decoration decoration
Stories

GROKLAW
When you want to know more... 		decoration
For layout only
Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines
ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books

Gear

Groklaw Gear

Click here to send an email to the editor of this weblog.

You won't find me on Facebook

Donate

Donate Paypal

No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.

What's New

STORIES
No new stories

COMMENTS last 48 hrs
No new comments

Sponsors

Hosting:
hosted by ibiblio

On servers donated to ibiblio by AMD.

Webmaster
Anatomy of a Dying Patent - The Reexamination of Trend Micro's '600 Patent
Monday, June 13 2011 @ 09:05 PM EDT

On May 19, 2011, the U.S. Patent and Trademark Office issued a Final Rejection [PDF] in the reexamination of Trend Micro's U.S. patent 5,623,600 (the "'600 patent"). Groklaw has covered the story of Trend Micro's assertion of this patent from early on, and many of our readers helped identify and contribute prior art relied upon in the reexamination. It strikes us as worthwhile to relay the history of this litigation and this reexamination as an object lesson of what can happen to a patent holder asserting a weak patent.

To begin this story we need to go back to September 26, 1995, the day Trend Micro filed the original patent application for what later issued as the '600 patent to see what Trend Micro originally claimed as their invention. Here are the claims as stated in the application:

WHAT IS CLAIMED IS:

1. A system for detecting and selectively removing/viruses in data transfers, the system comprising:

a memory for storing data and routines, the memory having inputs and outputs, the memory including a server/or scanning data for a virus and specifying data handling actions dependent on an existence of the virus;

a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output; and

a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit; the processing unit having inputs and outputs; the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit; the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted.

2. The system of claim l, wherein the server includes:

a proxy server for receiving data to be transferred, the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses, the proxy server having a data input, a data output and a control output, the data input coupled to receive the data to be transferred; and

a daemon for transferring data from the proxy server in response to control signals from the proxy server, the daemon having a control input, a data input and a data output, the control input of the daemon coupled to the control output of the proxy server for receiving control signals, and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred.

3. The system of claim 2, wherein the proxy server is a FTP proxy server that handles evaluation and transfer of data files, and the daemon is an FTP daemon that communicates with a recipient node and transfers data files to the recipient node.

4. The system of claim 2, wherein the proxy server is a SMTP proxy server that handles evaluation and transfer of messages, and the daemon is an SMTP daemon that communicates with a recipient node and transfers messages to the recipient node.

5. A computer implemented method for detecting viruses in data transfers between a first computer and a second computer, the method comprising the steps of:

receiving at a server a data transfer request including a destination address;

electronically transmitting data to the server;

determining whether the/data contains a virus at the server;

performing a preset action on the data using the server if the data contains a virus; and

sending the data to the destination address if the data does not contain a virus.

6. The method of claim 5, further comprising the steps of storing the data in a temporary file at the server after the step of electronically transmitting; and wherein the step of determining includes scanning the data for a virus using the server.

7. The method of claim 6, wherein the step of scanning is performed using in signature scanning process.

8. The method of claim 5, wherein the step of performing a preset action on the data using the server comprises performing one step from the group of:

transmitting the data unchanged;

not transmitting the data; and

storing the data in a file with a new name and notifying a recipient of the data transfer request of the new file name.

9. The method of claim 5, further comprising the steps of:

determining whether the data is of a type that is likely to contain a virus; and

transmitting the data from the server to the destination without performing the steps of scanning, determining, performing and sending if the data is not of a type that is likely to contain a virus.

10. The method of claim 9 wherein the step of determining whether the data is of a type that is likely to contain a virus is performed by comparing an extension type of a file name for the data to a group of known extension types.

11. The method of claim 5 further comprising the steps of:

determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network;

wherein the server is a FTP proxy server;

wherein the step of electronically transmitting data comprises the steps of transferring the data from a client node to the FTP proxy server, if the data is not being transferred into the first network; and

wherein the step of electronically transmitting data comprises the steps of transferring the data from a server task to an FTP daemon, and then from the FTP daemon to the FTP proxy server if the data is being transferred into the first network.

12. The method of claim 5 further comprising the steps of:

determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network;

wherein the server is a FTP proxy server;

wherein the step of sending the data to the destination address comprises transferring the data from the FTP proxy server to a node having the destination address, if the data is being transferred into the first network; and

wherein the step of sending the data to the destination address comprises transferring the data from the FTP proxy server to a FTP daemon, and then from an FTP daemon to a node having the destination address, if the data is not being transferred into the first network.

13. A computer implemented method/for detecting viruses in a mail message transferred between a first computer and a second computer, the method comprising the steps of:

receiving a mail message request including a destination address;

electronically transmitting the mail message to a server;

determining whether the mail message contains a virus;

performing a preset action on the mail message if the mail message contains a virus; and

sending the mail message to the destination address if the mail message does not contains a virus.

14. The method of claim 13, wherein the step of determining whether the mail message contains a virus is performed by scanning the mail message for encoded portions.

15. The method of claim 14, wherein the step of scanning the mail message for encoded portions searches for unencoded portions.

16. The method of claim 14, wherein:

the step of sending the mail message to the destination address is performed if the mail message does not contain any encoded portions;

the server includes a SMTP proxy server and a SMTP daemon; and

the step of sending the mail message comprises transferring the mail message from the SMTP proxy server to the SMTP daemon, and transferring the mail message from the SMTP daemon to a node having an address matching the destination address.

17. The method of claim 13, wherein the step of determining whether the mail message contains a virus, further comprises the steps of:

storing the message in a temporary file;

scanning the temporary file for viruses; and

testing whether the scanning step found a virus.

18. The method of claim 13, wherein/the step of determining whether the mail message contains a virus, further comprises the step of:

determining whether the mail message contains any encoded portions;

storing each encoded portion of the mail message in a separate temporary file;

decoding the encoded portions of the mail message to produced decoded portions of the mail/message; scanning each of the decoded portions for a virus; and

testing whether the scanning step found any viruses.

19. The method of claim 18, wherein step of scanning is performed using in signature scanning process.

20. The method of claim 14, wherein the step of performing/a preset action on the mail message comprises performing one step from me group of:

transferring the mail message unchanged;

not transferring the mail message; and

storing the mail message as file with a new name and notifying a recipient of the mail message request of the new file name; and

creating a modified mail message by writing the output of the determining step into the modified mail message and transferring the mail message to the destination address.

21. The method of claim 18, wherein the step of performing a preset action on the mail message comprises performing one step from the group of:

transferring the mail message unchanged;

transferring the mail message with the encoded portions having a virus deleted; and

renaming the encoded portions of the mail message containing a virus, and storing the renamed portions as files in a specified directory on the server and notifying a recipient of the renamed files and directory; and

writing the output of the determining step into the mail message in place of respective encoded portions that contain a virus to create a modified mail message and sending the modified mail message.

22. An apparatus for detecting viruses in data transfers between a first computer and a second computer, the apparatus comprising:

means for receiving a data transfer request including a destination address;

means for electronically transmitting data to a server;

means for determining whether the data contains a virus at the server;

means for performing a preset action on the data using the server if the data contains a virus; and means for sending the data to the destination address if the data does not contain a virus.

23. The apparatus of claim 22, wherein means for determining includes a means for scanning that scans/he data using in a signature scanning process.

24. The apparatus of claim 22, wherein the means for performing a preset action comprises:

means for transmitting the data unchanged;

means for not transmitting the data; and

means for storing the data in a file with a new name and notifying a recipient of the data transfer request of the new file name.

25. The apparatus of claim 22, further comprising:

a second means for determining whether the data is of a type that is likely to contain a virus; and

means for transmitting the data from the server to the destination without performing the steps of scanning, determining, performing and sending, if the data is not of a type that is likely to contain a virus.

26. The apparatus of claim 22, further comprising means for determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network.

Those are the claims Trend Micro originally requested in its application. Here are the claims as they were finally allowed [PDF] on April 22, 1997:

What is claimed is:

1. A system for detecting and selectively removing viruses in data transfers, the system comprising:

a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;

a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output;

a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit; the processing unit having inputs and outputs; the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit; the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted;

a proxy server for receiving data to be transferred, the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses, the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred; and

a daemon for transferring data from the proxy server in response to control signals from the proxy server, the daemon having a control input, a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals, and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred.

2. The system of claim 1, wherein the proxy server is a FTP proxy server that handles evaluation and transfer of data files, and the daemon is an FTP daemon that communicates with a recipient node and transfers data files to the recipient node.

3. The system of claim 1, wherein the proxy server is a SMTP proxy server that handles evaluation and transfer of messages, and the daemon is an SMTP daemon that communicates with a recipient node and transfers messages to the recipient node.

4. A computer implemented method for detecting viruses in data transfers between a first computer and a second computer, the method comprising the steps of:

receiving at a server a data transfer request including a destination address;

electronically receiving data at the server;

determining whether the data contains a virus at the server;

performing a preset action on the data using the server if the data contains a virus;

sending the data to the destination address if the data does not contain a virus;

determining whether the data is of a type that is likely to contain a virus; and

transmitting the data from the server to the destination without performing the steps of determining whether the data contains a virus and performing a preset action if the data is not of a type that is likely to contain a virus.

5. The method of claim 4, further comprising the steps of storing the data in a temporary file at the server after the step of electronically transmitting; and wherein the step of determining includes scanning the data for a virus using the server.

6. The method of claim 5, wherein the step of scanning is performed using a signature scanning process.

7. The method of claim 4, wherein the step of performing a preset action on the data using the server comprises performing one step from the group of:

transmitting the data unchanged;

not transmitting the data; and

storing the data in a file with a new name and notifying a recipient of the data transfer request of the new file name.

8. The method of claim 4, wherein the step of determining whether the data is of a type that is likely to contain a virus is performed by comparing an extension type of a file name for the data to a group or known extension types.

9. The method of claim 4, further comprising the steps of:

determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network;

wherein the server is a FTP proxy server;

wherein the step of electronically receiving data comprises the steps of transferring the data from a client node to the FTP proxy server, if the data is not being transferred into the first network; and

wherein the step of electronically receiving data comprises the steps of transferring the data from a server task to an FTP daemon, and then from the FTP daemon to the FTP proxy server if the data is being transferred into the first network.

10. The method of claim 4, further comprising the steps of:

determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network;

wherein the server is a FTP proxy server;

wherein the step of sending the data to the destination address comprises transferring the data from the FTP proxy server to a node having the destination address, if the data is being transferred into the first network; and

wherein the step of sending the data to the destination address comprises transferring the data from the FTP proxy server to a FTP daemon, and then from an FTP daemon to a node having the destination address, if the data is not being transferred into the first network.

11. A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, the method comprising the steps of:

receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

determining whether the mail message contains a virus, the determination of whether the mail message contains a virus comprising determining whether the mail message includes any encoded portions, storing each encoded portion of the mail message in a separate temporary file, decoding the encoded portions of the mail message to produced decoded portions of the mail message, scanning each of the decoded portions for a virus, and testing whether the scanning step found any viruses;

performing a preset action on the mail message if the mail message contains a virus; and

sending the mail message to the destination address if the mail message does not contains a virus.

12. The method of claim 11, wherein the step of determining whether the mail message includes any encoded portions searches for uuencoded portions.

13. A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, the method comprising the steps of:

receiving a mail message request including a destination address; electronically receiving the mail message at a server; scanning the mail message for encoded portions; determining whether the mail message contains a virus;

performing a preset action on the mail message if the mail message contains a virus;

sending the mail message to the destination address if the mail message does not contains a virus; and

wherein the step of sending the mail message to the destination address is performed if the mail message does not contain any encoded portions; the server includes a SMTP proxy server and a SMTP daemon; and the step of sending the mail message comprises transferring the mail message from the SMTP proxy server to the SMTP daemon and transferring the mail message from the SMTP daemon to a node having an address matching the destination address.

14. The method of claim 11, wherein the step of determining whether the mail message contains a virus, further comprises the steps of:

storing the message in a temporary file;

scanning the temporary file for viruses; and

testing whether the scanning step found a virus.

15. The method of claim 11, wherein step of scanning is performed using a signature scanning process.

16. The method of claim 11, wherein the step of performing a preset action on the mail message comprises performing one step from the group of:

transferring the mail message unchanged;

not transferring the mail message;

storing the mail message as a file with a new name and notifying a recipient of the mail message request of the new file name; and

creating a modified mail message by writing the output of the determining step into the modified mail message and transferring the mail message to the destination address.

17. The method of claim 11, wherein the step of performing a preset action on the mail message comprises performing one step from the group of:

transferring the mail message unchanged;

transferring the mail message with the encoded portions having a virus deleted; and

renaming the encode portions of the mail message containing a virus, and storing the renamed portions as files in a specified directory on the server and notifying a recipient of the renamed files and directory; and

writing the output of the determining step into the mail message in place of respective encoded portions that contain a virus to create a modified mail message and sending the modified mail message.

18. An apparatus for detecting viruses in data transfers between a first computer and a second computer, the apparatus comprising:

means for receiving a data transfer request including a destination address;

means for electronically receiving data at a server;

means for determining whether the data contains a virus at the server;

means for performing a preset action on the data using the server if the data contains a virus; and

means for sending the data to the destination address if the data does not contain a virus.

19. The apparatus of claim 18, wherein means for determining includes a means for scanning that scans the data using a signature scanning process.

20. The apparatus of claim 18, wherein the means for performing a preset action comprises:

means for transmitting the data unchanged;

means for not transmitting the data; and

means for storing the data in a file with a new name and notifying a recipient of the data transfer request of the new file name.

21. The apparatus of claim 18; further comprising:

a second means for determining whether the data is of a type that is likely to contain a virus; and

means for transmitting the data from the server to the destination without performing the steps of scanning, determining, performing and sending, if the data is not of a type that is likely to contain a virus.

22. The apparatus of claim 18, further comprising means for determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network.

Not a huge amount of difference there. The primary differences are: (a) original claims 1 and 2 were collapsed into a single claim 1, thus narrowing that first claim; (b) claim 9 was deleted in its entirety; (c) deleting claim 14 in its entirety; and (d) deleting claim 18 in its entirety.

So Trend Micro receives its patent on April 22, 1997 and immediately turns around and sues McAfee Associates on May 13, 1997 for patent infringement. That litigation goes on for over three years until July 2000 when it is dismissed with prejudice because of a settlement agreement reached between the parties.

Four years later, on May 5, 2004, Trend Micro decides to go after Fortinet, again claiming patent infringement. However, this suit also results in a settlement two years later in October 2006.

But Trend Micro kept pushing, and in 2006 they were making noises about the open source application ClaimAV. Here's Justin Mason's blog from that time. Barracuda Networks included ClaimAV in some of its enterprise solutions, and BN decided to bring a declaratory judgment action against Trend Micro and the '600 patent. You can read more about this in our story from 2008 and our story on Barracuda entering the fray. Late in 2008 Fortinet decided to join the fun and brought their own DJ action against Trend Micro despite the fact that they were a licensee under the '600 patent. So that sets the stage. What we are really interested in is what happened to this patent upon reexamination.

On June 1, 2010, Fortinet filed an ex parte reexamination request with the USPTO on the '600 patent [our earlier story on that]. That request [PDF], running 298 pages (which we are obviously not going to reproduce in its entirety in text format here because of its length) cited 11 significant items of prior art, all dating from more than two years prior to the filing of the application by Trend Micro. As stated in the introduction to the request:

Claims 1-22 (all claims) of the '600 patent are invalid under 35 U.S.C. §103(a) in view of the previously cited and uncited prior art references listed above. The references cited in this Request demonstrate the lack of novelty and obviousness of all claims (i.e., claims 1-22) of the '600 patent, thereby raising a number of substantial new questions of patentability which merit consideration by way of reexamination.

The '600 patent issued from an application filed on September 26, 1995. The '600 patent broadly claims a system, an apparatus and methods for detecting computer viruses during transmission over a network. The specification of the '600 patent describes a gateway computer consisting of: a prior art computer system, running a prior art operating system, such as Berkeley Software Distribution (BSD) UNIX, connecting two networks using prior art connection methods, providing prior art data transfer services, such as FTP and SMTP, via prior art proxy servers modified according to the teaching of the patent. In other words, the patent describes a basic and entirely routine network implementation. The specification also describes scanning for viruses, which was also in the prior art, at an intermediary node between computers or computer networks. The purportedly novel teaching of the patent application was simply the combination of a rudimentary and well known network implementation, with the addition of equally rudimentary and well known anti-virus scanning on a network gateway.

Independent claim 1 of the '600 patent is representative and instructive - demonstrating the obviousness over the prior art systems and publications presented herewith. Claim 1 broadly claims a system implemented on a proxy server for detecting viruses in data transfers—a system which performs the obvious steps of checking data to be transferred for the presence of a virus and performing various equally obvious actions depending on the result of the virus check. In a nutshell, this claim under the broadest reasonable construction arguably covers any anti-virus scanning performed by any network device. In fact, such a broad construction of the '600 patent has been openly adopted by applicant as part of its aggressive licensing program and associated litigation ("We [Trend] are litigating [with] Barracuda, who are selling a gateway and putting whatever type of AV, whether it's ClaimAV or Shophos [sic] of whomever's AV, on there. "In the ['600] patent, we are not claiming that we invented the antivirus scanner. We are not claiming that we invented the proxy server. But the concept of using these two together so that you can stop the virus during the transition [sic: transmission] is new.").

Clearly Fortinet and Barracuda did not think much of the '600 patent. The remainder of the request provided substantial detail as to why the patent should be invalidated in its entirety. It's worth noting that, in order to meet USPTO technical filing requirements for an ex parte reexamination, Fortinet had to resubmit its request. It did so on July 11, 2010, and in the corrected filing Fortinet cited more than 40 separate grounds for invalidating the various claims of the '600 patent.

The examiner reviewed the request, did an internal search for further prior art, and on September 16, 2010, rendered his decision by ordering the reexamination [our earlier story on the reexam order]. Here is the substance of that reexamination order [PDF]:

DECISION

1) A substantial new question of patentability affecting claims 1-22 of United States Patent Number 5,623,600 (Ji et al) is raised by the corrected request for ex parte reexamination filed 7/21/10.

Extensions of time under 37 CFR 1.136(a) will not be permitted in these proceedings because the provisions of 37 CFR 1.136 apply only to "an applicant" and not to parties in a reexamination proceeding. Additionally, 35 U.S.C. 305 requires that ex parte reexamination proceedings "will be conducted with special dispatch" (37 CFR 1.550(a)). Extensions of time in ex parte reexamination proceedings are provided for in 37 CFR 1.550(c).

References Cited in the Request

2) Requestor has cited eleven references in the request filed 7/21/10.
Cheswick (The Design of a Secure Internet Gateway)
Cheswick and Bellovin (hereafter CB) (Firewalls and Internet Security)
Layland (A Gateway to Internet Health and Happiness)
LANProtect (Intel LANProtect Product Documentation)
Sidewinder (Special Report: Secure Computing Corporation and Network Security)
TIS Firewall (TIS Firewall Toolkit Overview)
Hile (U.S. Pat 5,319,776)
TFS Manual (TFS Gateway)
MIMEsweeper (MIMEsweeper administrator guide)
MpScan (MpScan-Email Security)
SunScreen SPF-100 (Network Security SunScreen SPF-100)
Ten of these eleven references were not of record during the original prosecution of U.S. Pat 5,623,600, nor used in any previous rejection of the claims during the original examination. Hile was previously considered during examination.

Identification of Every Claim for Which Reexamination is Requested

3) The references above are discussed in the request regarding claims 1-22 of the Ji patent. Pages 2-282 of the corrected request detail out proposed substantial new questions of patentability in light of the eleven references cited above.

Substantial New Question of Patentability

4) During the original prosecution of the Ji patent, the original examiner issued a notice of allowability on 10/22/96 with no specific reasons for allowance. A claim amendment and arguments submitted on 9/24/96 therefore appear to have overcome the prior art of record. This amendment will be utilized to show why the newly cited references above do or do not create a substantial new question of patentability.

For purposes of determination, independent claims 1, 4 and 11 are used as representative claims for the various proposed prior art listed below. The italicized sections of the claims below are utilized by the examiner to show how specific teachings of the proposed references create a substantial new question of patentability in light of the original prosecution history above.

Claim 1:

A system for detecting and selectively removing viruses in data transfers, the system comprising:

a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;

a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output;

a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit; the processing unit having inputs and outputs; the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit; the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted;

a proxy server for receiving data to be transferred, the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses, the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred; and

a daemon for transferring data from the proxy server in response to control signals from the proxy server, the daemon having a control input, a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals, and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred.

Claim 4:

A computer implemented method for detecting viruses in data transfers between a first computer and a second computer, the method comprising the steps of:

receiving at a server a data transfer request including a destination address;

electronically receiving data at the server;

determining whether the data contains a virus at the server;

performing a preset action on the data using the server if the data contains a virus;

sending the data to the destination address if the data does not contain a virus;

determining whether the data is of a type that is likely to contain a virus; and transmitting the data from the server to the destination without performing the steps of determining whether the data contains a virus and performing a preset action if the data is not of a type that is likely to contain a virus.

Claim 11:

A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, the method comprising the steps of:

receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

determining whether the mail message contains a virus, the determination of whether the mail message contains a virus comprising determining whether the mail message includes any encoded portions, storing each encoded portion of the mail message in a separate temporary file, decoding the encoded portions of the mail message to produced decoded portions of the mail message, scanning each of the decoded portions for a virus, and testing whether the scanning step found any viruses;

performing a preset action on the mail message if the mail message contains a virus; and

sending the mail message to the destination address if the mail message does not contains a virus.

Cheswick, CB, and LANProtect

5) Cheswick discloses a secure network configuration involving a pair of machines. CB discloses the proper use of firewalls to increase security on networked computers. LANProtect teaches server-based virus protection software.

The Request shows that the combination of Cheswick, CB and LANProtect, for claim 1, teaches a proxy server for receiving data to be transferred, the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses, the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred; and

a daemon for transferring data from the proxy server in response to control signals from the proxy server, the daemon having a control input, a data input and a data output the control to preset handing instructions and the presence of viruses, the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred; and a daemon for transferring data from the proxy server in response to control signals from the proxy server, the daemon having a control input, a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals, and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred (see Request claim mapping, pages 56-59).

Cheswick, CB and MIMEsweeper were not of record in the original prosecution of U.S. Pat 5,623,600.

It is agreed that the consideration of Cheswick, CB and MIMEsweeper raises an SNQ as to claims 1-22 of the Ji patent as pointed out above. There is a substantial likelihood that a reasonable examiner would consider these teachings important in deciding whether or not these claims are patentable.

Accordingly, Cheswick, CB and MIMEsweeper raise a substantial new question of claims 1-22, which question has not been decided in a previous examination of the Ji patent nor was there a final holding of invalidity by the Federal Courts regarding the Ji patent.

Cheswick, CB, and MIMEsweeper

6) Cheswick discloses a secure network configuration involving a pair of machines. CB discloses the proper use of firewalls to increase security on networked computers. MIMEsweeper discloses a mail filtering product for email gateways that protects networks from virus infection via email.

The Request shows that the combination of Cheswick, CB and MIMEsweeper, for claim 1, teaches a proxy server for receiving data to be transferred, the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset handing instructions and the presence of viruses, the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred; and

a daemon for transferring data from the proxy server in response to control signals from the proxy server, the daemon having a control input, a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals, and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred (see Request claim mapping, pages 56-59).

Cheswick, CB and MIMEsweeper were not of record in the original prosecution of U.S. Pat 5,623,600.

It is agreed that the consideration of Cheswick, CB and MIMEsweeper raises an SNQ as to claims 1-22 of the Ji patent as pointed out above. There is a substantial likelihood that a reasonable examiner would consider these teachings important in deciding whether or not these claims are patentable.

Accordingly, Cheswick, CB and MIMEsweeper raise a substantial new question of claims 1-22, which question has not been decided in a previous examination of the Ji patent nor was there a final holding of invalidity by the Federal Courts regarding the Ji patent.

CB, TIS Firewall and Sidewinder

7) CB discloses the proper use of firewalls to increase security on networked computers. TIS Firewall discloses a set of programs and configuration practices designed to facilitate the building of network firewalls. Sidewinder discloses that certain classes of data can be selectively prohibited from passing to and from the external network.

The Request shows that the combination of CB, TIS Firewall and Sidewinder, for claim 4, teaches determining whether the data is of a type that is likely to contain a virus; and transmitting the data from the server to the destination without performing the steps of determining whether the data contains a virus and performing a preset action if the data is not of a type that is likely to contain a virus (see Request claim mapping, pages 99-100).

CB, TIS Firewall and Sidewinder were not of record in the original prosecution of U.S. Pat 5,623,600.

It is agreed that the consideration of CB, TIS Firewall and Sidewinder raises an SNQ as to claims 1-22 of the Ji patent as pointed out above. There is a substantial likelihood that a reasonable examiner would consider these teachings important in deciding whether or not these claims are patentable.

Accordingly, CB, TISFirewall and Sidewinder raise a substantial new question of claims 1-22, which question has not been decided in a previous examination of the Ji patent nor was there a final holding of invalidity by the Federal Courts regarding the Ji patent.

LANProtect, TIS Firewall and TFS Manual

8) LANProtect teaches server-based virus protection software. TIS Firewall discloses a set of programs and configuration practices designed to facilitate the building of network firewalls. TFS Manual discloses a gateway that receives mail message requests using SMTP and other protocols.

The Request shows that the combination of LANProtect, TIS Firewall and TFS Manual, for claim 4, teaches determining whether the data is of a type that is likely to contain a virus; and transmitting the data from the server to the destination without performing the steps of determining whether the data contains a virus and performing a preset action if the data is not of a type that is likely to contain a virus (see Request claim mapping, pages 107-108).

LANProtect, TIS Firewall and TFS Manual were not of record in the original prosecution of U.S. Pat 5,623,600.

It is agreed that the consideration of LANProtect, TIS Firewall and TFS Manual raises an SNQ as to claims 1 -22 of the Ji patent as pointed out above. There is a substantial likelihood that a reasonable examiner would consider these teachings important in deciding whether or not these claims are patentable.

Accordingly, LANProtect, TIS Firewall and TFS Manual raise a substantial new question of claims 1-22, which question has not been decided in a previous examination of the Ji patent nor was there a final holding of invalidity by the Federal Courts regarding the Ji patent.

LANProtect, MIMEsweeper, Sidewinder and MpScan

9) LANProtect teaches server-based virus protection software. MIMEsweeper discloses a mail filtering product for email gateways that protects networks from virus infection via email. Sidewinder discloses that certain classes of data can be selectively prohibited from passing to and from the external network. MpScan discloses an e-mail content scanning firewall.

The Request shows that the combination of LANProtect, MIMEsweeper, Sidewinder and MpScan, for claim 11, teaches the determination of whether the mail message contains a virus comprising determining whether the mail message includes any encoded portions, storing each encoded portion of the mail message in a separate temporary fde, decoding the encoded portions of the mail message to produced decoded portions of the mail message, scanning each of the decoded portions for a virus, and testing whether the scanning step found any viruses; (see Request claim mapping, pages 147-148).

LANProtect, MIMEsweeper, Sidewinder and MpScan were not of record in the original prosecution of U.S. Pat 5,623,600.

It is agreed that the consideration of LANProtect, MIMEsweeper, Sidewinder and MpScan raises an SNQ as to claims 1-22 of the Ji patent as pointed out above. There is a substantial likelihood that a reasonable examiner would consider these teachings important in deciding whether or not these claims are patentable.

Accordingly, LANProtect, MIMEsweeper, Sidewinder and MpScan raise a substantial new question of claims 1-22, which question has not been decided in a previous examination of the Ji patent nor was there a final holding of invalidity by the Federal Courts regarding the Ji patent.

Sunscreen SPF-100 and Layland

10) Sunscreen SPF-100 discloses firewall protection and virtual private network support across public networks. Layland discloses an Internet gateway that subjects incoming files to a virus scan.

The Sunscreen SPF-100 and Layland references are utilized as secondary references in the request for claims that are dependent on independent claims. As the art above has raised an SNQ for at least independent claims 1, 4 and 11, the Sunscreen SPF-100 and Layland references raise a substantial new question of patentability in view of dependency.

Sunscreen SPF-100 and Layland were not of record in the original prosecution of U.S. Pat 5,623,600.

It is agreed that the consideration of Sunscreen SPF-100 and Layland raise an SNQ as to claims 1-22 of the Ji patent as pointed out above. There is a substantial likelihood that a reasonable examiner would consider these teachings important in deciding whether or not these claims are patentable.

Accordingly, Sunscreen SPF-100 and Layland raise a substantial new question of claims 1-22, which question has not been decided in a previous examination of the Ji patent nor was there a final holding of invalidity by the Federal Courts regarding the Ji patent.

Hile

11) Hile discloses storing data in a temporary file and scanning for viruses. Regarding claim 1, Hile, in combination with the art cited above, teaches scanning data for computer viruses during the data transfer "on the fly" and before the data is stored on a destination storage medium so as to prevent computer viruses from infecting the computer. Hile then automatically inhibits virus-infected data from being store (Hile, col. 1 lines 55-62). This teaching in combination with the art above appears to read on some aspects of claim 1, including scanning the data to be transferred for viruses.

Hile was of record in the original prosecution of U.S. Pat 5,623,600, and was actively used in rejections. However, Hile is now being presented in combination with the references above, which raise an SNQ themselves. Therefore, the combination of Hile with the newly proposed references in the request raises an SNQ.

It is agreed that the consideration of Hile in combination with the references above raises an SNQ as to claims 1-22 of the Ji patent as pointed out above. There is a substantial likelihood that a reasonable examiner would consider these teachings important in deciding whether or not these claims are patentable.

Accordingly, Hile in combination with the references above raises a substantial new question of claims 1-22, which question has not been decided in a previous examination of the Ji patent nor was there a final holding of invalidity by the Federal Courts regarding the Ji patent.

Scope of Reexamination

12) Claims 1-22 will be reexamined as requested in the Request. All eleven proposed references have raised an SNQ as pointed out above.

Now the examiner went to work in earnest, not merely considering the possibility that the prior art the Fortinet invited reconsideration of the patent claims, but actually applying that prior art and additional prior art that the examiner identified to reconsider each of the claims. On December 15, 2010, the examiner issued a first Non-Final Rejection [PDF] of all of the claims. This was followed on January 6, 2011, by a second Non-Final Rejection [PDF] that supplemented the first. Each of these non-final rejections runs more than 50 pages, so we will not attempt to reproduce them in text form here, but this observer has rarely seen a rejection containing such extensive citations. These were brutal.

On March 4, 2011, Trend Micro responded, first by amending its claims [PDF] and submitting a new application [PDF] and then by asserting its arguments [PDF] contesting the examiner's determination. Interestingly, Trend Micro didn't even pretend to narrow most of its claim; rather, they added some 15 new claims! Talk about unrepentant. Here are the amended claims Trend Micro was now seeking:

AMENDMENTS TO THE CLAIMS

[NB: Underlying below indicates new text added by the patent holder to amend the claims. Where text has been deleted, it is shown in brackets.]

1. (Amended). A system for detecting and selectively removing viruses in data transfers, the system comprising:

a memory for storing data and routines, the memory having inputs and outputs, the memory including a server for scanning data for a virus and specifying data handling actions dependent on an existence of the virus;

a communications unit for receiving and sending data in response to control signals, the communications unit having an input and an output; a processing unit for receiving signals from the memory and the communications unit and for sending signals to the memory and communications unit; the processing unit having inputs and outputs; the inputs of the processing unit coupled to the outputs of memory and the output of the communications unit; the outputs of the processing unit coupled to the inputs of memory, the input of the communications unit, the processor controlling and processing data transmitted through the communications unit to detect viruses and selectively transfer data depending on the existence of viruses in the data being transmitted;

a proxy server for receiving data to be transferred, the proxy server scanning the data to be transferred for viruses and controlling transmission of the data to be transferred according to preset [handing] handling instructions and the presence of viruses, the proxy server having a data input a data output and a control output the data input coupled to receive the data to be transferred; and

a daemon for transferring data from the proxy server in response to control signals from the proxy server, the daemon having a control input, a data input and a data output the control input of the daemon coupled to the control output of the proxy server for receiving control signals, and the data input of the daemon coupled to the data output of the proxy server for receiving the data to be transferred.

2. (Original). The system of claim 1, wherein the proxy server is a FTP proxy server that handles evaluation and transfer of data files, and the daemon is an FTP daemon that communicates with a recipient node and transfers data filesto the recipient node.

3. (Original). The system of claim 1, wherein the proxy server is a SMTP proxy server that handles evaluation and transfer of messages, and the daemon is an SMTP daemon that communicates with a recipient node and transfers messages to the recipient node.

4. (Original). A computer implemented method for detecting viruses in data transfers between a first computer and a second computer, the method comprising the steps of:

receiving at a server a data transfer request including a destination address;

electronically receiving data at the server;

determining whether the data contains a virus at the server;

performing a preset action on the data using the server if the data contains a virus;

sending the data to the destination address if the data does not contain a virus;

determining whether the data is of a type that is likely to contain a virus; and

transmitting the data from the server to the destination without performing the steps of determining whether the data contains a virus and performing a preset action if the data is not of a type that is likely to contain a virus.

5. (Original). The method of claim 4, further comprising the steps of storing the data in a temporary file at the server after the step of electronically transmitting; and wherein the step of determining includes scanning the data for a virus using the server.

6. (Original). The method of claim 5, wherein the step of scanning is performed using a signature scanning process.

7. (Original). The method of claim 4, wherein the step of performing a preset action on the data using the server comprises performing one step from the group of:

transmitting the data unchanged;

not transmitting the data; and

storing the data in a file with a new name and notifying a recipient of the data transfer request of the new file name.

8. (Amended). The method of claim 4, wherein the step of determining whether the data is of a type that is likely to contain a virus is performed by comparing an extension type of a file name for the data to a group [or] of known extension types.

9. (Original). The method of claim 4, further comprising the steps of:

determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network;

wherein the server is a FTP proxy server;

wherein the step of electronically receiving data comprises the steps of transferring the data from a client node to the FTP proxy server, if the data is not being transferred into the first network; and

wherein the step of electronically receiving data comprises the steps of transferring the data from a server task to an FTP daemon, and then from the FTP daemon to the FTP proxy server if the data is being transferred into the first network.

10. (Original). The method of claim 4, further comprising the steps of:
determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network;

wherein the server is a FTP proxy server;

wherein the step of sending the data to the destination address comprises transferring the data from the FTP proxy server to a node having the destination address, if the data is being transferred into the first network;and

wherein the step of sending the data to the destination address comprises transferring the data from the FTP proxy server to a FTP daemon, and then from an FTP daemon to a node having the destination address, if the data is not being transferred into the first network.

11. (Currently Amended) A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, the method comprising the steps of:
receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

determining whether the mail message contains a virus, the determination of whether the mail message contains a virus comprising determining whether the mail message includes any encoded portions, storing each encoded portion of the mail message in a separate temporary file, decoding the encoded portions of the mail message to produced decoded portions of the mail message, scanning each of the decoded portions for a virus, and testing whether the scanning step found any viruses;

performing a preset action on the mail message if the mail message contains a virus; and

sending the mail message to the destination address if the mail message does not [contains] contain a virus.

12. (Original). The method of claim 11, wherein the step of determining whether the mail message includes any encoded portions searches for uuencoded portions.

13. (Currently Amended) A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, the method comprising the steps of:

receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

scanning the mail message for encoded portions;

determining whether the mail message contains a virus;

performing a preset action on the mail message if the mail message contains a virus;

sending the mail message to the destination address if the mail message does not [contains] contain a virus; and

wherein the step of sending the mail message to the destination address is performed if the mail message does not contain any encoded portions; the server includes a SMTP proxy server and a SMTP daemon; and the step of sending the mail message comprises transferring the mail message from the SMTP proxy server to the SMTP daemon and transferring the mail message from the SMTP daemon to a node having an address matching the destination address.

14. (Original). The method of claim 11, wherein the step of determining whether the mail message contains a virus, further comprises the steps of:
storing the message in a temporary file;

scanning the temporary file for viruses; and

testing whether the scanning step found a virus.

15. (Original). The method of claim 11, wherein step of scanning is performed using a signature scanning process.

16. (Original). The method of claim 11, wherein the step of performing a preset action on the mail message comprises performing one step from the group of:

transferring the mail message unchanged;

not transferring the mail message;

storing the mail message as a file with a new name and notifying a recipient of the mail message request of the new file name; and

creating a modified mail message by writing the output of the determining step into the modified mail message and transferring the mail message to the destination address.

17. (Currently Amended). The method of claim 11, wherein the step of performing a preset action on the mail message comprises performing one step from the group of:
transferring the mail message unchanged;

transferring the mail message with the encoded portions having a virus deleted; and

renaming the [encode] encoded portions of the mail message containing a virus, and storing the renamed portions as files in a specified directory on the server and notifying a recipient of the renamed files and directory; and

writing the output of the determining step into the mail message in place of respective encoded portions that contain a virus to create a modified mail message and sending the modified mail message.

18. (Original). An apparatus for detecting viruses in data transfers between a first computer and a second computer, the apparatus comprising:
means for receiving a data transfer request including a destination address;

means for electronically receiving data at a server;

means for determining whether the data contains a virus at the server;

means for performing a preset action on the data using the server if the data contains a virus; and means for sending the data to the destination address if the data does not contain a virus.

19. (Original). The apparatus of claim 18, wherein means for determining includes a means for scanning that scans the data using a signature scanning process.

20. (Original). The apparatus of claim 18, wherein the means for performing a preset action comprises:

means for transmitting the data unchanged;

means for not transmitting the data; and

means for storing the data in a file with a new name and notifying a recipient of the data transfer request of the new file name.

21. (Original). The apparatus of claim 18; further comprising:
a second means for determining whether the data is of a type that is likely to contain a virus; and

means for transmitting the data from the server to the destination without performing the steps of scanning, determining, performing and sending, if the data is not of a type that is likely to contain a virus.

22. (Original). The apparatus of claim 18, further comprising means for determining whether the data is being transferred into a first network by comparing the destination address to valid addresses for the first network.

23. (New). A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, comprising:

receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

determining whether the mail message contains a virus, the determination of whether the mail message contains a virus comprising (i) determining whether the mail message includes any encoded portions, (ii) storing each encoded portion of the mail message in a separate temporary file, (in) decoding the encoded portions of the mail message to produce decoded portions of the mail message, (iv) scanning each of the decoded portions for a virus, (v) scanning each unencoded portion of the mail message for a virus, (vi) determining if any of the decoded portions of the mail message contain a virus, and (vii) determining if the unencoded portions of the mail message contain a virus;

performing a preset action on the mail message if any of the decoded portions of the mail message contain a virus or if the unencoded portions of the mail message contain a virus; and

sending the mail message to the destination address if the mail message does not contain a virus.

24. (New) A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, comprising:
receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

determining whether the mail message includes any encoded portions;

storing each encoded portion of the mail message in a separate temporary file;

decoding the encoded portions of the mail message to produce decoded portions of the mail message;

scanning each of the decoded portions for a virus;

testing whether the scanning step found any viruses; and

performing one of i) a preset action on the mail message if the mail message contains a virus; ii) sending the mail message to the destination address without first scanning the mail message for viruses if the mail message does not contain any encoded portions; and iii) sending the mail message to the destination address if the encoded portions of the mail message do not contain a virus.

25. (New). The method of claim 24, wherein performing a preset action on the mail message comprises creating a modified mail message without any viruses and transferring the mail message to the destination address.

26. (New) The method of claim 24, wherein the performing a preset action on the mail message comprises transferring the mail message with the encoded portions having a virus deleted.

27. (New). A computer implemented method for detecting viruses in all mail messages transferred between a first computer and a second computer, comprising:

receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

determining for all messages received at the server whether the mail message contains a virus, the determination of whether the mail message contains a virus comprising (i) determining whether the mail message includes any encoded portions, (ii) storing each encoded portion of the mail message in a separate temporary file, (iii) decoding the encoded portions of the mail message to produce decoded portions of the mail message, (iv) scanning each of the decoded portions for a virus, (v) scanning each unencoded portion of the mail message for a virus, (vi) determining if any of the decoded portions of the mail message contain a virus; and (vii) determining if the unencoded portions of the mail message contain a virus;

performing a preset action on the mail message if any of the decoded portions of the mail message contain a virus or if the unencoded portions of the mail message contain a virus; and

sending the mail message to the destination address if the mail message does not contain a virus.

28. (New). A computer implemented method for detecting viruses in all mail messages transferred between a first computer and a second computer, comprising:
receiving a mail message request including a destination address;

electronically receiving the mail message at a server;

determining for all mail messages received at the server whether the mail message includes any encoded portions;

storing each encoded portion of the mail message in a separate temporary file;

decoding the encoded portions of the mail message to produce decoded portions of the mail message;

scanning each of the decoded portions for a virus;

testing whether the scanning step found any viruses; and

performing at least one of i) a preset action on the mail message if the mail message contains a virus, ii) sending the mail message to the destination address without first scanning the mail message for viruses if the mail message does not contain any encoded portions, and iii) sending the mail message to the destination address if the encoded portions of the mail message do not contain a virus.

29. (New). The method of claim 28, wherein performing a preset action on the mail message comprises creating a modified mail message without any viruses and transferring the mail message to the destination address.

30. (New). The method of claim 28, wherein the performing a preset action on the mail message comprises transferring the mail message with the encoded portions having a virus deleted.

31. (New). A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, comprising:

receiving a mail message request including a destination address;

electronically receiving the mail message at a server, wherein the server includes a Simple Mail Transfer Protocol (SMTP) proxy server and a SMTP daemon;

determining if the mail message has encoded portions;

scanning, subsequent to the determining, the encoded portions of the mail message for a virus;

performing at least one of i) a preset action on the mail message if one or more of the encoded portions of the mail message contains a virus; ii) sending the mail message to the destination address without carrying out the determining step if the mail message does not contain an encoded portion; and iii) sending the mail message to the destination address if the encoded portion of the mail message does not contain a virus; and wherein sending the mail message comprises transferring the mail message from the SMTP proxy server to the SMTP daemon and transferring the mail message from the SMTP daemon to a node having an address matching the destination address.

32. (New). The method of claim 31. wherein performing a preset action on the mail message comprises creating a modified mail message without any viruses and transferring the mail message to the destination address.

33. (New). The method of claim 31. wherein the performing a preset action on the mail message comprises transferring the mail message with the encoded portions having a virus deleted.

34. (New). A computer implemented method for detecting viruses in all mail messages transferred between a first computer and a second computer, comprising:

receiving a mail message request including a destination address;

electronically receiving the mail message at a server, wherein the server includes a Simple Mail Transfer Protocol (SMTP) proxy server and a SMTP daemon;

determining if the mail message has an encoded portion;

scanning each mail message for a virus;

performing a preset action on the mail message if the mail message contains a virus; and

sending the mail message to the destination address if either the mail message does not contain a virus or the mail message does not contain any encoded portions, wherein the sending comprises transferring the mail message from the SMTP proxy server to the SMTP daemon and transferring the mail message from the SMTP daemon to a node having an address matching the destination address.

35. (New). A computer implemented method for detecting viruses in data transfers between a first computer, a server comprising a proxy server, and a second computer, the computer implemented method comprising:
transmitting, by the first computer, a data transfer request including a destination address of the second computer:

receiving at the server the data transfer request and the destination address;

electronically receiving data at the server in response to the data transfer request;

determining, by the proxy server, whether the data contains a virus, wherein the server utilizes a protocol layer hierarchy that includes an application layer, and wherein the proxy server resides below the application layer and detection of a virus by the proxy server occurs below the application layer;

performing, by the server, a preset action on the data if the data contains a virus;

sending the data to the destination address of the second computer if the data does not contain a virus;

determining, by the proxy server, whether the data is of a type that is likely to contain a virus: and transmitting the data, in response to the data transfer request, from the server to the destination of the second computer without determining whether the data contains a virus and without performing a preset action if the data is not of a type that is likely to contain a virus.

36. (New). A computer implemented method for detecting viruses, comprising:
receiving, at a server comprising a proxy server, a data transfer request, data, and a destination address;

determining, by the proxy server, whether the data contains a virus, wherein the server utilizes a protocol layer hierarchy that includes an application layer, and wherein the proxy server and detection of a virus by the proxy server occurs below the application layer;

performing, by the server, a preset action on the data if the data contains a virus;

sending the data to the destination address if the data does not contain a virus;

determining, by the proxy server, whether the data is of a type that is likely to contain a virus; and

transmitting the data from the server to the destination address without determining whether the data contains a virus and without performing a preset action if the data is not of a type that is likely to contain a virus.

37. (New). The method of claim 11, wherein the step of performing a preset action on the mail message comprises creating a modified mail message by writing the output of the determining step into the modified mail message and transferring the mail message to the destination address.

The arguments that Trend Micro used to refute the examiner's assertions were forceful, but in the end they were not well taken by the examiner. On April 12, 2011, the examiner held an interview to discuss the reexamination position of the USPTO with Trend Micro. While this may have served to allow a more direct communication about the prior art and the USPTO's contentions, any positions taken by Trend Micro did not materially sway the examiner.

On May 19 of this year the examiner issued a Final Rejection [PDF], denying all of the claims in the '600 patent, except claims 10 and 13, including those claims that Trend Micro proposed to add through amendment. So out of 22 original claims and 15 added claims, Trend Micro now is left with just two claims. Of course, this is still not the end. Trend Micro has two months in which to respond to this Final Rejection, and even after that point it will have further avenues of appeal. However, the evidence mounted against the '600 patent is substantial and will not be easily overcome.


  


Anatomy of a Dying Patent - The Reexamination of Trend Micro's '600 Patent | 132 comments | Create New Account
Comments belong to whoever posts them. Please notify us of inappropriate comments.
Corrections here.
Authored by: entre on Monday, June 13 2011 @ 09:22 PM EDT
If needed.

[ Reply to This | # ]

Can't open Final Rejection
Authored by: mattflaschen on Monday, June 13 2011 @ 09:26 PM EDT
I can't open the Final Rejection in either Okular or xpdf.

[ Reply to This | # ]

off topic here
Authored by: designerfx on Monday, June 13 2011 @ 10:36 PM EDT
please include a link if appropriate

[ Reply to This | # ]

news picks here
Authored by: designerfx on Monday, June 13 2011 @ 10:37 PM EDT
please include link to newspick if this is the first post on
it

[ Reply to This | # ]

comes thread
Authored by: designerfx on Monday, June 13 2011 @ 10:37 PM EDT
please provide in plain old text but with all HTML formatting
listed out

[ Reply to This | # ]

Anatomy of a Dying Patent - The Reexamination of Trend Micro's '600 Patent
Authored by: kjs on Tuesday, June 14 2011 @ 12:06 AM EDT
Let's look at it from a different point of view:

this patent did exactly what a US patent is supposed to do! First it generated
income for some patent lawyers to generate the filing. Then it generated income
for the USPTO. After this it generated money for lawyers when they forced
licenses on some companies which preferred to settle and license.
Now it generates a lot of income for lawyers and USPTO in the re-examination all
in the name of being just and fair.

The biggest winners are the lawyers as the system was designed for and there's
no reason to complain as both the filing company as well as the the USPTO made
their fair share in income too.

The only losers are the 401k owners which finance a good portion of the US stock
market (wasn't that a brilliant idea?) as without these things companies could
make more profit and actually generate some money for retirement. But who cares
about these suckers...... The money ended up where it's supposed to.

>kjs

[ Reply to This | # ]

Worthless antivirus technique
Authored by: tiger99 on Tuesday, June 14 2011 @ 07:57 AM EDT
I don't think that this patent was of any practical use. I have a similar opinion about the products of the company in question, and indeed much of the antivirus industry....
10. The method of claim 9 wherein the step of determining whether the data is of a type that is likely to contain a virus is performed by comparing an extension type of a file name for the data to a group of known extension types.
Clearly aimed at Windoze, which tends to interpret the file suffix as an infallible indication of the type of file. I seem to recall that in the past much malware has made use of that by pretending to be some kind of harmless file.

The *nix way is much better, you identify the file type by, firstly, its magic number (the first few bytes), and secondly, by more detailed examination of the contents. I don't have it to hand, but the source of the "file" command should reveal how to do it quite comprehensively.

[ Reply to This | # ]

Patents like this should be rejected, even without looking at prior art
Authored by: Anonymous on Tuesday, June 14 2011 @ 08:32 AM EDT
This patent describes a "system for detecting and selectively
removing/viruses in data transfers", and gives a high level overview of the
requirements for such a system. Requirements I call it, I would hardly call this
a design or an invention, you can get this far in one or two brainstorm
sessions. This is just a start.

Translating it to the patent language was probably much more work than thinking
of the technical details, which are largely left unspecified ("means for
..."), and would be implemented using existing building blocks anyway (this
isn't a patent for a virus scanner or a mail server or a computer, just for a
way to use them).

A while ago I read a blog (it may have been a Groklaw newspick) by a patent
lawyer who demonstrated that software patents were serious inventions by showing
a flow chart. He was impressed with its complexity, or perhaps pretended he was.
I thought the same thing I think now: nothing out of the ordinary here, I used
to do this all the time in some form or other.

I worked in IT for about 23 years. Designing, building and maintaining systems
with this level of complexity was as normal as baking bread is for a baker. I
can imagine that without the general availability of computers far fewer people
would be building complex systems and far fewer complex systems would exist. The
patent system assumes a level of scarcity that doesn't exist in this field.

Patents should only be granted for something exceptional, if at all, not for
something that is a daily routine for so many. Monopolies on ordinary things are
just plain wrong.

[ Reply to This | # ]

So what is left?
Authored by: DaveJakeman on Tuesday, June 14 2011 @ 08:38 AM EDT
Claims 10 and 13. Let's look at Claim 13:
13. A computer implemented method for detecting viruses in a mail message transferred between a first computer and a second computer, the method comprising the steps of:
receiving a mail message request including a destination address; electronically receiving the mail message at a server; scanning the mail message for encoded portions; determining whether the mail message contains a virus;

performing a preset action on the mail message if the mail message contains a virus;

sending the mail message to the destination address if the mail message does not contains a virus; and

wherein the step of sending the mail message to the destination address is performed if the mail message does not contain any encoded portions; the server includes a SMTP proxy server and a SMTP daemon; and the step of sending the mail message comprises transferring the mail message from the SMTP proxy server to the SMTP daemon and transferring the mail message from the SMTP daemon to a node having an address matching the destination address.

Isn't Claim 13 a summary of the patent?

There's some stuff tacked on the end which has more to do with SMTP relay than virus scanning. Is this a patent on SMTP relay too? If not, why is that in there?

I think the patent examiner was out of his depth, didn't recognise that stuff about SMTP relay, thought it was a new or novel antivirus technique and let it through, when it's merely what the antivirus scanner does when it doesn't detect a virus, ie, let the message through. All that guff about SMTP could be written as "let the message through". Instead, it's dressed in Emperor's clothes so as to bedazzle.

If Claim 13 is allowed to stand, couldn't Trend Micro carry on trolling?

[ Reply to This | # ]

Anatomy of a Dying Patent - The Reexamination of Trend Micro's '600 Patent
Authored by: Anonymous on Tuesday, June 14 2011 @ 10:27 AM EDT
"Of course, this is still not the end. Trend Micro has two months in which
to respond to this Final Rejection, and even after that point it will have
further avenues of appeal. "

To me this is one of the reasons why the system is broke. Why so many appeals
and options to respond.

It is obvious the patent is bad lets move on.

[ Reply to This | # ]

This story demonstrates just how broken the USPTO and the U.S. legal system have become.
Authored by: sgtrock on Tuesday, June 14 2011 @ 10:28 AM EDT
This is insane behavior! Everything that Trend Micro has attempted to patent
was obvious to a person skilled in the art. And yet, here we are, 16 YEARS
after the initial submission, still paying lawyers to retard economic growth.

What is wrong with us??? How come we can't get people elected to resolve this?

The answer, unfortunately, is obvious. Our elected bodies are now almost
thoroughly in the pockets of wealthy sociopaths who care nothing for the rest of
us. That rot has spread to SCOTUS, too, or we would never have seen the
decision which allows unlimited foreign funding in our election campaigns.

"Justice delayed is justice denied."

Our legal system is demonstrating this truth over and over and over again. :(

I'm half tempted to urge my kids to emigrate back to Europe. At least some
countries there seem to have a more sane legal climate than we do.

[ Reply to This | # ]

Egad
Authored by: Anonymous on Tuesday, June 14 2011 @ 10:30 AM EDT
How can the examiner even think that, for example, claim 10
is valid??????

There is no way that any part of this patent would honestly
pass the obviousness test to any normal programmer. It's
not even complicated enough to count as a senior project.

The problems are 1) incompetent examiners and, more
importantly, 2) incompetent, corrupt judges. The CAFC
ruling that "obvious" == "published" must be overruled. If

not by the SCOTUS clowns, then by the Congress.
Unfortunately, I think both bodies are currently far too
corrupt to do anything about it.

[ Reply to This | # ]

  • very true but you forgot... - Authored by: Anonymous on Tuesday, June 14 2011 @ 12:15 PM EDT
  • Egad - Authored by: PJ on Tuesday, June 14 2011 @ 01:24 PM EDT
    • Egad - Authored by: J.F. on Tuesday, June 14 2011 @ 02:45 PM EDT
      • Egad - Authored by: maroberts on Tuesday, June 14 2011 @ 03:57 PM EDT
        • Egad - Authored by: rcsteiner on Tuesday, June 14 2011 @ 04:33 PM EDT
      • Egad - Authored by: dio gratia on Tuesday, June 14 2011 @ 05:07 PM EDT
        • Egad - Authored by: J.F. on Wednesday, June 15 2011 @ 05:15 AM EDT
        • Egad - Authored by: Imaginos1892 on Wednesday, June 15 2011 @ 01:06 PM EDT
        • Egad - Authored by: rcsteiner on Wednesday, June 15 2011 @ 05:39 PM EDT
    • Egad - Authored by: rcsteiner on Tuesday, June 14 2011 @ 04:22 PM EDT
Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details ) 		Site layout based on Woodlands theme by Bryan Bell.
Groklaw logo by John Crowley.
News Picks logo by Ted Thompson.
Powered By GeekLog
Created this page in 0.04 seconds