DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is a response to an application filed 08/22/2022 wherein claim 1 is pending and ready for examination.

Response to Arguments
Applicant’s arguments, see Remarks, filed 08/22/2022, with respect to the rejection(s) of claims 1-7 under 35 USC §103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made over Wang in view of Harm.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Wang; Yunfeng et al, US 20160156645 A1 June 02, 2016 hereafter referred to as Wang in view of Harm; Michael W et al, US 20110041140 A1 February 17, 2011 hereafter referred to as Harm.

              As to claim 1, Wang teaches a method of checking malware infection of a macro included in a document file – Wang [0055] FIG. 2 is a flow chart illustrating another method for detecting macro viruses the method comprising:
              a first checking step of checking, by a macro detection module, which is a constituent algorithm of software installed on a computer and operating in conjunction with an operating system (OS) of the computer, an input event of a word processor-dedicated document file through an input processor of the OS, and also checking, by the macro detection module, the document file that is a target of the input event – Wang [0060 and 0061] since at ’60 In step 101, if a data file processing program has already performed an opening operation on a target data file but has not yet performed a loading operation on a content of the target data file, a macro virus detecting module pre-registered as a plug-in of the data file processing program is called since at ’61 ... the data file processing program may be Microsoft Office 2007 (the office software developed by the Microsoft Corporation, and the version of which is 2007), and the target data file may be xxx.docx. The macro virus detecting module A is pre-registered as the plug-in of Microsoft Office 2007.  Here, the claimed ‘checking step’ is taught by Wang as ‘step 101’ whereas the claimed ‘macro detection module’ is taught by Wang as ‘a macro virus detecting module’.  The claimed ‘constituent algorithm’ is taught by Wang as ‘pre-registered...plugin’ whereas the claimed ‘operating system’ is taught by Wang as ‘Microsoft’.  The claimed ‘target of the input event’ is taught by Wang as ‘the target data file’);

an extraction step of checking, by the macro detection module, whether a macro has been constructed by analyzing a format, extension, and header structure of the document file, – Wang [0112] ... Therefore, the macro virus detecting module may identify the format of all data files and may perform an internal analysis of the data files, thus improving the coverage of the detected data files. Here, the claimed ‘format, extension, and header structure’ is taught by Wang as ‘format’ since Wang says all data files are identified which would include any header structures or file extensions since all is inclusive.  The claimed ‘analyzing’ is taught by Wang as ‘internal analysis’) and extracting, by the macro detection module, a macro function by decoding a code of a macro encoded in a specified base notation - Wang [0078] According to the VBE object model, the VBE object of the target data file xxx.docx is obtained first, and then CodeModule is obtained according to the VBE object, in which CodeModule represents the macro module. If CodeModule is not obtained, it indicates that there is no macro module in xxx.docx, and if CodeModule is obtained, it indicates that there is the macro module in xxx.docx. Here, the claimed ‘extracting’ is taught by Wang as ‘xxx.docx is obtained’ whereas the claimed ‘a macro function’ is taught by Wang as ‘VBE object’ since the visual basic executable is one such object in the xxx.docx document.  The claimed ‘decoding a code’ is taught by Wang as ‘CodeModule’ which identifies and decodes macros) and then converting the decoded code into a function form when it is determined that the macro has been constructed– Wang [093] ... an execution process and an execution result of the feature matched macro module (the macro module satisfying the predetermined virus feature matching condition or the predetermined micro feature matching condition) is analyzed. In step S104, it is detected whether there is an analysis result in a system. 
In step S105, if there is the analysis result in the system, a reverse repair for the system is performed according to the execution process and the execution result of the feature matched macro module.  Here, the claimed ‘converting’ is taught by Wang as ‘reverse repair’ since the reverse deconstructs the macro into the function form. The claimed ‘function form’ is taught by Wang as ‘execution result’ which outputs the result satisfying feature match);
a detection step of comparing, by the macro detection module, a function form of code information of the extracted macro function with a function form of code information of a macro function infected with a malicious code by the macro detection module that the macro function has been infected with a malicious code when the function forms match each other -Wang [0089] ... In embodiments of the present disclosure, two kinds of warning messages are defined, in which the warning message of “deterministic macro viruses” refers to that, on the basis of the existing antivirus technology, the detected macro module is determined as actually including currently known macro viruses.   Here, the claimed ‘function infected with malicious code’ whereas the claimed ‘comparing’ is taught by Wang as ‘is determined’ since Wang compares known viruses to those in the macro detecting.  The claimed ‘match each other’ is taught by Wang as ‘actually including ... known viruses’ since Wang would not know they were included unless a match happened), and setting, by the macro detection module, a risk level of the macro function according to a risk level of the malicious code with which the macro function has been infected - Harm [0056 and 0129] since at ‘56 ... one or more security levels may be set on each macro, allowing access to other users as determined by the user who created or first saved the macro. For example, the user may set an access security level for the macro and provide the URL of the macro to another person since at ‘129 ... The message included in the dialog box may identify the macro as a potentially un-trusted macro, and further identifying what could happen if the macro is run. The dialog box can, in some implementations, identify a list of potentially harmful acts that are specific to that macro, the list being based upon a scan of the macro. 
Scanning a macro can, for example, help to identify specific potential harmful effects, based in part on text strings in the macro or some other information corresponding to contents of past macros that have been malicious.  Here, the ‘setting’ is taught by Harm as ‘may be set’.  The claimed ‘risk level’ is taught by Harm as ‘security level’ whereas the claimed ‘macro function has been infected’ is taught by Harm as ‘contents .... have been malicious’);
a function setting step of changing, by a security processing module, which is a constituent algorithm of the software, the macro function into a custom function to restrict execution of the macro function infected with the malicious code – Harm [0004] ... applications can include, for example, email and other messaging applications, productivity applications such as spreadsheets and word processors, mapping applications, and mash-ups of various applications that can be presented together in a single presentation (which can be accessed by a user and even developed by the user to provide customized output from a macro);
a second checking step of, when the document file is executed by the word processor installed on the computer, interrupting, by the security processing module, an execution event  for the macro, checking, by the security processing module, whether a custom function is present in the document file, and resuming the execution event of the document file without any subsequent procedure when it is determined that the custom function is not present and checking a security policy according to the risk level set for the corresponding macro function when it is determined that the custom function is present – Harm [0075] Macro execution and resumption functions may be used to start and resume macros. For example, the macro execution function may start the initial execution of the macro. In some cases, execution of the macro may require additional input from the user. In this case, execution of the macro may suspend, or enter a wait state, pending input from the user. Once the user input has been provided, the resume macro function may continue the execution of a macro that had been halted.  Here, the claimed ‘), and
             a macro function blocking step of stopping, by the security processing module, execution of the macro function, when, as a result of the policy checking, the risk level of the macro function infected with the malicious code corresponds to an execution blocking target - Harm [0149] ... A continuation may be used to, in effect, pause a script until a particular time or event has occurred. If no continuation is encountered, processing resumes at step 424, where a determination is made whether an error has been encountered. If no error is encountered, execution of the macro ends successfully at step 430. If an error is encountered at step 424, the user is alerted at step 426 before the macro's execution ends at step 430)., outputting, by the security processing module, a query window regarding whether to block and also collecting, by the security processing module - Harm [0099] A RUN_MACRO request may take a macro name, library id, and serialized representation of the state of the document (e.g., current selection, etc), and invoke the script executor 208 to execute the given macro. If an error occurs, an error message is thrown back to macrocontroller.js for display to the user. If the user has to authorize the macro, a message may be sent back to the macrocontroller.js to prompt the user.  Here, the claimed ‘security processing module’ is taught by Harm as ‘macrocontroller.js’ whereas the claimed ‘a query window’ is taught by Harm as ‘display to the user’ since the module asks the user for authorization via a prompt), a selected value from an operator when the risk level of the macro function infected with the malicious code corresponds to a target set for a specific risk level – Wang [0065] ... 
it may be detected whether the target data file includes a macro module, and if the target data file includes the macro module, the macro virus detecting module pre-registered as the plug-in of the data file processing program is called, and the macro module included in the target data file is detected by the macro virus detecting module.  Here, the claimed ‘selected value ...operator’ is taught by Wang as ‘a program is called’ which requires a command to be selected by the user of the application.  The claimed ‘target set’ is taught by Wang as ‘target data file’ whereas the claimed ‘risk’ is taught by Wang as ‘virus’), and stopping, by the security processing module, execution of the macro function, when the selected value corresponds to blocking of execution - Harm [0106] A corresponding "unlisten" method may be used to cancel a request to receive notifications about events. The call for invoking the unlisten method may take a form such as: unlisten(userName, eventFilter, target); Calling the unlisten method may be the equivalent of canceling or stopping a "listener." Again, the parameters for this command mirror the parameters that would have been used to initiate listening for the event in the first place.  Here, the claimed ‘stopping’ is taught by Harm as ‘stopping a listener’ which cancels the event notification macro function.  The claimed ‘corresponds to blocking’ is taught by Harm as ‘equivalent of canceling’ whereas the claimed ‘selected value’ is taught by Harm as ‘the parameters’), and resuming execution of the macro function when the selected value corresponds to execution - Harm [0150] Continuations may serve as a "snapshot" of the execution state of the script interpreter, freezing execution so that execution may be resumed later. This is conceptually similar to how a breakpoint operates in a debugger, or an "alert" call in standard browser-side execution (e.g., JavaScript.
Here, the claimed ‘resuming’ is taught by Harm as ‘may be resumed’ which also teaches the suspending or stopping because to resume an operation requires the operation to have been previously stopped.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to score the viruses detected by Wang’s macro virus detecting module thereby enabling a quick identification and threat assessment to the viruses in Wang’s viruses database.  Wang is silent on providing a label or score but Harm provides pre-determined threats to viruses.  Providing pre-assessed threat data in Wang’s virus database improves data protection and information security).


2-7. (Canceled)
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 7:00 a.m. to 3:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM B JONES/ Examiner, Art Unit 2491 11/22/2022


/ASHOKKUMAR B PATEL/ Supervisory Patent Examiner, Art Unit 2491