DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d).  Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  Such claim limitation(s) is/are: “hardware processor is configured to parse/select/check” in claim 1.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 3, 10, and 17 contain the trademark/trade name “Microsoft™” and “Office™”.  Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph.  See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982).  The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product.  A trademark or trade name is used to identify a source of goods, and not the goods themselves.  Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name.  In the present case, the trademark/trade name is used to identify/describe a product and, accordingly, the identification/description is indefinite.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Soeder et al, U.S. Patent 10,394,686.

As per claim 1, it is taught of a system for analyzing a structured file for malicious content, comprising:
a memory (col. 2, lines 15-22); and
at least one hardware processor that is coupled to the memory (col. 2, lines 15-22) and configured to:
parse the structured file into a plurality of portions (additional code and data)(col. 4, lines 19-21 and col. 6, lines 46-52);
select a selected portion of the plurality of portions (col. 6, lines 46-52);
check the selected portion to determine if at least one pre-condition is met (training process checks values used for comparison of captured samples to determine if they are malicious/benign, col. 6, lines 18-33); and
in response to determining that the at least one pre-condition is met (reading and parsing of code and data is performed in loops to go through iterations of the code contained within the structured file to ensure that all of the code has been discovered, col. 4, lines 19-21, 36-45, and 60-67):
decode (disassembling) the selected portion to form a decoded portion (col. 4, lines 47-55 and col. 6, lines 46-52); and
check the decoded portion to determine if it is malicious (col. 2, lines 37-40 and col. 6, lines 22-28).
As per claims 2, 9, and 16, it is disclosed wherein the at least one pre-condition can be changed (dynamic analysis is performed due to changing of state information, col. 3, lines 22-31).
As per claims 3, 10, and 17, it is taught wherein the structured file is a MICROSOFT OFFICE XML file (structure files are defined as any portable executable format files that are used by Windows™ operating system, col. 1, lines 24-30).
As per claims 4, 11, and 18, it is disclosed wherein the selected portion is a file (col. 6, lines 46-52).
As per claims 5, 12, and 19, it is taught wherein the at least one pre-condition checks at least one attribute (metadata) of the selected portion (col. 3, lines 47-50).
As per claims 6 and 13, it is disclosed wherein decoding the selected portion comprises decompressing the selected portion (extraction of features for the portion of the structured file, col. 6, lines 46-52).
As per claims 7, 14, and 20, it is taught wherein checking the decoded portion to determine if it is malicious comprises checking whether a previously decoded portion of the structure file meets at least one condition (comparison of captured samples to determine if they are malicious/benign, col. 2, lines 37-40 and col. 6, lines 18-33). 
As per claim 8, it is disclosed of a method for analyzing a structured file for malicious content, comprising:
parsing the structured file into a plurality of portions (additional code and data)(col. 4, lines 19-21 and col. 6, lines 46-52);
selecting a selected portion of the plurality of portions (col. 6, lines 46-52);
checking the selected portion to determine if at least one pre-condition is met (training process checks values used for comparison of captured samples to determine if they are malicious/benign, col. 6, lines 18-33); and
in response to determining that the at least one pre-condition is met (reading and parsing of code and data is performed in loops to go through iterations of the code contained within the structured file to ensure that all of the code has been discovered, col. 4, lines 19-21, 36-45, and 60-67):
decoding (disassembling) the selected portion to form a decoded portion (col. 4, lines 47-55 and col. 6, lines 46-52); and
checking the decoded portion to determine if it is malicious (col. 2, lines 37-40 and col. 6, lines 22-28).
As per claim 15, it is disclosed of a non-transitory computer-readable medium containing computer executable instructions that, when executed by a processor (col. 2, lines 15-22), cause the processor to perform a method for analyzing a structured file for malicious content, the method comprising:
parsing the structured file into a plurality of portions (additional code and data)(col. 4, lines 19-21 and col. 6, lines 46-52);
selecting a selected portion of the plurality of portions (col. 6, lines 46-52);
checking the selected portion to determine if at least one pre-condition is met (training process checks values used for comparison of captured samples to determine if they are malicious/benign, col. 6, lines 18-33); and
in response to determining that the at least one pre-condition is met (reading and parsing of code and data is performed in loops to go through iterations of the code contained within the structured file to ensure that all of the code has been discovered, col. 4, lines 19-21, 36-45, and 60-67):
decoding (disassembling) the selected portion to form a decoded portion (col. 4, lines 47-55 and col. 6, lines 46-52); and
checking the decoded portion to determine if it is malicious (col. 2, lines 37-40 and col. 6, lines 22-28).  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Staniford et al, US 2011/0247072 is relied upon for disclosing of examining portions of a portable document format for malicious content, see paragraph 0012.
Stocks et al, US 2021/0397703 is relied upon for disclosing of analyzing a spreadsheet for suspicious information, see paragraph 0060.
Albero et al, US 2021/0406372 is relied upon for disclosing of detecting suspicious information in a spreadsheet file, see paragraph 0046.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431