Prosecution Insights
Last updated: April 19, 2026
Application No. 18/347,764

HYPERVISOR-BASED MONITORING OF SAMPLES EXECUTING IN A VIRTUAL MACHINE VIA AMSI INTERCEPTION

Non-Final OA §102 §103
Filed: Jul 06, 2023
Examiner: STEINLE, ANDREW J
Art Unit: 2497
Tech Center: 2400 — Computer Networks
Assignee: Palo Alto Networks Inc.
OA Round: 1 (Non-Final)
Grant Probability: 88% (Favorable)
OA Rounds: 1-2
To Grant: 2y 4m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 88% (above average; 479 granted / 547 resolved; +29.6% vs TC avg)
Interview Lift: +19.5% among resolved cases with interview (strong, about +20%)
Typical timeline: 2y 4m average prosecution; 17 currently pending
Career history: 564 total applications across all art units

Statute-Specific Performance

§101: 10.4% (-29.6% vs TC avg)
§103: 46.2% (+6.2% vs TC avg)
§102: 20.7% (-19.3% vs TC avg)
§112: 11.6% (-28.4% vs TC avg)
Comparison is against the Tech Center average estimate. Based on career data from 547 resolved cases.

Office Action

§102 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification

The use of the trademark WINDOWS [paragraphs 0002, 0016, 0029, and 0033] has been noted in this application. It should be capitalized wherever it appears and be accompanied by the generic terminology. Although the use of trademarks is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as trademarks.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-3, 5, 8-10, 13, 15-17, and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mandal et al. (US 20210097186 A1), hereinafter referred to as Mandal.

Regarding Claims 1, 10, and 16, Mandal discloses a method comprising: executing a software sample in a virtual machine, wherein a hypervisor created the virtual machine; [paragraph 0110, in some embodiments, entire computing devices or platforms may be virtualized, on a single device, or in a data center where virtualization may span one or a plurality of devices] based on invocation of a first function of an antimalware scan interface (AMSI) by an application or service of the virtual machine that executes the software sample, obtaining, by the hypervisor, an indication of a buffer comprising data submitted to the AMSI by the application or service; [paragraph 0049, Within analysis pipeline 204, a pre-execution phase 208 first receives the command line script 202 with the unknown reputation. Pre-execution phase 208 may analyze the command line itself for suspicious factors. This could include looking for suspicious flags or operations, such as execution with no profile, execution in Hidden Mode, a non-interactive PowerShell, an encoded command (e.g., encoded within Base64), execution policy bypass attempt, Invoke-Expression, and/or a suspicious parent process] analyzing the data stored in the buffer based on one or more criteria for detecting attempts to bypass the AMSI; [Table 1, "To Detect Anti-Malware Scan Interface (AMSI) Bypass attempt"] based on determining that a subset of the data satisfies a first of the one or more criteria, detecting an attempt by the software sample to bypass the AMSI; and blocking the attempt by the software sample to bypass the AMSI. [paragraph 0074, Adding up all the scores for behavior logged during the pre-execution phase and the execution phase, the Veil framework command line ultimately receives a score of 13. If, in this illustrative example, the threshold for detection of malice is set to 7, then the attempted operation from the Veil framework may be blocked]

Regarding Claim 2, Mandal discloses wherein analyzing the data stored in the buffer comprises determining if the data stored in the buffer comprise one or more keywords that are indicative of AMSI bypass. [paragraph 0052, From pre-script execution stage logs, several important behaviors may be inspected within memory. Some events captured in this stage include, by way of illustrative and nonlimiting example] [Table 2, "Encoded Command", "Invoke-Expression"]

Regarding Claim 3, Mandal discloses wherein determining that a subset of the data satisfies the one or more criteria comprises determining that the data stored in the buffer comprise a first of the one or more keywords. [paragraph 0050, within pre-execution phase 208, PowerShell.exe sets up those things required for script execution. This could include, by way of illustrative example, argument parsing, checks environment, execution policy, and similar. In some cases, several important tasks may need to take place for smooth execution of the PowerShell code. One of the major tasks is command line argument parsing = "command line argument parsing" results in identification of keywords] [paragraph 0052, From pre-script execution stage logs, several important behaviors may be inspected within memory. Some events captured in this stage include, by way of illustrative and nonlimiting example] [Table 2, "Execution Policy Bypass Attempt", "Invoke-Expression"]

Regarding Claims 5 and 19, Mandal discloses further comprising resuming execution of the software sample after blocking the attempt to bypass the AMSI by the software sample. [paragraph 0069, At block 294, the security agent hosting analysis pipeline 204 may stop execution, or at least belay execution until the action is confirmed by a human user or security administrator – teaches stopping execution but then resuming if confirmed by a user or admin]

Regarding Claim 8, Mandal discloses further comprising inserting a code hook into the first function, wherein invocation of the first function triggers the code hook, wherein the hypervisor obtaining the indication of the buffer is based on the code hook being triggered. [paragraph 0051, Pre-execution phase 208 may provide feature hooks into some Windows APIs. By way of illustrative and nonlimiting example, hooked APIs may include the following] [Table 1]

Regarding Claim 9, Mandal discloses further comprising designating the data stored in the buffer for malware analysis. [paragraph 0023, the correlation of one or a plurality of command line arguments can be used to assign an initial score for the process. This initial score may or may not be used to definitively determine that the process is malicious. In some embodiments, the initial score is used to weight the process more or less heavily toward being malicious. This weighting factor can then be used in conjunction with an execution behavior analysis to determine a more definitive malware score. The malware score may be compared to a threshold to determine whether detection should be triggered]

Regarding Claims 13 and 17, Mandal discloses wherein the instructions to determine whether the data satisfy the one or more criteria comprise instructions to determine whether the data comprise one or more keywords that are indicative of AMSI bypass, and wherein the instructions to determine that the subset of the data satisfy the criteria comprise instructions to determine that the subset of the data comprise a first of the one or more keywords. [paragraph 0050, within pre-execution phase 208, PowerShell.exe sets up those things required for script execution. This could include, by way of illustrative example, argument parsing, checks environment, execution policy, and similar. In some cases, several important tasks may need to take place for smooth execution of the PowerShell code. One of the major tasks is command line argument parsing = "command line argument parsing" results in identification of keywords] [paragraph 0052, From pre-script execution stage logs, several important behaviors may be inspected within memory. Some events captured in this stage include, by way of illustrative and nonlimiting example] [Table 2, "Execution Policy Bypass Attempt", "Invoke-Expression"]

Regarding Claim 15, Mandal discloses wherein the program code further comprises instructions to hook into the first function of the AMSI, wherein the invocation of the first function by the application or the service running in the virtual machine triggers redirection of execution to the hypervisor, and wherein obtaining the indication of the buffer is based on invocation of the first function. [paragraph 0051, Pre-execution phase 208 may provide feature hooks into some Windows APIs. By way of illustrative and nonlimiting example, hooked APIs may include the following] [Table 1]

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 4, 14, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Mandal, as applied to Claims 1, 10, and 16, respectively, above, in view of SYKORA, "Detecting Windows AMSI Bypass Techniques", Trend Micro, 12/21/2022, hereinafter referred to as Sykora.

Regarding Claim 4, Mandal discloses wherein the one or more keywords comprise at least one of one or more function call names [paragraph 0050, within pre-execution phase 208, PowerShell.exe sets up those things required for script execution. This could include, by way of illustrative example, argument parsing, checks environment, execution policy, and similar. In some cases, several important tasks may need to take place for smooth execution of the PowerShell code. One of the major tasks is command line argument parsing = "command line argument parsing" results in identification of keywords] [paragraph 0052, From pre-script execution stage logs, several important behaviors may be inspected within memory. Some events captured in this stage include, by way of illustrative and nonlimiting example] [Table 2, "Execution Policy Bypass Attempt", "Invoke-Expression"]. Mandal does not explicitly teach and an indication of a dynamic link library (DLL) associated with the AMSI. Sykora teaches and an indication of a dynamic link library (DLL) associated with the AMSI. [page 5, "LoadLibrary + any AMSI or related DLL", "AMSI and related DLLs (DLL hijacking via amsi.dll)"] Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Sykora with the disclosure of Mandal. The motivation or suggestion would have been to "look for processes bypassing AMSI." (page 5)

Regarding Claims 14 and 18, Mandal discloses wherein the one or more keywords comprise at least one of one or more function call names [paragraph 0050, within pre-execution phase 208, PowerShell.exe sets up those things required for script execution. This could include, by way of illustrative example, argument parsing, checks environment, execution policy, and similar. In some cases, several important tasks may need to take place for smooth execution of the PowerShell code. One of the major tasks is command line argument parsing = "command line argument parsing" results in identification of keywords] [paragraph 0052, From pre-script execution stage logs, several important behaviors may be inspected within memory. Some events captured in this stage include, by way of illustrative and nonlimiting example] [Table 2, "Execution Policy Bypass Attempt", "Invoke-Expression"]. Mandal does not explicitly teach and an indication of a DLL associated with the AMSI. Sykora teaches and an indication of a DLL associated with the AMSI. [page 5, "LoadLibrary + any AMSI or related DLL", "AMSI and related DLLs (DLL hijacking via amsi.dll)"] Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Sykora with the disclosure of Mandal. The motivation or suggestion would have been to "look for processes bypassing AMSI." (page 5)

Claims 6-7, 11-12, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mandal, as applied to Claims 1, 10, and 16, respectively, above, in view of Pentest Laboratories, "AMSI Bypass Methods", posted 5/17/2021, hereinafter referred to as Pentest.

Regarding Claim 6, Mandal does not explicitly teach further comprising registering a dummy AMSI provider in the virtual machine. Pentest teaches further comprising registering a dummy AMSI provider in the virtual machine. [page 4, Tom Carver created a proof of concept in the form of a DLL file which evades AMSI by hooking into the "AmsiScanBuffer" function. The "AmsiScanBuffer" will then be executed with dummy parameters. The DLL needs to be injected into the PowerShell process which the AMSI bypass will performed] Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Pentest with the disclosure of Mandal. The motivation or suggestion would have been for AMSI Evasions. (page 2)

Regarding Claim 7, Mandal does not explicitly teach wherein the dummy AMSI provider comprises a DLL that does not implement malware detection, wherein registering the dummy AMSI provider enables the AMSI for the virtual machine. Pentest teaches wherein the dummy AMSI provider comprises a DLL that does not implement malware detection, wherein registering the dummy AMSI provider enables the AMSI for the virtual machine. [page 4, Tom Carver created a proof of concept in the form of a DLL file which evades AMSI by hooking into the "AmsiScanBuffer" function. The "AmsiScanBuffer" will then be executed with dummy parameters. The DLL needs to be injected into the PowerShell process which the AMSI bypass will performed] Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Pentest with the disclosure of Mandal. The motivation or suggestion would have been for AMSI Evasions. (page 2)

Regarding Claim 11, Mandal does not explicitly teach wherein the program code further comprises instructions to register a dummy AMSI provider in the virtual machine, wherein registration of the dummy AMSI provider enables AMSI for the virtual machine. Pentest teaches wherein the program code further comprises instructions to register a dummy AMSI provider in the virtual machine, wherein registration of the dummy AMSI provider enables AMSI for the virtual machine. [page 4, Tom Carver created a proof of concept in the form of a DLL file which evades AMSI by hooking into the "AmsiScanBuffer" function. The "AmsiScanBuffer" will then be executed with dummy parameters. The DLL needs to be injected into the PowerShell process which the AMSI bypass will performed] Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Pentest with the disclosure of Mandal. The motivation or suggestion would have been for AMSI Evasions. (page 2)

Regarding Claim 12, Mandal does not explicitly teach wherein the instructions to register the dummy AMSI provider comprise instructions to register a dummy dynamic link library (DLL). Pentest teaches wherein the instructions to register the dummy AMSI provider comprise instructions to register a dummy dynamic link library (DLL). [page 4, Tom Carver created a proof of concept in the form of a DLL file which evades AMSI by hooking into the "AmsiScanBuffer" function. The "AmsiScanBuffer" will then be executed with dummy parameters. The DLL needs to be injected into the PowerShell process which the AMSI bypass will performed] Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Pentest with the disclosure of Mandal. The motivation or suggestion would have been for AMSI Evasions. (page 2)

Regarding Claim 20, Mandal does not explicitly teach further comprising instructions executable by the processor to cause the apparatus to register a dummy AMSI provider in the virtual machine, wherein registration of the dummy AMSI provider enables AMSI for the virtual machine, wherein the dummy AMSI provider comprises a dummy DLL. Pentest teaches further comprising instructions executable by the processor to cause the apparatus to register a dummy AMSI provider in the virtual machine, wherein registration of the dummy AMSI provider enables AMSI for the virtual machine, wherein the dummy AMSI provider comprises a dummy DLL. [page 4, Tom Carver created a proof of concept in the form of a DLL file which evades AMSI by hooking into the "AmsiScanBuffer" function. The "AmsiScanBuffer" will then be executed with dummy parameters. The DLL needs to be injected into the PowerShell process which the AMSI bypass will performed] Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Pentest with the disclosure of Mandal. The motivation or suggestion would have been for AMSI Evasions. (page 2)

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923. The examiner can normally be reached M-F 10am-6pm CT. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Eleni Shiferaw, can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANDREW J STEINLE/
Primary Examiner, Art Unit 2497

Prosecution Timeline

Jul 06, 2023
Application Filed
Mar 23, 2026
Non-Final Rejection — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598068: SYSTEMS AND METHODS FOR HANDLING ENCRYPTED DATA (granted Apr 07, 2026; 2y 5m to grant)
Patent 12596771: SECURE ENFORCEMENT OF DIGITAL RIGHTS IN ARTIFICIAL INTELLIGENCE MODELS (granted Apr 07, 2026; 2y 5m to grant)
Patent 12592817: Message Service with Distributed Key Caching for Server-Side Encryption (granted Mar 31, 2026; 2y 5m to grant)
Patent 12591680: TRUST-CHAIN BASED ADAPTABLE TELEMETRY (granted Mar 31, 2026; 2y 5m to grant)
Patent 12587365: SECRET MANAGEMENT IN DISTRIBUTED SYSTEMS (granted Mar 24, 2026; 2y 5m to grant)
Based on the 5 most recent grants by this examiner.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 88%
With Interview: 99% (+19.5%)
Median Time to Grant: 2y 4m
PTA Risk: Low
Based on 547 resolved cases by this examiner. Grant probability derived from career allow rate.
