 7, and 13.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
The closest prior art made of record are:
Neel (10579796 B1) teaches systems and methods in which executing scanning software, such as an executable software program or script (e.g., PowerShell script), by a computing device of an enterprise, such as a security server, may instruct the computing device to search all or a subset of computing devices in an enterprise network. The scanning software may identify PowerShell scripts containing particular malware attributes, according to a malicious-code dataset. The computing system executing the scanning software may scan through the identified PowerShell scripts to identify particular strings, values, or code-portions, and take a remedial action according to the scanning software programming. (Col 5, lines 40-45).
Dotan (20100058472 A1) teaches a method that protects computer data from untrusted programs. Each computer's object and process is assigned trust attributes, which define the way it can interact with other objects within the system. When an object is classified as untrusted, it can interact with other objects within the system on a limited basis. A virtualized system is provided on the computer so that when the untrusted object attempts to perform an operation that is outside its scope of authorization, the virtualized system intercepts the operation but presents the untrusted program with an indication that the requested operation has been performed. The method further includes processes to securely move a program from an untrusted group to a trusted group. (¶¶0005, 0052, 0063, 0070 and 0112).
Kjar (11184379 B1) teaches systems, methods, and products comprising an analytic server, which automatically detects malicious electronic files. The analytic server receives electronic files, runs a file extraction module to recursively scan the electronic files, and extracts all of the embedded and linked electronic files. The analytic server runs an exploit scanner against the extracted electronic files, and extracts code included in the electronic files. The analytic server deobfuscates the extracted code and examines the deobfuscated code by applying a set of malicious behavior rules against the deobfuscated rules. The analytic server identifies potentially malicious electronic files based on the examination. The analytic server applies a set of whitelist rules on the potentially malicious electronic files to eliminate false alarms. The analytic server transmits alert notifications to an analyst regarding the malicious electronic files and updates the whitelist rules based on analyst's feedback. (Col 7, lines 59-64; Col 14, lines 1-4 and 8-60).
Gordon (10,051,103 B1) teaches a system, method, and computer program product provided to: receive, utilizing the touchscreen, an indication of a second touch input for trace path-based selection of a first photo of a second set of multiple of the plurality of photos in the grid; in response to the receipt of the indication of the second touch input for trace path-based selection of the first photo of the second set of multiple of the plurality of photos in the grid, cause selection of the first photo of the second set of multiple of the plurality of photos in the grid, change at least one visual aspect of the first photo of the second set of multiple of the plurality of photos in the grid, add a check mark icon to the first photo of the second set of multiple of the plurality of photos in the grid; receive, utilizing the touchscreen, an indication of a continuation of the second touch input for trace path-based selection of a second photo of the second set of multiple of the plurality of photos in the grid; and in response to the receipt of the indication of the continuation of the second touch input for trace path-based selection of the second photo of the second set of multiple of the plurality of photos in the grid, cause selection of the second photo of the second set of multiple of the plurality of photos in the grid, change at least one visual aspect of the second photo of the second set of multiple of the plurality of photos in the grid, and add a check mark icon to the second photo of the second set of multiple of the plurality of photos in the grid. (¶¶0361 and 0338).
Lee (20210342979 A1) teaches an inspection apparatus includes a specimen stage configured to retain a specimen, at least three imaging devices arranged in a triangular array positioned above the specimen stage, each of the at least three imaging devices configured to capture an image of the specimen, one or more sets of lights positioned between the specimen stage and the at least three imaging devices, and a control system in communication with the at least three imaging devices. (¶¶0005 and 0172).
Rattner (20220138972 A1) teaches a method for aligning a removably attachable skin analysis device to a mobile device. The method is particularly applicable to skin analysis devices comprising a housing that defines a housing aperture, the housing aperture comprising a housing aperture center and wherein the housing aperture is centered on a camera of the mobile device when the skin analysis device is in an aligned position, and the method includes capturing, with the camera, a current position image, wherein the current position image comprises at least a portion of the housing aperture, processing the current position image to determine if the current position is the aligned position and communicating a message from the processing. (¶¶0028, 0138, 0142-0145 and 0168).
Van Hoeckel (20170118394 A1) teaches a method and device for autofocusing a macro object by an imaging device. The imaging device includes a lens. In one aspect, the method includes: providing two or more focus perimeters in a viewfinder; obtaining a group of focus values, the group of focus values including at least one focus value associated with each of the two or more focus perimeters, each focus value in the group of focus values including a magnitude and a direction for causing movement of the lens; comparing focus values in the group of focus values to identify a macro object focus value; and in response to identifying the macro object focus value, determining autofocus settings based on the macro object focus value. (¶¶0044 and 0108).
Singh (20170223046 A1) teaches systems, methods, and computer-program products for a targeted threat intelligence engine, implemented in a network device. The network device may receive incident data, which may include information derived starting at detection of an attack on the network until detection of an event. The network device may include analytic engines that run in a predetermined order. An analytic engine can analyze incident data of a certain data type, and can produce a result indicating whether a piece of data is associated with the attack. The network device may produce a report of the attack, which may include correlating the results from the analytic engines. The report may provide information about a sequence of events that occurred in the course of the attack. The network device may use the record of the attack to generate indicators, which may describe the attack, and may facilitate configuring security for a network. (¶¶0378 and 0383).
Pogorelik (20170091467 A1) teaches a computing apparatus, including: a trusted execution environment (TEE); and one or more logic elements providing a collaboration engine within the TEE, operable to: receive a change to a secured document via a trusted channel; apply a change to the secured document; log the change to a ledger; and display the document to a client device via a protected audio-video path (PAVP). There is also disclosed a method of providing a collaboration engine, and a computer-readable medium having stored thereon executable instructions for providing a collaboration engine. (¶¶0011 and 0033).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Sakinah White Taylor/Primary Examiner, Art Unit 2497