Remarks
Claims 1-18 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/5/2025 has been entered.
Election/Restrictions
Newly amended claims 1-18 are directed to an invention that is independent or distinct from the invention originally claimed for the following reasons:
Applicant has added a portion of the non-elected invention to the elected claims, which is not allowed. Here is a copy of the restriction dated 9/6/2024:
Election/Restrictions
This application contains claims directed to the following patentably distinct species of figure 8 and figure 9. The species are independent or distinct because the claims to the different species recite the mutually exclusive characteristics of such species, such as generating stub libraries to facilitate execution of a sample in an emulated environment in figure 8 and intercepting a loader response for a DLL search and generating a spoofed import response to facilitate execution of the sample in figure 9. In addition, these species are not obvious variants of each other based on the current record.
Applicant is required under 35 U.S.C. 121 to elect a single disclosed species, or a single grouping of patentably indistinct species, for prosecution on the merits to which the claims shall be restricted if no generic claim is finally held to be allowable. Currently, no claim is generic.
There is a serious search and/or examination burden for the patentably distinct species as set forth above because at least the following reason(s) apply:
--the species or groupings of patentably indistinct species have acquired a separate status in the art in view of their different classification;
--the species or groupings of patentably indistinct species have acquired a separate status in the art due to their recognized divergent subject matter; and/or
--the species or groupings of patentably indistinct species require a different field of search (e.g., searching different classes/subclasses or electronic resources, or employing different search strategies or search queries)
Applicant is advised that the reply to this requirement to be complete must include (i) an election of a species to be examined even though the requirement may be traversed (37 CFR 1.143) and (ii) identification of the claims encompassing the elected species or grouping of patentably indistinct species, including any claims subsequently added. An argument that a claim is allowable or that all claims are generic is considered nonresponsive unless accompanied by an election.
The election may be made with or without traverse. To preserve a right to petition, the election must be made with traverse. If the reply does not distinctly and specifically point out supposed errors in the election of species requirement, the election shall be treated as an election without traverse. Traversal must be presented at the time of election in order to be considered timely. Failure to timely traverse the requirement will result in the loss of right to petition under 37 CFR 1.144. If claims are added after the election, applicant must indicate which of these claims are readable on the elected species or grouping of patentably indistinct species.
Should applicant traverse on the ground that the species, or groupings of patentably indistinct species from which election is required, are not patentably distinct, applicant should submit evidence or identify such evidence now of record showing them to be obvious variants or clearly admit on the record that this is the case. In either instance, if the examiner finds one of the species unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103 or pre-AIA 35 U.S.C. 103(a) of the other species.
Upon the allowance of a generic claim, applicant will be entitled to consideration of claims to additional species which depend from or otherwise require all the limitations of an allowable generic claim as provided by 37 CFR 1.141.
In the next response, Applicant elected the species of figure 8 (e.g., claim 1) and withdrew the species of figure 9 (e.g., claim 19). This election is still present and maintained. Therefore, all subject matter related to the non-elected invention must be removed from the claims and has been constructively removed from the interpretation of the claim. Accordingly, the subject matter directed to the non-elected species of figure 9 within claims 1-18 is withdrawn from consideration as being directed to a non-elected invention. See 37 CFR 1.142(b) and MPEP § 821.03. Applicant must remove this non-elected subject matter from the claims in response to this office action.
Since applicant has received an action on the merits for the originally presented invention, this invention has been constructively elected by original presentation for prosecution on the merits. Accordingly, the subject matter directed to figure 9 (e.g., intercepting a loader response for a DLL search and generating a spoofed import response to facilitate execution of the sample) of claims 1-18 is withdrawn from consideration as being directed to a non-elected invention and must be removed from the claims. See 37 CFR 1.142(b) and MPEP § 821.03.
Response to Arguments
Applicant's arguments filed 11/5/2025 have been fully considered but they are not persuasive.
Applicant cites 11 lines of claim 1, most of which have been added to the claims, alleges that “The Office Action relies on … Marinescu for purportedly teaching the generating of the stub library operation”, appears to quote a few paragraphs of Marinescu, and alleges “Marinescu fails to disclose performing any action for a missing stub DLL. The other applied references fail to cure the deficiencies of Marinescu” and then alleges that the references fail to disclose the 11 lines of claim 1 above. To the contrary, Marinescu discloses generating stub libraries by generating and/or prefetching them when they are missing. For example, in paragraph 44, Marinescu states “If an API call requires a stub DLL for simulation, at block 718, the stack data structure 206 is queried for the reference information of the selected API. The reference information obtained from the stack data structure 206 permits identification of the correct stub DLL to load into the virtual address space 210.” This clearly shows identifying that the API call requires a stub DLL, which is not yet loaded, and identifying the correct stub DLL “to load into the virtual address space 210”. It can then be generated/prefetched, for example, into virtual address space. Please also see additional portions of the reference, such as paragraphs 32, 34, 45-47, and 55, for example.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 7, 8, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Marinescu (U.S. Patent Application Publication 2005/0187740) in view of Alpern (U.S. Patent Application Publication 2006/0047974).
Regarding Claim 1,
Marinescu discloses a system comprising:
A hardware processor configured to (Exemplary Citations: for example, Paragraphs 24-27 and associated figures, and all below citations that describe steps performed thereby; processing unit, for example);
Receive a sample for emulation for malware detection that is missing one or more expected libraries (Exemplary Citations: for example, Paragraphs 2-10, 29, 33, 37, and associated figures; receiving possible malware that needs a DLL, for example); and
Execute the sample in an emulation environment using one or more stub libraries that are automatically generated to use in place of the one or more expected libraries, wherein the one or more stub libraries facilitate execution of the sample in the emulation environment, and wherein the executing of the sample in the emulation environment comprises to (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; executing, emulating, simulating, in a virtual environment using stub DLLs used in place of real DLLs, for example):
Identify required libraries that are not part of a base operating system (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; determine DLL that needs a stub DLL, for example);
Generate the one or more stub libraries, wherein the one or more stub libraries correspond with the required libraries, wherein the generating of the one or more stub libraries comprises to (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; stub DLL, for example):
Determine that a stub library of the one or more stub libraries is missing (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; stub DLL, for example; if stub DLL is needed, for example); and
In response to a determination that the stub is missing, perform one or more of the following: A) intercept a loader response for the missing stub library and generate a spoofed import response, and B) prefetch the missing stub library (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; loading, copying, etc., stub DLL, either by pre-fetching or by generating the copy as needed, for example); and
Install the one or more stub libraries inside the emulation environment (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; installing the stub DLL, for example); and
A memory coupled to the processor and configured to provide the processor with instructions (Exemplary Citations: for example, Paragraphs 24-29 and associated figures, claims 15-35, and all above and below citations that describe steps that may be within these instructions; any memory/storage/medium that may provide any instructions to a processor, for example);
But does not explicitly disclose that identifying required libraries that are not part of a base operating system is performed by scanning an import table associated with the sample.
Alpern, however, discloses scan an import table associated with the sample to identify required libraries that are not part of a base operating system (Exemplary Citations: for example, Paragraphs 356-373, 402-414, and associated figures; checking import table for DLLs that should be loaded, suppressing loading such, and loading stub DLLs instead, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the library determination and loading techniques of Alpern into the proactive computer virus protection system of Marinescu in order to allow the system to easily determine DLLs for which stubs may be required, to use already-known specifications of libraries, to allow for suppressing libraries that should be loaded, and/or to increase security in the system.
Regarding Claim 15,
Claim 15 is a method claim that corresponds to system claim 1 and is rejected for the same reasons.
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to system claim 1 and is rejected for the same reasons.
Regarding Claim 2,
Marinescu as modified by Alpern discloses the system of claim 1; in addition, Marinescu discloses that the emulation environment comprises a virtual machine instance (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; virtual machine with virtual processing unit, virtual address space, I/O emulator, etc., for example).
Regarding Claim 16,
Claim 16 is a method claim that corresponds to system claim 2 and is rejected for the same reasons.
Regarding Claim 18,
Claim 18 is a product claim that corresponds to system claim 2 and is rejected for the same reasons.
Regarding Claim 3,
Marinescu as modified by Alpern discloses the system of claim 1; in addition, Marinescu discloses that the emulation environment comprises a virtual machine instance for a Windows operating system environment (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; as above in Microsoft Windows, for example).
Regarding Claim 7,
Marinescu as modified by Alpern discloses the system of claim 1; in addition, Marinescu discloses that the sample comprises an executable file (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; executable file, for example).
Regarding Claim 8,
Marinescu as modified by Alpern discloses the system of claim 1; in addition, Marinescu discloses that the sample comprises an executable file that is missing at least one or more libraries that are a dependency for execution (Exemplary Citations: for example, Paragraphs 2-10, 29, 33, 37, and associated figures; possible malware that needs a DLL, for example).
Claims 4-6, 9, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Marinescu in view of Alpern and BlackBerry (BlackBerry, “Malware Analysis with Dynamic Binary Instrumentation Frameworks”, 4/5/2021, 17 pages, acquired from https://blogs.blackberry.com/en/2021/04/malware-analysis-with-dynamic-binary-instrumentation-frameworks).
Regarding Claim 4,
Marinescu discloses that the emulation environment comprises a virtual machine instance for an operating system environment (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures);
But does not explicitly disclose that the operating system environment comprises a Linux operating system environment.
BlackBerry, however, discloses that the operating system environment comprises a Linux operating system environment (Exemplary Citations: for example, Page 1, Linux, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware analysis techniques of BlackBerry into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to protect additional operating systems, to allow for operation on additional operating systems, to allow for better control of application monitoring, to allow for injection of code into programs to be monitored, and/or to increase security in the system.
Regarding Claim 5,
Marinescu discloses that the emulation environment comprises a virtual machine instance for an operating system environment (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures);
But does not explicitly disclose that the operating system environment comprises an Apple macOS (OSX) or iOS operating system environment.
BlackBerry, however, discloses that the operating system environment comprises an Apple macOS (OSX) or iOS operating system environment (Exemplary Citations: for example, Page 1, iOS, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware analysis techniques of BlackBerry into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to protect additional operating systems, to allow for operation on additional operating systems, to allow for better control of application monitoring, to allow for injection of code into programs to be monitored, and/or to increase security in the system.
Regarding Claim 6,
Marinescu discloses that the emulation environment comprises a virtual machine instance for an operating system environment (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures);
But does not explicitly disclose that the operating system environment comprises an Android operating system environment.
BlackBerry, however, discloses that the operating system environment comprises an Android operating system environment (Exemplary Citations: for example, Page 1, Android, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware analysis techniques of BlackBerry into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to protect additional operating systems, to allow for operation on additional operating systems, to allow for better control of application monitoring, to allow for injection of code into programs to be monitored, and/or to increase security in the system.
Regarding Claim 9,
Marinescu discloses that the sample comprises a Windows executable file (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures);
But does not explicitly disclose that the executable file is a PE file.
BlackBerry, however, discloses that the sample comprises a Windows PE file (Exemplary Citations: for example, Page 1; Scripting with Frida-Python section, pages 8-9; Windows PE files, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware analysis techniques of BlackBerry into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to protect additional operating systems, to allow for operation on additional operating systems, to allow for better control of application monitoring, to allow for injection of code into programs to be monitored, and/or to increase security in the system.
Regarding Claim 10,
Marinescu discloses that the sample comprises a Windows executable file that is missing at least one or more libraries that are a dependency for execution (Exemplary Citations: for example, Paragraphs 2-12, 22, 24-27, 29, 33-35, 37-57, and associated figures);
But does not explicitly disclose that the executable file is a PE file.
BlackBerry, however, discloses that the sample comprises a Windows PE file (Exemplary Citations: for example, Page 1; Scripting with Frida-Python section, pages 8-9; Windows PE files, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware analysis techniques of BlackBerry into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to protect additional operating systems, to allow for operation on additional operating systems, to allow for better control of application monitoring, to allow for injection of code into programs to be monitored, and/or to increase security in the system.
Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Marinescu in view of Alpern and Salsamendi (U.S. Patent 10,152,597).
Regarding Claim 11,
Marinescu discloses that the hardware processor is further configured to:
Receive a plurality of malware samples (Exemplary Citations: for example, Paragraphs 2-10, 29, 33, 37, and associated figures);
But does not explicitly disclose to deduplicate the plurality of malware samples.
Salsamendi, however, discloses receive a plurality of malware samples (Exemplary Citations: for example, Abstract, Column 13, line 15 to Column 16, line 28; and associated figures; receiving multiple samples, for example); and
Deduplicate the plurality of malware samples (Exemplary Citations: for example, Abstract, Column 13, line 15 to Column 16, line 28; and associated figures; deduplicating, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware deduplicating techniques of Salsamendi into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to detect repacked malware in order to better and more easily detect malware, to reduce computational burden by detecting duplicate malware prior to analysis of such, to provide for more efficient malware detection, and/or to increase security in the system.
Regarding Claim 12,
Marinescu discloses that the hardware processor is further configured to:
Receive a plurality of malware samples (Exemplary Citations: for example, Paragraphs 2-10, 29, 33, 37, and associated figures);
Output a first malware sample (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures); and
Execute the first malware sample in the emulation environment (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures);
But does not explicitly disclose to deduplicate the plurality of malware samples to output the first malware sample.
Salsamendi, however, discloses receive a plurality of malware samples (Exemplary Citations: for example, Abstract, Column 13, line 15 to Column 16, line 28; and associated figures);
Deduplicate the plurality of malware samples to output a first malware sample (Exemplary Citations: for example, Abstract, Column 13, line 15 to Column 16, line 28; and associated figures); and
Execute the first malware sample in the emulation environment (Exemplary Citations: for example, Abstract, Column 8, line 8 to Column 10, line 62; dynamic analysis, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the malware deduplicating techniques of Salsamendi into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to detect repacked malware in order to better and more easily detect malware, to reduce computational burden by detecting duplicate malware prior to analysis of such, to provide for more efficient malware detection, and/or to increase security in the system.
Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Marinescu in view of Alpern and Cohen (U.S. Patent 10,102,374).
Regarding Claim 13,
Marinescu discloses that the hardware processor is further configured to terminate an entire process (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; Windows processors are configured to terminate processes, for example).
Cohen also discloses that the hardware processor is further configured to terminate an entire process (Exemplary Citations: for example, Column 2, line 63 to Column 3, line 35; Column 15, lines 1-19; Column 19, lines 18-23; Column 27, lines 19-47; Column 27, line 60 to Column 28, line 22; and associated figures; terminate process, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the remediation techniques of Cohen into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to generate and adhere to a remediation plan when encountering malware, to allow for explicit termination of offending code, to ensure that all portions of code that need to be terminated are terminated, and/or to increase security in the system.
Regarding Claim 14,
Marinescu discloses that the hardware processor is further configured to terminate a thread associated with a stub library call (Exemplary Citations: for example, Paragraphs 9-12, 22, 24-27, 33-35, 38-57, and associated figures; Windows processors are configured to terminate threads, for example).
Cohen also discloses that the hardware processor is further configured to terminate a thread associated with a stub library call (Exemplary Citations: for example, Column 2, line 63 to Column 3, line 35; Column 15, lines 1-19; Column 19, lines 18-23; Column 27, lines 19-47; Column 27, line 60 to Column 28, line 48; and associated figures; terminate thread associated with malicious activity, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the remediation techniques of Cohen into the proactive computer virus protection system of Marinescu as modified by Alpern in order to allow the system to generate and adhere to a remediation plan when encountering malware, to allow for explicit termination of offending code, to ensure that all portions of code that need to be terminated are terminated, and/or to increase security in the system.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey D. Popham/Primary Examiner, Art Unit 2432