Ex parte Finjan, Inc.
Appeal 2011003035; Reexam 90/008,684; Tech. Center 3900
Decided June 6, 2011
The patent under ex parte reexamination involved virus protection software. A representative independent claim read:
1. A computer-based method, comprising:
monitoring the operating system during runtime for an event caused from a request made by a Downloadable;
interrupting processing of the request;
comparing information pertaining to the Downloadable against a predetermined security policy; and
performing a predetermined responsive action based on the comparison, the predetermined responsive action including storing results of the comparison in an event log.
During the reexam, the Examiner rejected claim 1 as anticipated by a non-patent reference (Rx PC - The Anti-Virus Handbook) which described a software package ("Virex PC") containing two anti-virus programs, VPCScan and VirexPro. The Patentee responded by arguing that several of the claim elements were not taught by the reference – and submitted declaration evidence to supplement these arguments.
One of the elements argued on appeal by the Patentee was the "monitoring" element. The Patentee argued in the Appeal Brief that Virex monitored a user-selected target file rather than the operating system. More specifically, the Patentee argued that Virex "sat in front of" a user-selected target file to intercept all requests associated with this file – regardless of which executable made the request. The Patentee contrasted this with claim 1, which described "monitoring all requests from Downloadable [files] to the operating system, not just requests to particular files." (Emphasis in original.) The Patentee then referred to the expert declaration to provide more technical detail about the workings of Virex:
In order to monitor the operating system for events caused by requests from Downloadables as required by the claims, requests to both selected and non-selected files and file types must be monitored. Per the expert affidavit of Dr. Giovanni Vigna (Paragraph 4), file-based Virex and VirexPRO did not and could not monitor an entire operating system for a requested action or resulting event from a requesting file or program (hereafter "virus file"), the Virex programs could only monitor actions to be taken on pre-determined target files. More particularly, the Virex programs hijack the response routine of specific software interrupts. By doing this, they are able to monitor only a subset of the operations that can be performed by a program (that is, those that are associated with the software interrupt), and, as a result, they are not capable of monitoring the operating system in a comprehensive fashion.
In the Answer, the Examiner responded to the Patentee's arguments. In response to the Patentee's assertion that Virex did not monitor the operating system, the Examiner cited to teachings in the Handbook that Virex monitored requests for disk formatting and requests for disk reads and write. According to the Examiner, "detecting these activities requires that Virex monitor subsystems of the operating system such as the file system, memory system, network system, and run-time execution system." In response to the Patentee's assertion that Virex monitored only user-selected files, the Examiner clarified that the rejection relied on teachings about installation. The Examiner explained that Virex's installation options allowed the user to select all files (via a wildcard ). With this option chosen, Virex would then monitor all files, i.e. "an entire operating system", at runtime.
The Patentee filed a Reply Brief to rebut points in the Examiner's Answer. According to the Patentee, "protecting every file on the computer is not the same as monitoring the operating system." Having the user "manually select every file or extension" is "incredibly inefficient and substantively different from monitoring the operating system" since "if any new files or extensions are added to the computer then the user would need to manually select those files."The Patentee then characterized user selection of every file on the computer as "a construction of the Examiner" that is "not mentioned in [the Handbook]." As for the Examiner's reliance on the teachings about disk formatting and disk reads/writes, "the 'features' are never described in any detail and [the Handbook] does not disclose anything about how these features are performed."
The Board affirmed the anticipation rejection. With regard to the Patentee's "monitoring" argument, the Board referred to the Handbook in making these findings of fact: Virex continuously monitored a computer system which included an operating system; and Virex created an alert when an attempt was made to perform tasks such as executing a program. The Board then drew the following conclusion:
Since [Virex] continuously monitors a computer system that includes an operating system for an “event” (e.g., an attempt to run a program or an attempt to terminate and stay resident – the attempt being a “request” for an event), we agree with the Examiner that Endrijonas discloses monitoring the operating system of the computer system for the event as recited in claim 1.
The Board explained why the Patentee's arguments were unpersuasive:
Appellant does not sufficiently demonstrate any differences between the [Virex program] continuously monitoring the computer system (including the operating system contained therein) for an event (e.g., an attempt to run a program or an attempt to terminate and stay resident) and the claimed feature of monitoring the operating system for an event. Nor do we identify any differences since in both cases, a computer system and operating system of the computer system are being monitored for an event.
Postscript: The Patentee appealed to the Federal Circuit. But the appeal involved another issue (whether or not the Virus Handbook was an enabling reference) so that Fed. Cir. stayed the appeal pending decision on another case on the presumption of enablement for non-patent references, In re Antor Media. Antor was decided in Aug. 2012, but no decision has been issued yet in In re Finjan.
My two cents: Right result. Bad reasoning.
The Board's simplistic reasoning was based on the unsupportable premise that performing an action on a whole implies performing the action on the components of the whole. Probably true in some contexts, but it's hardly a general truth. Does "painting a house" mean painting: 1) the exterior; 2) the exterior and the interior; 3) exterior, interior, and contents of the house; 4) exterior including the window panes and shingles on the roof? Generally, we mean #1. Maybe #2. #3 and #4 are unlikely choices.
In this case, "monitoring a computer system" might mean monitoring only the hardware components, or might mean monitoring only the software application components, or might mean monitoring only the operating system. I'm inclined to say that the Virus Handbook was talking about monitoring the operating system, since the entity that provides services for detecting actions like file access and program execution is usually referred to as an "operating system." But my point is that I reached that conclusion from the specific teachings of the reference, as understood by a POSITA –not from a premise that actions on a system applying to all components of the system.