`
`
`
`
`
`
`
`
`
`
`
`
`
`Exhibit 9
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 2 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 2 of 25
`
`Attorney’s Docket No.: FIN0008—DIV1
`
`PATENT
`
`IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
`
`Examiner: Ponnoreay Pich
`
`) )
`
`In Re Patent Application of:
`
`David Gruzman
`Yuval Ben-Itzhak
`
`)
`) Art Unit:
`)
`
`2435
`
`) )
`
`) )
`
`Application No: 12/814,584
`
`Filed:
`
`June 14, 2010
`
`SYSTEM AND METHOD FOR )
`INSPECTING DYNAMICALLY )
`GENERATED EXECUTABLE
`)
`CODE
`
`) )
`
`For:
`
`Mail Stop AMENDMENT
`Commissioner for Patents
`P. O. Box 1450
`
`Alexandria, VA 22313—1450
`
`AMENDMENT AND RESPONSE TO OFFICE ACTION
`
`UNDER 37 C.F.R. 1.111
`
`Sir:
`
`In response to the Office Action dated June 28, 2011,
`
`applicants respectfully request that the above-identified application be
`
`amended as follows.
`
`Atty. Docket No. FIN0008-DIV1
`
`-1-
`
`FINJAN-QUALYS 004932
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 3 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 3 of 25
`
`IN THE SPECIFICATION:
`
`Please amend paragraph [0003] of the original specification as
`
`follows:
`
`[0003]
`
`Originally computer viruses were transmitted as executable code
`
`inserted into files. As each new viruses m was discovered, a signature
`
`of the virus was collected by anti-virus companies and used from then on
`
`to detect the virus and protect computers against it. Users began
`
`routinely scanning their file systems using anti—virus software, which
`
`regularly updated its signature database as each new virus was
`
`discovered.
`
`Please amend paragraph [0008] of the original specification as
`
`follows:
`
`[0008]
`
`Assignee’s US Patent No. 6,092,194 entitled SYSTEM AND
`
`METHOD FOR PROTECTING A COMPUTER AND A NETWORK FROM
`
`HOSTILE DOWNLOADABLES, the contents of which are hereby
`
`incorporated by reference, describes gateway level behavioral analysis.
`
`Such behavioral analysis scans and parses content received at a gateway
`
`and generates a security profile for the content. A security profile is a
`
`general list or delineation of suspicious, or potentially malicious,
`
`operations that executable content may perform. The derived security
`
`profile is then compared with a security policy for the computer being
`
`protected, to determine whether or not the content’s security profile
`
`violates the computer’s security policy. A security policy is a general set
`
`of simple or complex rules, that may be applied logically in series or in
`
`parallel, which determine whether or not a specific operation is permitted
`
`Atty. Docket No. FIN0008-DIV1
`
`-2-
`
`FINJAN-QUALYS 004933
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 4 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 4 of 25
`
`or forbidden to be performed by the content on the computer being
`
`protected. Security policies are generally configurable, and set by an
`
`administrator of the computer that [[are]] i_s being protected.
`
`Please amend paragraph [0044] of the original specification as
`
`follows:
`
`[0044]
`
`The following definitions are employed throughout the
`
`specification and claims.
`
`SECURITY PGUGF POLICY — a set of one or more rules that determine
`
`whether or not a requested operation is permitted. A security policy may
`
`be explicitly configurable by a computer system administrator, or may be
`
`implicitly determined by application defaults.
`
`SECURITY PROFILE — information describing one or more suspicious
`
`operations performed by executable software.
`
`Please amend paragraph [0052] of the original specification as
`
`follows:
`
`[0052]
`
`Reference is now made to FIG. 2, which is a simplified block
`
`diagram of a system for protecting a computer from dynamically
`
`generated malicious executable code, in accordance with a preferred
`
`embodiment of the present invention. Three major components of the
`
`system are a gateway computer 205, a client computer 210, and a
`
`security computer 215. Gateway computer [[220]] E receives
`
`content from a network, such as the Internet, over a communication
`
`channel 220. Such content may be in the form of HTML pages, XML
`
`documents, Java applets and other such web content that is generally
`
`rendered by a web browser. Client computer 210 communicates with
`
`gateway computer 205 over a communication channel 225, and
`
`Atty. Docket No. FIN0008-DIV1
`
`-3-
`
`FINJAN-QUALYS 004934
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 5 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 5 of 25
`
`communicates with security computer 215 over a communication channel
`
`230. Gateway computer 205 receives data at gateway receiver 235,
`
`and transmits data at gateway transmitter 240. Similarly, client
`
`computer 210 receives data at client receiver 245, and transmits data at
`
`client transmitter 250; and security computer 215 receives data at
`
`security receiver 260 and transmits data at security transmitter 265.
`
`Please amend paragraph [0053] of the original specification as
`
`follows:
`
`[0053]
`
`It will be appreciated by those skilled in the art that the network
`
`topology of FIG. 2 is shown as a simple topology, for purposes of clarity
`
`of exposition. However, the present invention applies to general
`
`architectures including a plurality of client computers 210 that are
`
`seFV-iees serviced by one or more gateway computers 205, and by one or
`
`more security computers 215. Similarly, communication channels 220,
`
`225 and 230 may each be multiple channels using standard
`
`communication protocols such as TCP/IP.
`
`Please amend paragraph [0058] of the original specification as
`
`follows:
`
`[0058]
`
`Preferably, when call (2) is made, the substitute function sends
`
`the input to security computer 215 for inspection. Preferably, content
`
`modifier 265 also inserts program code for the substitute function into
`
`the content, or a link to the substitute function. Such a substitute
`
`function may be of the following general form shown in TABLE I.
`
`TABLE I: Generic substitute function
`
`
`Function Substitute_:function (input)
`{
`
`Atty. Docket No. FIN0008-DIV1
`
`-4-
`
`FINJAN-QUALYS 004935
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 6 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 6 of 25
`
`
`
`inspection_result = Call_security_computer_to_inspect(
`
`
`
`input, "D_o‘_ciient_computer);
`
`(inspection_resul:)
`
`Original_function(input)
`
`i:
`
` eLse
`
`//do nothing
`
`Preferably, the above function ca//_security_computer_to_inspect()
`
`passes the input intended for the original function to security computer
`
`215 for inspection by inspector 275.
`
`In addition, an [[1D]] Q of client
`
`computer 210 is also passed to security computer 215. When—seeu—rity
`
`I—Bs—Ee—eletemee—wheFe—Ee—Feturn—its—Fesuks— For example, the ID may
`
`correspond to a network address of client computer 210. When security
`
`computer 215 services many such client computers 210 at once, it uses
`
`the IDs to determine where to return each of its many results.
`
`Please amend paragraph [0062] of the original specification as
`
`follows:
`
`[0062]
`
`Content processor 270 processes the modified content
`
`generated by content modifier 265. Content processor may be a web
`
`browser running on client computer 210. When content processor
`
`invokes the substitute function call (2), the input is passed to security
`
`computer 215 for inspection. Processing of the modified content is then
`
`suspended until security computer 215 returns its inspection results to
`
`client computer 210. Upon receiving the inspection results, client
`
`computer 210 resumes processing the modified content.
`
`If
`
`inspection_result is true, then client computer 210 invokes the original
`
`function call (1); otherwise, [[the]] client computer 210 does not invoke
`
`the original function call (1).
`
`Auy.DocketNo.FIN0008-DIV1
`
`-5-
`
`FINJAN-QUALYS 004936
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 7 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 7 of 25
`
`Please amend paragraph [0065] of the original specification as
`
`follows:
`
`[0065]
`
`After determining a security profile for the input, inspector 275
`
`preferably retrieves information about permission settings for client
`
`computer 210, referred to as client computer’s “security policy”. Such
`
`permission settings are—generalH—seHay—an—adfinistrateeef—efient
`
`eem-pu-EeF-Z-LGra-nel determine which commands are permitted to be
`
`performed by content processor 270 while processing content, and which
`
`commands are not permitted. Security policies are also described in
`
`assignee’s US Patent No. 6,092,194. Security policies are flexible, and
`
`are generally set by an administrator of client computer 210. Preferably,
`
`security computer 215 has accesses to a database 280 of security profile
`
`information for a plurality of client computers. Database 280 may reside
`
`on security computer 215, or on a different computer.
`
`Please amend paragraph [0066] of the original specification as
`
`follows:
`
`[0066]
`
`By comparing the input’s security pel-iey 1m to client
`
`computer 210’s security pref-He My, input inspector 275 determines
`
`whether it is safe for client computer 210 to make the function call (1).
`
`Security computer 215 sends back to client computer 210 an indicator,
`
`inspection_resu/t, of the inspector’s determination. Comparison of a
`
`security pel-iey 1m to a security prefile My is also described in
`
`assignee’s US Patent No. 6,092,194. Security policies may include simple
`
`or complex logical tests for making a determination of whether or not an
`
`input is safe.
`
`Atty. Docket No. FIN0008-DIV1
`
`-6-
`
`FINJAN-QUALYS 004937
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 8 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 8 of 25
`
`Please amend paragraph [0071] of the original specification as
`
`follows:
`
`[0071]
`
`To this end, input inspector 275 preferably passes inputs it
`
`receives to input modifier 285, prior to scanning the input.
`
`Input
`
`modifier preferably operates similar to content modifier 265, and replaces
`
`function calls detected in the input with corresponding substitute function
`
`calls. Referring to the example above, when client computer 210 invokes
`
`the outer call to Document. write() in (5), the input [[ext]] M string
`
`“<hl>Document . write (
`
`
`
`“<hl><SCR::PT>SOme JavaScript</SCR:PT></h1>")</h1>"
`
`(6)
`
`is passed to security computer 215.
`
`Input modifier 285 detects the
`
`inner function call to Document. write() and replaces it with a
`
`corresponding substitute function call of the form (2).
`
`Input inspector
`
`275 then inspects the modified input. At this stage, if the input to the
`
`inner call to Document. writeO has not yet been dynamically generated,
`
`input inspector fl may not detect the presence of the JavaScript, and
`
`thus may not set inspection_resu/t to false if the JavaScript is malicious.
`
`However, security computer 215 returns the modified input to client
`
`computer 210. As such, when content processor 270 resumes
`
`processing, it adds the modified input into the HTML page. This
`
`guarantees that when content processor 270 begins to process the
`
`modified input, it will again invoke the substitute function for
`
`Document. write(), which in turn passes the input of the inner
`
`Document. write() call of (5) to security computer 215 for inspection.
`
`This time around input inspector 275 is able to detect the presence of the
`
`JavaScript, and can analyze it accordingly.
`
`Atty. Docket No. FIN0008-DIV1
`
`-7-
`
`FINJAN-QUALYS 004938
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 9 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 9 of 25
`
`Please amend paragraph [0076] of the original specification as
`
`follows:
`
`[0076]
`
`It may be appreciated that substitute functions as in TABLE I
`
`may also pass the name of the original function to the security computer.
`
`That is, the call to Cal/_security_computer_to_inspect() may also 1% a
`
`variable, say name_of_function, so that input inspector 275 can
`
`determine whether it is safe to invoke the specific original function with
`
`the input.
`
`In this way, input inspector 275 can distinguish between
`
`different functions with the same input.
`
`Please amend paragraph [0078] of the original specification as
`
`follows:
`
`[0078]
`
`At step 304, the gateway computer receives content from a
`
`network, the content on its way for delivery to the client computer. Such
`
`content may be in the form of an HTML web page, an XML document, a
`
`Java applet, an EXE file, JavaScript, VBScript, an ActiveX Control, or any
`
`such data container that can be rendered by a client web browser. At
`
`step 308, the gateway computer scans the content it received, for the
`
`presence of function calls. At step 312, the gateway computer branches,
`
`depending on whether or not function calls were detected at step 308.
`
`If
`
`function calls were detected, then at step [[318]] m the gateway
`
`computer replaces original function calls with substitute function calls
`
`within the content, thereby modifying the content.
`
`If function calls were
`
`not detected, then the gateway computer skips step [[318]] m. At
`
`step 320, the gateway computer sends the content, which may have
`
`been modified at step [[318]] 316, to the client computer.
`
`Atty. Docket No. FIN0008-DIV1
`
`-8-
`
`FINJAN-QUALYS 004939
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 10 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 10 of 25
`
`Please amend paragraph [0079] of the original specification as
`
`follows:
`
`[0079]
`
`At step 324 the client computer receives the content, as
`
`modified by the gateway computer. At step 328 the client computer
`
`begins to continuously process the modified content; i.e., the client
`
`computer runs an application, such as a web browser or a Java virtual
`
`machine, that processes the modified content. At step 332, whieh while
`
`processing the modified content, the client computer encounters a call
`
`(2) to a substitute function, such as the substitute function listed in
`
`TABLE I. Client computer then transmits the input to the substitute
`
`function and an identity of the client computer, to the security computer
`
`for inspection, at step 336. The identity of the client computer serves to
`
`inform the security computer where to return its inspection result. Since
`
`one security computer typically services many client computers, passing
`
`client computer identities is a way to direct the security computer where
`
`to send back its results. At this point, client computer suspends
`
`processing the modified content pending receipt of the inspection results
`
`from the security computer. As mentioned hereinabove, the client
`
`computer may also send the name of the original function to the security
`
`computer, for consideration in the inspection analysis.
`
`Please amend paragraph [0083] of the original specification as
`
`follows:
`
`[0083]
`
`At step 364 the security computer compares the security profile
`
`of the input under inspection with the security prefile my of the client
`
`computer, to determine if it is permissible for the client computer to
`
`invoke an original function with the input. Such determination may
`
`involve one or more simple or complex logical tests, structured in series
`
`Atty. Docket No. FIN0008-DIV1
`
`-9-
`
`FINJAN-QUALYS 004940
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 11 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 11 of 25
`
`or in parallel, or both, as described in assignee’s US Patent No.
`
`6,092,194.
`
`Please amend paragraph [0084] of the original specification as
`
`follows:
`
`[0084]
`
`At step 368 the security computer branches depending on the
`
`result of the comparison step 364.
`
`If the comparison step determines
`
`that the input is safe; i.e., that the input’s security profile does not violate
`
`the client computer’s security policy, then at step 372 the security
`
`computer sets an indicator of inspection results to true. Otherwise, at
`
`step 376 the security computer sets the indicator to false. At step 380
`
`the security computer returns the indicator to the client computer.
`
`In
`
`addition, if the security computer modified the input [[as]] a_t step 352,
`
`then it also returns the modified input to the client computer.
`
`Please amend paragraph [0088] of the original specification as
`
`follows:
`
`[0088]
`
`Two major components of the system, gateway computer 405
`
`and client computer 410 eemmunieatien communicate back and forth
`
`over communication channel 425. Gateway computer 405 includes a
`
`gateway receiver 435 and a gateway transmitter 440; and client
`
`computer 410 includes a client receiver 445 and a client transmitter
`
`450. Although FIG. 4 includes only one client computer, this is solely for
`
`the purpose of clarity of exposition, and it is anticipated that gateway
`
`computer 405 serves many client computers 410.
`
`Please amend paragraph [0089] of the original specification as
`
`follows:
`
`Atty. Docket No. FIN0008-DIV1
`
`-10-
`
`FINJAN-QUALYS 004941
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 12 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 12 of 25
`
`[0089]
`
`Gateway computer 405 receives content, such as web content,
`
`from a network, over eemmu—n-ieatiens communication channel 420.
`
`Client computer 410 includes a content processor 470, such as a web
`
`browser, which processes content received from the network.
`
`Atty. Docket No. FIN0008-DIV1
`
`-11-
`
`FINJAN-QUALYS 004942
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 13 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 13 of 25
`
`IN THE CLAIMS:
`
`Please substitute the following claims for the pending
`
`claims with the same number:
`
`1. (original)
`
`A system for protecting a computer from dynamically
`
`generated malicious content, comprising:
`
`a content processor (i) for processing content received over a
`
`network, the content including a call to a first function, and the call
`
`including an input, and (ii) for invoking a second function with the input,
`
`only if a security computer indicates that such invocation is safe;
`
`a transmitter for transmitting the input to the security computer
`
`for inspection, when the first function is invoked; and
`
`a receiver for receiving an indicator from the security computer
`
`whether it is safe to invoke the second function with the input.
`
`2. (currently amended)
`
`The system of claim 1 wherein said
`
`content processor (i) suspends processing of the content after said
`
`transmitter transmits the input to the security computer, and (ii) resumes
`
`processing of the med-if-ieel content after said receiver receives the
`
`indicator from the security computer.
`
`3. (currently amended)
`
`A non-transitory computer-readable
`
`storage medium storing program code for causing a computing device to:
`
`process content received over a network, the content including a
`
`call to a first function, and the call including an input;
`
`transmit the input for inspection, when the first function is
`
`invoked, and suspend processing of the content;
`
`Atty. Docket No. FIN0008-DIV1
`
`-12-
`
`FINJAN-QUALYS 004943
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 14 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 14 of 25
`
`receive an indicator of whether it is safe to invoke a second
`
`function with the input; and
`
`resume processing of the content after receiving the indicator,
`
`and invoke the second function with the input only if the indicator
`
`indicates that such invocation is safe.
`
`Atty. Docket No. FIN0008-DIV1
`
`-13-
`
`FINJAN-QUALYS 004944
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 15 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 15 of 25
`
`Please add the following new claims.
`
`4. (new)
`
`The system of claim 1 wherein the input is
`
`dynamically generated by said content processor prior to being
`
`transmitted by said transmitter.
`
`5. (new)
`
`The storage medium of claim 3 wherein the program
`
`code causes the computer device to dynamically generate the input prior
`
`to transmitting the input for inspection.
`
`6. (new)
`
`A system for protecting a computer from dynamically
`
`generated malicious content, comprising:
`
`a content processor (i) for processing content received over a
`
`network, the content including a call to a first function, and the first
`
`function including an input variable, and (ii) for calling a second function
`
`with a modified input variable;
`
`a transmitter for transmitting the input variable to a security
`
`computer for inspection, when the first function is called; and
`
`a receiver for receiving the modified input variable from the
`
`security computer.
`
`7. (new)
`
`The system of claim 6 wherein said content
`
`processor (i) suspends processing of the content after said transmitter
`
`transmits the input variable to the security computer, and (ii) resumes
`
`processing of the content after said receiver receives the modified input
`
`variable from the security computer.
`
`Atty. Docket No. FIN0008-DIV1
`
`-14-
`
`FINJAN-QUALYS 004945
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 16 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 16 of 25
`
`8. (new)
`
`The system of claim 6 wherein the input variable is
`
`dynamically generated by said content processor prior to being
`
`transmitted by said transmitter.
`
`9. (new)
`
`The system of claim 6 wherein the input variable
`
`includes a call to an additional function, and wherein the modified input
`
`variable includes a call to a modified additional function instead of the call
`
`to the additional function.
`
`10. (new)
`
`A non-transitory computer-readable storage medium
`
`storing program code for causing a computing device to:
`
`process content received over a network, the content including a
`
`call to a first function, and the first function including an input variable;
`
`transmit the input variable for inspection, when the first function
`
`is called, and suspend processing of the content;
`
`receive a modified input variable; and
`
`resume processing of the content after receiving the modified
`
`input variable, and calling a second function with the modified input
`
`variable.
`
`11. (new)
`
`The storage medium of claim 10 wherein the
`
`program code causes the computer device to dynamically generate the
`
`input variable prior to transmitting the input variable for inspection.
`
`12. (new)
`
`The storage medium of claim 10 wherein the input
`
`variable includes a call to an additional function, and wherein the
`
`Atty. Docket No. FIN0008-DIV1
`
`-15-
`
`FINJAN-QUALYS 004946
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 17 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 17 of 25
`
`modified input variable includes a call to a modified additional function
`
`instead of the call to the additional function.
`
`Atty. Docket No. FIN0008-DIV1
`
`-16-
`
`FINJAN-QUALYS 004947
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 18 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 18 of 25
`
`REMARKS
`
`Applicants’ representative has carefully studied the
`
`outstanding Office Action. The present amendment is intended to place
`
`the application in condition for allowance and is believed to overcome all
`
`of the objections and rejections made by the Examiner. Favorable
`
`reconsideration and allowance of the application are respectfully
`
`requested.
`
`Applicants have amended claims 2 and 3, and have
`
`added new claims 4 - 12. No new matter has been introduced, and
`
`support for the new and amended claims is provided below. Claims 1 —
`
`12 are presented for examination. Additionally, amendments to the
`
`specification have been made to add reference numerals from the figures,
`
`correct typographical errors and remove repetitive statements. The
`
`undersigned does not believe that new matter has been introduced by
`
`these amendments.
`
`Claim Rejections — 35 U.S.C. §112
`
`On page 2 of the Office Action, the Examiner has
`
`rejected claim 2 under 35 U.S.C. §112, second paragraph, as being
`
`indefinite. Applicants have amended this claim accordingly.
`
`Claim Rejections — 35 U.S.C. §101
`
`On pages 2 and 3 of the Office Action, the Examiner has
`
`rejected claim 3 under 35 U.S.C. §101 as being directed to non—statutory
`
`matter. Applicants have amended this claim to recite a “non-transitory
`
`computer-readable storage medium”.
`
`Atty. Docket No. FIN0008-DIV1
`
`-17-
`
`FINJAN-QUALYS 004948
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 19 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 19 of 25
`
`Claim Rejections — 35 U.S. C. §102
`
`On pages 3 and 4 of the Office Action, the Examiner has
`
`rejected claims 1 - 3 under 35 U.S.C. §102(b) as being anticipated by
`
`Albrecht, U.S. Publication No. 2001/0005889 (“Albrecht”).
`
`Brief Discussion of Prior Art
`
`Albrecht describes scanning of electronic files for
`
`computer viruses, whereby a first node that receives an electronic file
`
`conducts a dialogue with a second node that has a virus scanner. The
`
`second node identifies portions of the electronic file that the first node
`
`should transmit to the second node for scanning, and obviates the need
`
`for the first node to transmit the entire file.
`
`(Albrecht/ paragraphs [0005]
`
`— [0013]; Abstract; FIGS. 3 and 4)
`
`Response to Examiner’s Arguments
`
`The rejections of claims 1 — 3 on pages 3 and 4 of the
`
`Office will now be dealt with specifically.
`
`Claims 1, 2 and 4
`
`As to independent system claim 1, Applicants
`
`respectfully submit that the features in claim 1 of
`
`“a content processor (i) for processing content received
`
`over a network, the content including a call to a first function, and the
`
`call including an input, and (ii) for invoking a second function with
`
`the input, only if a security computer indicates that such invocation is
`
`safe”,
`
`Atty. Docket No. FIN0008-DIV1
`
`-18-
`
`FINJAN-QUALYS 004949
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 20 of 25
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 20 of 25
`
`“a transmitter for transmitting the input to the security
`
`computer for inspection, when the first function is invoked”, and
`
`“a receiver for receiving an indicator from the security
`
`computer whether it is safe to invoke the second function with the
`
`input”
`
`are neither shown nor suggested in Albrecht.
`
`In rejecting claim 1 on page 3 of the Office Action, the
`
`Examiner has cited Albrecht, paragraphs [0047] — [0049] as disclosing all
`
`of the above features. Applicants respectfully submit that none of the
`
`emphasized features are shown or suggested in Albrecht, as evidenced by
`
`the following arguments. MPEP 2143.03 states that
`
`"All words in a claim must be considered in judging the
`patentability of that claim against the prior art." In re Wilson, 424 F.2d
`1382, 1385, 165 USPQ 494, 496 (CPA 1970).
`
`I.
`
`Albrecht does not show or suggest the claimed
`
`invocation of a first function.
`
`Indeed, invocation of the electronic files, as interpreted
`
`in the framework of Albrecht, is performed at clients 2 of FIG. 1, whereas
`
`paragraphs [0047] — [0049] of Albrecht relate to protected systems 4 and
`
`virus scanning server 7 of FIG. 1. Neither of these latter computers
`
`actually invokes the electronic files.
`
`In distinction, the claimed content processor invokes
`
`the first function.
`
`II.
`
`Albrecht does not show or suggest the claimed
`
`transmitting an input of a first function to a security
`
`computer.
`
`Atty. Docket No. FIN0008-DIV1
`
`-19-
`
`FINJAN-QUALYS 004950
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 21 of 25
`Case 4:18-cv-07229—YGR Document 42-10 Filed 02/10/20 Page 21 of 25
`
`The portions of the electronic file which are transmitted
`
`are described by Albrecht as “a header portion of an electronic file or ofa
`
`block of data pointed to by a jump instruction located in the header”
`
`(Albrecht/ paragraphs [0012]).
`
`In distinction, the claimed transmitter transmits the
`
`input in a call to a first function.
`
`Because claims 2 and 4 depend from claim 1 and
`
`include additional features, Applicants respectfully submit that claims 2
`
`and 4 are not anticipated or rendered obvious by Albrecht.
`
`Accordingly claims 1, 2 and 4 are deemed to be
`
`allowable.
`
`Claims 3 and 5
`
`As to amended independent claim 3 for a computer—
`
`readable storage medium, Applicants respectfully submit that the feature
`
`in claim 3 of
`
`“storing program code for causing a computing device to:
`
`process content received over a network, the content including a call to
`
`a first function, and the call including an input; transmit the input
`
`for inspection, when the first function is invoked, and suspend
`
`processing of the content; receive an indicator of whether it is safe to
`
`invoke a second function with the input ...”,
`
`is neither shown nor suggested in Albrecht.
`
`Because claim 5 depends from claim 3 and includes
`
`additional features, Applicants respectfully submit that claim 5 is not
`
`anticipated or rendered obvious by Albrecht.
`
`Accordingly claims 3 and 5 are deemed to be allowable.
`
`Atty. Docket No. FIN0008-DIV1
`
`-20-
`
`FINJAN-QUALYS 004951
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 22 of 25
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 22 of 25
`
`Claims 6 — 9
`
`As to new independent system claim 6, Applicants
`
`respectfully submit that the features in claim 6 of
`
`“a content processor (i) for processing content received over a
`
`network,
`
`the content including a call to a first function, and the first
`
`function including an input variable, and (ii)
`
`for calling a second
`
`function with a modified input variable”,
`
`“a transmitter for transmitting the input variable to a security
`
`computer for inspection, when the first function is called”, and
`
`“a receiver for receiving the modified input variable from the
`
`security computer”
`
`are neither shown nor suggested in Albrecht.
`
`Because claims 7 — 9 depend from claim 6 and include
`
`additional features, Applicants respectfully submit that claims 7 - 9 are
`
`not anticipated or rendered obvious by Albrecht.
`
`Accordingly claims 6 - 9 are deemed to be allowable.
`
`Claims 10 — 12
`
`As to amended independent claim 10 for a computer—
`
`readable storage medium, Applicants respectfully submit that the feature
`
`in claim 10 of
`
`“program code for causing a computing device to:
`
`process content received over a network, the content including a call to a
`
`first function, and the first function including an input variable;
`
`transmit the input variable for inspection, when the first function is
`
`called, and suspend processing of the content; receive a modified input
`
`variable; and resume processing of the content after receiving the
`
`Atty. Docket No. FIN0008-DIV1
`
`-21-
`
`FINJAN-QUALYS 004952
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 23 of 25
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 23 of 25
`
`modified input variable, and calling a second function with the
`
`modified input variable”
`
`Because claims 11 and 12 depend from claim 10 and
`
`include additional features, Applicants respectfully submit that claims 11
`
`and 12 are not anticipated or rendered obvious by Albrecht.
`
`Accordingly claims 10 - 12 are deemed to be allowable.
`
`Support for New and Amended Claims in Original Specification
`
`New dependent claim 4 includes the feature that the
`
`input is dynamically generated by the content processor prior to being
`
`transmitted by the transmitter. This feature is supported in the original
`
`specification at least by paragraphs [0025], [0058], [0062] and [0091],
`
`and by FIGS. 2 and 4.
`
`New dependent claim 5 includes the feature that the
`
`program code causes the computing device to dynamically generate the
`
`input prior to transmitting the input for inspection. This feature is
`
`supported in the original specification at least by paragraphs [0025],
`
`[0079] and [0093], and by FIGS. 3 and 5.
`
`New independent claim 6 includes the feature that the
`
`content processor invokes a second function with a modified input
`
`variable, which is received by the receiver from the security computer.
`
`This feature is supported in the original specification at least by
`
`paragraphs [0060], [0063] and [0071], and by input modifier 285 of FIG.
`
`2.
`
`New dependent claim 7 includes the features that the
`
`content processor suspends processing of the content after the
`
`transmitter transmits the input variable to the security computer, and
`
`resumes processing of the content after the receiver receives the
`
`Atty. Docket No. FIN0008-DIV1
`
`-22-
`
`FINJAN-QUALYS 004953
`
`
`
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 24 of 25
`Case 4:18-cv-07229-YGR Document 42-10 Filed 02/10/20 Page 24 of 25
`
`modified input variable from the security computer. These features are
`
`supported in the original specification at