Control Number: 90/013,016
Patent No.: 7,647,633
Inventors: Edery et al.
Issued: June 12, 2010
Title: MALICIOUS MOBILE CODE RUNTIME MONITORING SYSTEM AND METHODS
Confirmation No.: 9521
TC/Art Unit: 3992
Examiner: Adam L. Basehoar
Attorney Dckt No.: FINREXM0005
`
Mail Stop Ex Parte Reexam
Central Reexamination Unit
Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

RESPONSE TO NON-FINAL OFFICE ACTION

Sir:

In response to the pending non-final Office Action dated November 19, 2013 (response due February 19, 2014 with granted extension), please consider the following remarks regarding the above-captioned patent.

Amendments to the Specification begin on Page 2.

Amendments to the Claims begin on Page 3.

Remarks begin on Page 12.
`
Blue Coat Systems - Exhibit 1042 Page 1
`
AMENDMENT TO THE SPECIFICATION

Kindly replace the first paragraph of the specification on page 2 with the following:

This application is a continuation of and incorporates by reference patent application Ser. No. 09/861,229, filed May 17, 2001 now U.S. Pat. No. 7,058,822, which claims benefit of reference provisional application Ser. No. 60/205,591 entitled "Computer Network Malicious Code Runtime Monitoring," filed on May 17, 2000 by inventors Nimrod Itzhak Vered, et al. This application also incorporates by reference the provisional application Ser. No. 60/205,591. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 09/539,667, now U.S. Pat. No. 6,804,780, entitled "System and Method for Protecting a Computer and Network from Hostile Downloadables" filed on Mar. 30, 2000 by inventor Shlomo Touboul, which is a continuation of U.S. patent application Ser. No. 08/964,388, now U.S. Patent No. 6,092,194, entitled "System and Method for Protecting a Computer and a Network from Hostile Downloadables" filed on November 6, 1997 by inventor Shlomo Touboul. This application is also a Continuation-In-Part of and hereby incorporates by reference patent application Ser. No. 90/551,302 now U.S. Pat. No. 6,480,962, entitled "System and Method for Protecting a Client During Runtime From Hostile Downloadables", filed on Apr. 2000 by inventor Shlomo Touboul, which is a continuation of U.S. application Ser. No. 08/790,097, now U.S. Patent No. 6,167,520 entitled "System and Method For Protecting a Client From Hostile Downloadables", filed January 29, 1997 by inventor Shlomo Touboul.
`
AMENDMENTS TO THE CLAIMS

1. (Original; Rejected) A computer processor-based method, comprising:

receiving, by a computer, downloadable-information;

determining, by the computer, whether the downloadable-information includes executable code;
and

based upon the determination, transmitting from the computer mobile protection code to at least
one information-destination of the downloadable-information, if the downloadable-information
is determined to include executable code.

2. (Original; Rejected) The method of claim 1, wherein the receiving includes monitoring
received information of an information re-communicator.

3. (Original; Rejected) The method of claim 2, wherein the information re-communicator is a
network server.

4. (Original; Rejected) The method of claim 1, wherein the determining comprises analyzing
the downloadable-information for an included type indicator indicating an executable file type.

5. (Original; Rejected) The method of claim 1, wherein the determining comprises analyzing
the downloadable-information for an included type detector indicating an archive file that
contains at least one executable.

6. (Original; Rejected) The method of claim 1, wherein the determining comprises analyzing
the downloadable-information for an included file type indicator and an information pattern
corresponding to one or more information patterns that tend to be included within executable
code.

7. (Original; Rejected) The method of claim 1, further comprising receiving, by the computer,
one or more executable code characteristics of executable code that is capable of being executed
by the information-destination, and wherein the determining is conducted in accordance with the
executable code characteristics.

8. (Original; Not Rejected) A computer processor-based system for computer security, the
system comprising
`
an information monitor for receiving downloadable-information by a computer;

a content inspection engine communicatively coupled to the information monitor for
determining, by the computer, whether the downloadable-information includes executable code;
and

a protection agent engine communicatively coupled to the content inspection engine for causing
mobile protection code ("MPC") to be communicated by the computer to at least one
information-destination of the downloadable-information, if the downloadable-information is
determined to include executable code.

9. (Original; Not Rejected) The system of claim 8, wherein the information monitor intercepts
received information received by an information re-communicator.

10. (Original; Not Rejected) The system of claim 9, wherein the information re-communicator
is a network server.

11. (Original; Not Rejected) The system of claim 8, wherein the content inspection engine
comprises a file type detector for determining whether the downloadable-information includes a
file type indicator indicating an executable file type.

12. (Original; Not Rejected) The system of claim 8, wherein the content inspection engine
comprises a parser for parsing the downloadable-information and a content analyzer
communicatively coupled to the parser for determining whether one or more
downloadable-information elements of the downloadable-information correspond with
executable code elements.

13. (Original; Not Rejected) A processor-based system for computer security, the system
comprising:

means for receiving downloadable-information;

means for determining whether the downloadable-information includes executable code; and

means for causing mobile protection code to be communicated to at least one
information-destination of the downloadable-information, if the downloadable-information is
determined to include executable code.
`
14. (Original; Not Rejected) A computer program product, comprising a computer usable
medium having a computer readable program code therein, the computer readable program code
adapted to be executed for computer security, the method comprising:

providing a system, wherein the system comprises distinct software modules, and wherein the
distinct software modules comprise an information re-communicator and a mobile code
executor;

receiving, at the information re-communicator, downloadable-information including executable
code; and

causing mobile protection code to be executed by the mobile code executor at a
downloadable-information destination such that one or more operations of the executable code
at the destination, if attempted, will be processed by the mobile protection code.

15. (Original; Not Rejected) The method of claim 14, wherein the mobile code executor is a
Java Virtual Machine.

16. (Original; Not Rejected) The method of claim 14, wherein the mobile code executor is the
operating system, running native code executables.

17. (Original; Not Rejected) The method of claim 14, wherein the mobile code executor is a
subsystem of the operating system.

18. (Original; Not Rejected) The method of claim 14, wherein the mobile code executor is a
scripting host.

19. (Original; Not Rejected) The method of claim 14, wherein the re-communicator is at least
one of a firewall and a network server.

20. (Original; Not Rejected) The method claim 14, wherein executing the mobile protection code
at the destination causes downloadable interfaces to resources at the destination to be modified
such that at least one attempted operation of the executable code is diverted to the mobile
protection code.

21. (Original; Not Rejected) A processor-based system for computer security, the system
comprising:
`
receiving means for receiving, at an information re-communicator of a computer,
downloadable-information, including executable code; and

mobile code means communicatively coupled to the receiving means for causing, by the
computer, mobile protection code to be executed by a mobile code executor at a
downloadable-information destination such that one or more operations of the executable code
at the destination, if attempted, will be processed by the mobile protection code.

22. (Original; Not Rejected) The system of claim 21, wherein the mobile code executor is a
Java Virtual Machine.

23. (Original; Not Rejected) The system of claim 21, wherein the mobile code executor is an
operating system, running native code executables.

24. (Original; Not Rejected) The system of claim 21, wherein the mobile code executor is a
subsystem of the windows operating system.

25. (Original; Not Rejected) The system of claim 21, wherein the mobile code executor is a
scripting host.

26. (Original; Not Rejected) The system of claim 21, wherein the re-communicator is at least
one of a firewall and a network server.

27. (Original; Not Rejected) The system of claim 21, wherein executing the mobile protection
code at the destination causes downloadable interfaces to resources at the destination to be
modified such that at least one attempted operation of the executable code is diverted to the
mobile protection code.

28. (Original; Rejected) A processor-based method, comprising:

receiving a sandboxed package that includes mobile protection code ("MPC") and a
Downloadable and one or more protection policies at a computer at a Downloadable-destination;

causing, by the MPC on the computer, one or more operations attempted by the Downloadable to
be received by the MPC;

receiving, by the MPC on the computer, an attempted operation of the Downloadable; and
`
initiating, by the MPC on the computer, a protection policy corresponding to the attempted
operation.

29. (Original; Rejected) The method of claim 28, wherein the sandboxed package is configured
such that the MPC is executed first, the Downloadable is executed by the MPC and the
protection policies are accessible to the MPC.

30. (Original; Rejected) The method of claim 28, wherein the causing comprises modifying, by
the MPC, interfaces of a corresponding downloadable to resources at the destination.

31. (Original; Rejected) The method of claim 30, wherein the modifying is accomplished by
initiating a loading of the Downloadable, thereby causing a mobile code executor to provide and
initialize the interfaces, modifying one or more interface elements to divert corresponding
attempted Downloadable operations to the MPC, and initiating execution of the Downloadable.

32. (Original; Rejected) The method of claim 30, wherein the interfaces comprise an import
address table ("IAT") of a native code executable downloadable.

33. (Original; Rejected) The method of claim 30, wherein modifying the interfaces installs a
filter-driver between the downloadable and the resources.

34. (Original; Not Rejected) A processor-based system for computer security, the system
comprising:

a mobile code executor on a computer for initiating received mobile code; and

a sandboxed package capable of being received and initiated by the mobile code executor on the
computer, the sandboxed package including a Downloadable and mobile protection code
("MPC") for causing one or more Downloadable operations to be intercepted by the computer
and for processing the intercepted operations by the computer, if the Downloadable attempts to
initiate the operations.

35. (Original; Not Rejected) The system of claim 34, wherein the MPC comprises:

an MPC installer for causing MPC elements to be installed;
`
a Downloadable installer communicatively coupled to the MPC installer for installing the
Downloadable;

a resource access diverter communicatively coupled to the MPC installer for causing the
Downloadable operations to be intercepted;

a resource access analyzer communicatively coupled to the MPC installer for receiving an
intercepted Downloadable operation and determining a protection policy corresponding to the
intercepted Downloadable operation; and

a policy enforcer communicatively coupled to the resource access analyzer for processing the
intercepted Downloadable operation.

36. (Original; Not Rejected) The system of claim 35, wherein the resource access diverter
modifies one or more elements of an interface usable by the Downloadable to effectuate the
Downloadable operations.

37. (Original; Not Rejected) The system of claim 35, wherein the mobile code-executor is a
Java Virtual Machine.

38. (Original; Not Rejected) The system of claim 35, wherein the mobile code executor is an
operating system, running native code executables.

39. (Original; Not Rejected) The system of claim 35, wherein the mobile code executor is a
subsystem of the operating system.

40. (Original; Not Rejected) The system of claim 35, wherein the mobile code executor is a
scripting host.

41. (Original; Not Rejected) A processor-based system for computer security, the system
comprising:

receiving means for receiving a sandboxed package that includes mobile protection code
("MPC") and a Downloadable and one or more protection policies at a
Downloadable-destination;

monitoring means for causing, by the MPC, one or more operations attempted by the
Downloadable to be received by the MPC;
`
second receiving means receiving, by the MPC, an attempted operation of the Downloadable;
and

initiating means for initiating, by the MPC, a protection policy corresponding to the attempted
operation.

42. (NEW) A computer processor-based method, comprising:

receiving, by a computer, multiple instances of downloadable-information, wherein at least one
of the multiple instances of downloadable-information includes non-executable information, at
least one of the multiple instances of downloadable-information includes executable information
and at least one of the multiple instances of downloadable-information includes a combination of
non-executable and executable code portions;

determining, by the computer, whether each of the multiple instances of
downloadable-information includes executable code; and

based upon the determination, transmitting from the computer mobile protection code to at least
one information-destination of each instance of downloadable-information that is determined to
include executable information and each instance of downloadable information that is
determined to include a combination of non-executable and executable code portions.

43. (NEW) A computer processor-based method, comprising:

receiving, by a server, multiple instances of downloadable-information, wherein at least one of
the multiple instances of downloadable-information includes non-executable information, at least
one of the multiple instances of downloadable-information includes executable information and
at least one of the multiple instances of downloadable-information includes a combination of
non-executable and executable code portions;

detecting, by a code detector associated with the server, whether each of the multiple instances of
downloadable-information includes executable code; and

if executable code is detected, transmitting from the server mobile protection code to at least one
information-destination of each instance of downloadable-information that is determined to
include executable information and each instance of downloadable information that is
determined to include a combination of non-executable and executable code portions.

44. (NEW) A computer processor-based method, comprising:

receiving, by a computer, downloadable-information;

determining, by the computer, whether the downloadable-information includes executable code;
and
`
based upon the determination, transmitting from the computer mobile protection code and the
downloadable-information to at least one information-destination of the
downloadable-information, if the downloadable-information is determined to include executable
code and transmitting the downloadable-information without the mobile protection code if the
downloadable-information is determined not to include executable code.

45. (NEW) A computer processor-based method, comprising:

receiving, by a server, downloadable-information;

detecting, by a code detector associated with the server, whether the downloadable-information
includes executable code; and

if executable code is detected, transmitting from the server mobile protection code and the
downloadable-information to at least one information-destination of the
downloadable-information.

46. (NEW) A computer processor-based method, comprising:

receiving, by a computer, downloadable-information;

determining, by a code detector associated with the computer, whether any portion of the
downloadable-information is executable code; and

if executable code is detected, transmitting from the computer mobile protection code and the
downloadable-information to at least one information-destination of the
downloadable-information.

47. (NEW) A computer processor-based method, comprising:

receiving, by a computer, downloadable-information;

determining, by a content inspection engine associated with the computer, whether the
downloadable-information includes executable code, wherein determining whether the
downloadable-information includes executable code includes analyzing
downloadable-information for operations to be executed on a computer; and

based upon the determination, transmitting from the computer mobile protection code to at least
one information-destination of the downloadable-information, if the downloadable-information
is determined to include executable code.

48. (NEW) A computer processor-based system for computer security, the system comprising:

an information monitor for receiving downloadable-information by a computer;
`
a content inspection engine communicatively coupled to the information monitor for
determining, by the computer, whether the downloadable-information includes executable code,
wherein determining if downloadable information includes executable code includes analyzing
the downloadable information for operations to be executed on a computer; and

a protection agent engine communicatively coupled to the content inspection engine for causing
mobile protection code ("MPC") to be communicated by the computer to at least one
information-destination of the downloadable-information, if the downloadable-information is
determined to include executable code.

49. (NEW) The computer processor-based system of claim 48, wherein the content of the
downloadable information is analyzed for one or more of binary information and a pattern
indicative of executable code.

50. (NEW) A computer processor-based system for computer security, the system comprising:

a server for receiving downloadable-information;

a code detector associated with the server for detecting whether the downloadable-information
includes executable code; and

if executable code is detected, transmitting from the server mobile protection code and the
downloadable-information to at least one information-destination of the
downloadable-information.

51. (NEW) A computer processor-based system, comprising:

a computer for receiving downloadable-information;

a code detector associated with the computer for determining whether any portion of the
downloadable-information is executable code; and

if executable code is detected, transmitting from the computer mobile protection code and the
downloadable-information to at least one information-destination of the
downloadable-information.

52. (NEW) A computer processor-based system, comprising:

a computer for receiving downloadable-information;

a content inspection engine associated with the computer for determining whether the
downloadable-information includes executable code, wherein determining whether the
downloadable-information includes executable code includes analyzing the
downloadable-information for operations to be executed on a computer; and
`
based upon the determination, transmitting from the computer mobile protection code to at least
one information-destination of the downloadable-information, if the downloadable-information
is determined to include executable code.
`
REMARKS

I. OVERVIEW

This Reexamination concerns three prior art references, two of which are cited in the specification of U.S. Patent No. 7,647,633 ("the '633 Patent") and were considered during a thorough examination by Examiner Christopher Revak. Requester's allegation of a substantial new question of patentability improperly presents the same question about the same previously considered prior art and, as such, should be rejected.
`
One important aspect of the claimed invention is that it includes a step of determining whether the downloadable-information includes executable code. The prior art does not determine whether anything is executable. Ji, which is one of the references cited and distinguished in the specification of the '633 Patent, simply discloses a scanning system that is only configured to scan known applets for potential maliciousness and does not determine whether a Downloadable contains executable code. In fact, Ji specifically teaches that it does not scan non-applets. Liu is concerned with protecting a remote server, not a client, and replacing Java class names so that its remote server can generate webpages with modified content. Like Ji, Liu does not determine whether a Downloadable includes executable code.
`
Additionally, the prior art does not disclose receiving a sandboxed package. Ji discloses receiving a JAR archive file. A JAR archive file is a compressed file containing other files, like a zip file, and is not a sandboxed package. The secondary reference Golan, also cited and distinguished in the specification of the '633 Patent, fails to address Ji's sandboxed package deficiency as Golan's security monitor exists within a monitored web browser on a client computer and is never transmitted nor received. Moreover, a combination of Ji and Golan would yield inoperable results because the monitoring package of Ji would not function with the security monitor that exists within Golan's monitored web browser.
`
For these and further reasons discussed below, this ex parte reexamination proceeding is now in condition for confirming the patentability of all of the original claims of the '633 Patent.
`
II. STATUS

A. Status of Specification

The amendments to the specification are submitted in conjunction with Patent Owner's Petition to Accept Unintentionally Delayed Priority Claims pursuant to 37 C.F.R. § 1.78.
`
B. Status of the Claims

The patent under reexamination, U.S. Patent No. 7,647,633 ("the '633 Patent"), was granted on January 12, 2010, with forty-one claims. Third-party requester ("Requester") sought reexamination of claims 1-7 and 28-33 of the '633 patent. The Decision Granting Ex Parte Reexamination mailed November 19, 2013, found that a substantial new question of patentability had been raised with respect to claims 1-7 and 28-33. The Non-Final Office Action mailed November 19, 2013, rejects claims 1-7 and 28-33 based on the grounds listed below. Claims 8-27 and 34-41 are not subject to reexamination.

Claims 42-52 are newly presented in this response. Claims 42-47 are method claims generally in the form of claim 1, claim 48 is a system claim generally in the form of claim 8 and claims 49-52 are system claims for implementing the methods of claims 45-47. Support for the alternative and/or additional elements therein can be found in at least the following portions of the specification of the '633 Patent: Figures 3, 4 and 5; Column 9:10-16; Column 9:54-56; Column 12:8-12; and Column 16:19-23. As requested by the Examiners, the Patent Owner has attempted to limit the number of new claims presented, weighing the fact that the reexamination procedures generally limit the Patent Owner's opportunity to amend to this single instance.
`
C. Interview Summary

The undersigned wishes to thank Examiner Basehoar, Examiner Proctor and Supervisor Kosowski for extending the courtesy of an interview to Dawn-Marie Bey, Declarant Dr. Medvidovic, Declarant Phil Hartstein and other representatives of the patent owner on February 4, 2014. During the interview, all grounds of rejection listed in Section III were discussed, including each cited reference. In particular, there was substantial discussion around the fact that all of the references fail to disclose at least determining whether the received downloadable-information includes executable code. Additionally, Finjan representatives pointed out that Ji is addressed and differentiated from the claimed invention in the background section of the '633 Patent and that claims of parent Patent No. 7,058,822, including the determining element, were held to be valid (and infringed) over Ji by the U.S. District Court of Delaware (affirmed by the Federal Circuit). Finally, the Finjan representatives highlighted the evidence of secondary considerations including licensing, commercial success, copying, and industry praise.
`
III. GROUNDS OF REJECTION

The USPTO made the following grounds of rejection:

Ground 1: US Patent No. 5,983,348 ("Ji") allegedly anticipates claims 1-3 and 28-33 under 35 U.S.C. 102(e).

Ground 2: Ji allegedly anticipates claims 4-7 under 35 U.S.C. 102(b).

Ground 3: US Patent No. 6,058,482 ("Liu") allegedly anticipates claims 1-3 under 35 U.S.C. 102(e).

Ground 4: Liu allegedly anticipates claims 4 and 7 under 35 U.S.C. 102(b).

Ground 5: Ji in view of US Patent No. 5,974,549 ("Golan") allegedly renders claims 28-33 obvious under 35 U.S.C. 103(a).
`
IV. SUMMARY OF THE CLAIMED INVENTION

The claimed invention exists on an information recommunicator to protect network devices against security problems originating from network servers providing malicious content. One important aspect of the claimed invention is determining whether the downloadable-information it receives includes executable code. Ideally, all executable code should be clearly marked as executable code. However, the patent identifies the growing problem where code may misidentify itself or may be obfuscated in a way to hide executable code within downloadable information. '633 Patent, 9:10-18 (where downloadable information is "a combination of non-executable and one or more executable code portions (e.g. so-called Trojan horses that include a hostile Downloadable within a friendly one, combined, compressed or otherwise encoded files, etc.) [which] will likely remain undetected by a firewall or other more conventional protection systems."). By determining whether the downloadable-information it receives includes executable code, the claimed invention protects against executable code that is not clearly identified or otherwise obfuscated.
`
Independent claim 1 of the '633 Patent requires three steps that are not disclosed or suggested by the cited references: (1) "Receiving, by a computer, downloadable-information;" (2) "Determining, by the computer, whether the downloadable-information includes executable code;" and (3) "Based upon the determination, transmitting from the computer mobile protection code to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code."

Independent claim 28 of the '633 Patent requires four steps that are not disclosed or suggested by the cited references: (1) receiving a sandboxed package that includes mobile protection code ("MPC") and a Downloadable and one or more protection policies at a computer at a Downloadable-destination; (2) causing, by the MPC on the computer, one or more operations attempted by the Downloadable to be received by the MPC; (3) receiving, by the MPC on the computer, an attempted operation of the Downloadable; and (4) initiating, by the MPC on the computer, a protection policy corresponding to the attempted operation.
`
A. Claim 1: Determining, by the computer, whether the downloadable-information includes executable code

The claimed invention requires determining, by the computer, whether the downloadable-information includes executable code. This determination provides an active step of utilizing the downloadable-information received in the previous step to determine whether it includes executable code. As described in the patent, there are instances when code may misidentify itself, the code may obfuscate itself by some means, or the code may be imbedded in some unexpected place. '633 Patent, 9:10-18. Accordingly, the claimed invention describes how such obfuscated executable code can be identified by inflating compressed files ('633 Patent, 15:21-33) and parsing binary information and executable code patterns to detect executable code. ('633 Patent, 16:16-35).
`
B. Claim 1: Based upon the determination, transmitting from the computer mobile protection code to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code.

The claimed invention also requires "based upon the determination, transmitting from the computer mobile protection code to at least one information-destination of the downloadable-information, if the downloadable-information is determined to include executable code." As recited in the claim language, this step is required to be based on the previous determination that the downloadable-information includes executable code. By transmitting mobile protection code "based on the determination," the claimed invention allows for protection against executable code that is not well recognized within downloadable information.
`
C. Claim 28: Receiving a sandboxed package that includes mobile protection code ("MPC") and a Downloadable and one or more protection policies at a computer at a Downloadable-destination.

Independent claim 28 is directed to a different aspect of the claimed invention regarding the receiving of the sandboxed package at a destination. The sandboxed package is structured so that when it is received at its intended destination computer, the mobile protection code is executed prior to executing the downloadable, as illustrated in elements 340-343 of FIGS. 3 and 4 of the present specification. The sandboxed package also provides several functions, including initiating a Downloadable in a protective "sandbox." '633 Patent, 3:5-21.
`
V. SUMMARY OF THE ASSERTED PRIOR ART

A. Ji

Ji discloses a scanning system that scans known applets for potential maliciousness. Ji does not determine whether received downloadable information includes anything that is executable. Instead, Ji's invention - which is only focused on applets¹ - assumes that every applet should be scanned:
`
[Figure: Ji, Fig. 1]
`
Ji at Fig. 1 (Scanner 26, Applet and Internet 10). Although not explicitly disclosed in Ji, during the interview, it was