Ex Parte Klein
Patent Trial and Appeal Board
Jun 26, 2018
14181843 (P.T.A.B. Jun. 26, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/181,843
FILING DATE: 02/17/2014
FIRST NAMED INVENTOR: Amit Klein
ATTORNEY DOCKET NO.: 2376-US
CONFIRMATION NO.: 1062

127233 7590 06/26/2018
Daniel J. Swirsky
11 Reuven Street
Beit Shemesh, 9954419
ISRAEL

EXAMINER: TRUONG, THANHNGA B
ART UNIT: 2438
PAPER NUMBER:
MAIL DATE: 06/26/2018
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte AMIT KLEIN

Appeal 2018-001929
Application 14/181,843¹
Technology Center 2400

Before CARLA M. KRIVAK, HUNG H. BUI, and JON M. JURGOVAN, Administrative Patent Judges.

BUI, Administrative Patent Judge.

DECISION ON APPEAL

Appellant seeks our review under 35 U.S.C. § 134(a) from the Examiner's Final Rejection of claims 1, 2, and 4-13, which are all the claims pending in the application. We have jurisdiction under 35 U.S.C. § 6(b). We REVERSE.²

¹ According to Appellant, the real party in interest is International Business Machines Corporation. App. Br. 2.

² Our Decision refers to Appellant's Appeal Brief ("App. Br.") filed July 26, 2017; Reply Brief ("Reply Br.") filed December 18, 2017; Examiner's Answer ("Ans.") mailed October 16, 2017; Final Office Action ("Final Act.") mailed March 1, 2017; and original Specification ("Spec.") filed February 17, 2014.
STATEMENT OF THE CASE

Appellant's invention relates to a method and system "for finding [a] potentially harmful malware dropper on an infected computer system" and "obtaining dropper samples which can be studied and analyzed ... to develop specific antidotes." Spec. 2-3. In one aspect, Appellant's invention finds a potentially harmful malware dropper by "identifying an executable file that is about to run" and "providing a storage agent that stores a copy of said executable file for a later inspection." Abstract.

Claims 1, 9, and 11 are independent. Representative claim 1 illustrates Appellant's invention, as reproduced below:

1. A method for facilitating finding a potentially harmful malware dropper on a computer system, comprising the steps of:

a) identifying an executable file upon execution of said executable file on a computer;

b) storing, responsive to identifying said executable file upon execution of said executable file on said computer, a copy of said executable file in a database; and

c) inspecting said copy of said executable file responsive to detecting malware on said computer and subsequent to said executable file deleting said executable file from said computer,

wherein the identifying and storing are embodied in computer-readable instructions stored on a computer-readable medium for execution by a computer processor.

App. Br. 14-16 (Claims App'x).

Evidence Considered

Mashevsky    US 8,572,740 B2    Oct. 29, 2013
Okereke      US 9,336,389 B1    May 10, 2016
Hollander    US 6,823,460 B1    Nov. 23, 2004

EXAMINER'S REJECTIONS³

(1) Claims 1, 2, and 4-11 stand rejected under 35 U.S.C. § 103 as being unpatentable over Mashevsky and Okereke.⁴ Final Act. 6-9.⁵

(2) Claims 12 and 13 stand rejected under 35 U.S.C. § 103 as being unpatentable over Mashevsky, Okereke, and Hollander. Final Act. 9-10.
³ Claims 1, 2, and 4-13 were rejected under 35 U.S.C. § 101 as directed to non-statutory subject matter. Final Act. 3-5. However, this rejection was withdrawn in the Examiner's Answer, and is thus, not before us. (Ans. 3.)

⁴ The Examiner's summary of this rejection incorrectly refers to the pre-America Invents Act ("pre-AIA") § 103(a) instead of AIA § 103 that is applicable to the present application (having an effective filing date of February 17, 2014). See Final Act. 6. However, we find this oversight on the Examiner's part is harmless error, as we are aware of no prejudice to Appellant resulting from this error.

⁵ Although claims 12 and 13 are listed in the summary of this rejection (see Final Act. 6), claims 12 and 13 are actually rejected under Mashevsky, Okereke, and Hollander (see Final Act. 9).

ANALYSIS

With respect to claim 1, the Examiner finds Mashevsky teaches identifying an executable file, such as a Trojan-Dropper, upon its execution on a computer, and testing the executable file for malware presence. Final Act. 6 (citing Mashevsky 3:39-43, 3:55-59, 4:47-5:6); Ans. 4. The Examiner further finds Okereke stores denied and approved applications in a data store, thereby teaching a file copy is stored in a database, as claimed. Ans. 3-4 (citing Okereke 4:13-22). The Examiner also finds Okereke teaches the claimed "inspecting said copy of said executable file responsive to detecting malware on said computer and subsequent to said executable file deleting said executable file from said computer" because Okereke discloses

    if malware is detected in the application code 242, the application 230 may be flagged and/or added to the denied applications 230 in data store 212 and one or more events 254 may be initiated. Events 254 may comprise, for example, actions predefined by an operator and/or moderator of the malware detection services 224 to be conducted in the event malware is detected.
    As a non-limiting example, an event 254 may comprise an automatic quarantine of the application 230. In an alternative embodiment, an event 254 may comprise an automatic deletion of the application 230.

(Ans. 4 (citing Okereke 8:51-60)).

We do not agree. We agree with Appellant that Mashevsky and Okereke, alone or in combination, fail to teach or suggest inspecting a copy of an executable file responsive to detecting malware on the computer and subsequent to the executable file deleting itself from the computer, as recited in claim 1. App. Br. 12; Reply Br. 3. As Appellant contends, Okereke "stor[es] copies of applications ... in a data store 212 after they have been inspected for malware" and "prior to their [i.e., applications'] execution, whereupon the applications are checked for the presence of malware in order to determine whether they may be allowed to be executed." Reply Br. 3 (citing Okereke 4:13-30, 4:57-60); App. Br. 12. This is in contrast to Appellant's claimed "storing a copy" of an executable file (e.g., an application) "responsive to identifying the executable file upon execution of the executable file on the computer." App. Br. 12.

Okereke also does not teach "inspecting the [executable file's] copy after detecting malware on the computer and subsequent to the executable file deleting itself from the computer," as required by claim 1. Reply Br. 3 (emphasis added). Rather, Okereke inspects an application for malware before allowing execution of the application, and Okereke commands the application's deletion or quarantine when malware is detected. App. Br. 12 (citing Okereke 8:51-60); see also Okereke 3:61, 7:6-13. In fact, Okereke does not discuss actions being performed subsequent to a file deleting itself from the computer as required by claim 1. Reply Br. 3; App. Br. 12.

Mashevsky does not make up for the above-noted deficiencies of Okereke.
Although Mashevsky discloses inspecting a Trojan-Dropper for malware, Mashevsky does not disclose inspecting a Trojan-Dropper's copy subsequent to the Trojan-Dropper deleting itself from the computer. The Examiner also has not shown that the additional teachings of Hollander make up for the above-noted deficiencies of Mashevsky and Okereke.

Thus, for the reasons set forth above, we do not sustain the Examiner's obviousness rejection of independent claim 1, independent claims 9 and 11 reciting similar limitations, and claims 2, 4-8, 10, 12, and 13 dependent therefrom. App. Br. 13.

CONCLUSION

On the record before us, we conclude Appellant has demonstrated the Examiner erred in rejecting claims 1, 2, and 4-13 under 35 U.S.C. § 103.

DECISION

As such, we REVERSE the Examiner's final rejection of claims 1, 2, and 4-13.

REVERSED