Prosecution Insights
Last updated: July 17, 2026
Application No. 16/786,692

METHODS AND APPARATUS FOR MALWARE THREAT RESEARCH

Final Rejection §103§112
Filed
Feb 10, 2020
Priority
Feb 15, 2011 — provisional 61/443,095 +1 more
Examiner
SAVENKOV, VADIM
Art Unit
2432
Tech Center
2400 — Computer Networks
Assignee
Open Text Inc.
OA Round
8 (Final)
62%
Grant Probability
Moderate
9-10
OA Rounds
0m
Est. Remaining
82%
With Interview

Examiner Intelligence

Grants 62% of resolved cases
62%
Career Allowance Rate
193 granted / 314 resolved
+3.5% vs TC avg
Strong +21% interview lift
Without
With
+20.8%
Interview Lift
resolved cases with interview
Typical timeline
3y 4m
Avg Prosecution
30 currently pending
Career history
371
Total Applications
across all art units

Statute-Specific Performance

§101
1.6%
-38.4% vs TC avg
§103
92.0%
+52.0% vs TC avg
§102
2.6%
-37.4% vs TC avg
§112
2.3%
-37.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 314 resolved cases

Office Action

§103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application is being examined under the pre-AIA first to invent provisions. Response to Amendment / Arguments Regarding claims rejected under 35 USC 103: Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Satish (US 8,239,915 B1). Claim Objections Claim 1 is objected to because of the following informalities: the “presenting, on a display… of the second group of plural objects” limitation lacks a comma / semicolon. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-4 and 6-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Independent claim 1 recites “determining that a respective user query identifies a potential malware threat based on repeated similar queries and respective query results corresponding to returned malware objects in the database; responsive to determining that the respective user query identifies a potential malware threat, automatically creating a rule from the respective user query, wherein the rule is configured to be applied based on a determination of a creator of a received object.” This is considered to be new matter which was not described in the specification because the instant specification does not describe consideration of “potential” in “a potential malware threat.” The relevant paragraphs of the instant specification are [0032], [0033], [0147], [0150], and [0153]. These concern consideration “that the query is deterministic in identifying malware,” “returning malware objects, or if a researcher consistently takes the action of determining the objects to be malware,” “that a query (Q5) is deterministic in classifying the objects returned by a query as safe or unsafe,” and “[i]f the same query is being run repeatedly by a user and returning malware objects, or if a researcher consistently takes the action of determining the objects to be malware.” What is tracked is only a determination that an object is malware rather than “a potential malware threat.” While [0147] states that “[t]he user can then take the appropriate action, such as tagging the objects returned by the query as malware, not malware, or suspicious and requiring further investigation,” the suspicious tag is not part of the consideration for generating a rule. The dependent claims do not rectify this issue and are therefore likewise rejected. Claim Rejections - 35 USC § 103 The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action: (a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made. Claims 1, 4, 6-15, 17, and 19 is/are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Ahuja (US 2013/0246371 A1) in view of Morris (US 2007/0016953 A1), Rubin (US 8,862,621 B1), and Satish (US 8,239,915 B1). Regarding claim 1, Ahuja discloses: A computer program product comprising a non-transitory computer- readable medium storing thereon a set of instructions executable by a processor, the set of instructions comprising instructions for: receiving [Hash / Signature] data about a computer object from each of plural remote computers on which the computer object is located; Refer to at least [0029], [0031]-[0032], and [0044]-[0053] of Ahuja with respect to object capture and classification, the classification involving signatures storing said [Hash / Signature] data in a database; Refer to at least FIG. 5 and [0055]-[0063] of Ahuja with respect to storage of object data such as that of indexing and signature data. presenting, on a display and in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, Refer to at least [0067], [0073], and [0096] of Ahuja with respect to an initial search / query focused on specific object data. information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group of plural objects, and information relating to one or more [Hashed / Tagged] attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more [Hashed / Tagged] attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more [Hashed / Tagged] attributes of the second group of plural objects, Refer to at least the abstract, [0068], [0072], [0074], [0078], and [0101] of Ahuja with respect to automatically obtaining additionally relevant object data responsive to the initial query. Refer to at least FIG. 9A-B with respect to an exemplary display, wherein additionally relevant results are presented to the user, organized according to their relevance and frequency. Refer to at least [0062]-[0063], [0086], and [0092]-[0093] of Ahuja with respect to object attributes and tagging. monitoring queries of the database run by users; Refer to at least [0102] and [0096]-[0099] of Ahuja with respect to monitoring user queries. Ahuja does not specify: that the object is from each of plural remote computers on which the computer object is located; checksum; checksummed; determining that a respective user query identifies a potential malware threat based on repeated similar queries and respective query results corresponding to returned malware objects in the database; and responsive to determining that the respective user query identifies a potential malware threat, automatically creating a rule from the respective user query, wherein the rule is configured to be applied based on a determination of a creator of a received object. However, Ahuja in view of Morris discloses: from each of plural remote computers on which the computer object is located; Refer to at least [0015] of Morris with respect to a base computer receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored. checksum; checksummed; Refer to at least [0007] and [0088] of Morris with respect to checksums: “the request for authorisation to run the file that is sent by a local computer to the central computer may comprise sending a checksum or "signature" or "key" that uniquely represents the file.” The teachings of both Ahuja and Morris concern securing data and creating security rules, and are considered to be within the same field of endeavor and combinable as such. Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja to further comprise obtaining additional data (from multiple computers and of multiple different types of objects) for at least the purpose of increasing security through increased coverage. It further would have been obvious to modify the teachings to use a checksum because the substitution of one known element for another (hashes for checksums) would have yielded predictable results to one of ordinary skill in the art at the time of the invention. Ahuja-Morris discloses observing the frequency of user query expressions (e.g., [0100]-[0101] of Ahuja) and rule authoring (e.g., [0037] of Ahuja), but does not specify: determining that a respective user query identifies a potential malware threat based on repeated similar queries and respective query results corresponding to returned malware objects in the database; and responsive to determining that the respective user query identifies a potential malware threat, automatically creating a rule from the respective user query, wherein the rule is configured to be applied based on a determination of a creator of a received object. However, Ahuja-Morris in view of Rubin discloses: determining that a respective user query identifies a potential malware threat (both Ahuja and Rubin—e.g., Col. 1, Ll. 23-26—concern identifying threats, where Ahuja concerns malware threats specifically) based on repeated similar queries and respective query results corresponding to returned malware objects in the database (see at least Col. 4, Ll. 32-44&60-62 and Col. 5, Ll. 20-24 of Rubin with respect to querying its database and respective returned data for evaluation); Refer to at least FIG. 1, Col. 2, Ll. 8-12, Col. 2, Ll. 21-22, Col. 4, Ll. 31-36, and Col. 5, Ll. 20-27 of Rubin with respect to determining whether a user query identifies threats (i.e., whether it is “useful” in identifying threats) in view of recursive query analysis. and responsive to determining that the respective user query identifies a potential malware threat, automatically creating a rule from the respective user query. Refer to at least FIG. 1 and Col. 5, Ll. 28-43 of Rubin with respect to storing a query sequence to enable automatic repetition with less user inputs, where the storing is responsive to determining that the query is useful. The teachings of Ahuja-Morris and Rubin concern guided threat analysis and remediation, and are considered to be within the same field of endeavor and combinable as such. Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris to further include cumulative representation and capture of analyst expertise (e.g., Col. 2, Ll. 21-22 of Rubin) for at least the reasons provided in Col. 1, Ll. 24-26 of Rubin (i.e., automating threat analysis to improve an analyst’s performance). Ahuja-Morris-Rubin discloses author/vendor information as part of object data (e.g., Tables 1&2 of Ahuja; [0018] and [0087] of Morris), but does not specify: wherein the rule is configured to be applied based on a determination of a creator of a received object. However, Ahuja-Morris-Rubin in view of Satish discloses: wherein the rule is configured to be applied based on a determination of a creator of a received object. Refer to at least 313 in FIG. 3 and Col. 7, Ll. 54-Col. 8, Ll. 67 of Satish with respect to generating rules based on vendor/issuer reputation. The teachings of Satish likewise concern securing data and creating security rules, and are considered to be within the same field of endeavor and combinable as such. Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris-Rubin to further include vendor reputation as part of generating the rule for at least the purpose of improving user experience (i.e., not blocking 1st party applications and updates) and increasing security through increased coverage (i.e., completely unknown vendors or vendors with a bad reputation are more likely to be associated with malware). Regarding claim 4, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for: identifying a commonality of one or more attribute values between the second group of plural objects; and refining a query in accordance with the commonality. Refer to at least the abstract, [0073]-[0078], and [0101] of Ahuja with respect to iterative search queries. Regarding claim 6, it is rejected for substantially the same reasons as claim 5 above (i.e., the citations and obviousness rationale). Regarding claim 7, it is rejected for substantially the same reasons as claim 5 above (i.e., the citations and obviousness rationale). Regarding claim 8, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 7, wherein the set of instructions further comprises instructions for: storing a classification of the object as safe or unsafe according to the rule in the database. Refer to at least [0034]-[0037] of Ahuja with respect to rule creation and object classification. Regarding claim 9, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 8, wherein the set of instructions further comprises instructions for: receiving an indication from a remote computer that an object classified as malware by said rule is believed not to be malware; and amending or deleting the rule in accordance with said indication. Refer to at least [0118] of Morris with respect to continually monitoring at remote computers and updating a classification based on newer data. Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris-Rubin-Satish to further continual monitoring and updating classifications for at least the purpose of reducing false positives and false negatives. Regarding claim 10, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for sending the rule to a remote computer such that the remote computer can apply the rule to an object at the remote computer. Refer to at least FIG. 3 and [0033]-[0035] of Ahuja with respect to a capture system and its capture rules; applying the rule via actions taken. This claim would have been obvious for substantially the same reasons as claim 1 above. Regarding claims 11-12, they are substantially similar to claims 8-9 above, and are therefore likewise rejected for substantially the same reasons. Regarding claim 13, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for receiving actor information pertaining to an actor object performing an act and victim information pertaining to a victim object upon which the act is being performed. Refer to at least FIG. 10A of Ahuja with respect to source and destination information for rules. Regarding claim 14, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 1, wherein the one or more checksummed attributes correspond to an object pathname and an object filename. Refer to at least TABLE1-2 and [0061] of Ahuja. Refer to at least the abstract of Morris with respect to pathname and filename. This claim would have been obvious for substantially the same reasons as claim 1 above. Regarding claim 17, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for maintaining a count tracking a number of times that the checksum data is received. Refer to at least [0085] of Morris stating that “the community database 7 may keep a log of each instance of the process which is found by the many remote computers 2 forming part of the network and after a particular number of instances have been recorded, possibly with another particular number of instances or the process being allowed to run and running safely, the signature in the community database 7 may then be marked as safe rather than unsafe.” Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris-Rubin-Satish to further implement additional metadata (number of instances) for at least the purpose of increasing security through increased coverage. Regarding claim 19, Ahuja-Morris-Rubin-Satish discloses: The computer program product of claim 1, wherein information relating to another group of plural objects comprises a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects. Refer to at least [0080]-[0084] of Morris with respect to known safe, known malicious, and unknown objects. This claim would have been obvious for substantially the same reasons as claim 1 above. Claims 2-3, 15, and 18-19 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Ahuja-Morris-Rubin-Satish as applied to claims 1, 4, 6-15, 17, and 19 above, and further in view of Thorman (US 2005/0131959 A1). Regarding claim 18, Ahuja-Morris-Rubin-Satish does not specify: wherein the set of instructions further comprises instructions for presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects. However, Ahuja-Morris-Rubin-Satish in view of Thorman discloses: wherein the set of instructions further comprises instructions for presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects. Refer to at least the abstract, [0020], [0024], and [0031] of Thorman with respect to information concerning the uniqueness and/or overlap of objects being indicated via color, icons, and/or other graphical means. The teachings of Ahuja-Morris-Rubin-Satish concern a GUI for displaying object information, and are considered to be combinable with those of Thorman concerning the same. Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris-Rubin-Satish to further include graphical representations of commonality for at least the purpose of increasing ease-of-use for an analyst as per at least [0003]-[0007] of Thorman. Regarding claim 19, it is rejected for substantially the same reasons as claim 18 above (i.e., the citations and obviousness rationale). Regarding claim 2, Ahuja-Morris-Rubin-Satish-Thorman discloses: The computer program product of claim 1, wherein the information relating to the second group of plural objects is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the objects. Refer to at least FIG. 9A-B of Ahuja with respect to an exemplary GUI. Refer to at least FIG. 4-8 of Thorman with respect to an exemplary GUI. This claim would have been obvious for substantially the same reasons as claim 1 above. Regarding claim 3, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Thorman and the obviousness rationale). Regarding claim 15, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Thorman and the obviousness rationale). Claim 16 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Ahuja-Morris-Thorman-Rubin as applied to claims 1, 4, 6-15, 17, and 19 above, and further in view of Ramzan (US 2011/0040825 A1). Regarding claim 16, Ahuja-Morris-Rubin-Satish does not specify: wherein the set of instructions further comprises instructions for determining a popularity of the computer object based on the count. However, Ahuja-Morris-Rubin-Satish in view of Ramzan discloses: wherein the set of instructions further comprises instructions for determining a popularity of the computer object based on the count. Refer to at least [0050] of Ramzan, which states that “the object reputation module 306 calculates the reputation scores for objects based at least in part on the reported prevalence of the objects on the clients. Objects that are widely distributed among clients, such as a popular word processing application, are more likely to be legitimate, while objects that are rarely encountered by the clients may be malware.” The teachings of Ramzan likewise concern detecting malicious objects, and are considered to be within the same field of endeavor and combinable as such. Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris-Rubin-Satish to further implement an object reputation based on its prevalence and popularity for at least the purpose of filtering out extremely well known and used programs as in Ramzan for reducing computational load. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432 /V.S/Examiner, Art Unit 2432
Read full office action

Prosecution Timeline

Show 15 earlier events
Nov 13, 2024
Examiner Interview Summary
Dec 16, 2024
Response Filed
Apr 02, 2025
Final Rejection mailed — §103, §112
Jun 26, 2025
Request for Continued Examination
Jun 30, 2025
Response after Non-Final Action
Sep 16, 2025
Non-Final Rejection mailed — §103, §112
Dec 23, 2025
Response Filed
Jun 03, 2026
Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639449
SYSTEM AND METHOD FOR SCANNING CONTAINERS FOR VULNERABILITIES
2y 4m to grant Granted May 26, 2026
Patent 12632534
ACCESSING SECURE SYSTEM RESOURCES BY LOW PRIVILEGE PROCESSES
7y 12m to grant Granted May 19, 2026
Patent 12613999
DETECTING ELECTRONIC SYSTEM MODIFICATION
6y 10m to grant Granted Apr 28, 2026
Patent 12608482
DETERMINING A SECURITY SCORE IN BINARY SOFTWARE CODE
6y 5m to grant Granted Apr 21, 2026
Patent 12608501
Privacy-Preserving Log Analysis
5y 11m to grant Granted Apr 21, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

9-10
Expected OA Rounds
62%
Grant Probability
82%
With Interview (+20.8%)
3y 4m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 314 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month