McAfee Inc v. Cap Co Ltd

1. Case Identification

• Case #: IPR2016-00214
• Patent #: RE44,249
• Filed: November 18, 2015
• Petitioner(s): McAfee, Inc.
• Patent Owner(s): CAP Co., Ltd.
• Challenged Claims: 40-46 and 48-53

2. Patent Overview

• Title: Methods for Blocking Harmful Information Online
• Brief Description: The ’249 patent describes a system for protecting a client computer from viruses and other harmful information. The technology involves automatically downloading, installing, and executing an antivirus protection module that inspects file input/output (I/O) in real-time to block threats before a file is executed.

3. Grounds for Unpatentability

Ground 1: Obviousness over Hodges and Butt - Claims 40-42, 44, 46, and 48-50, 53 are obvious over Hodges in view of Butt.

• Prior Art Relied Upon: Hodges (Patent 6,035,423) and Butt (Patent 6,728,964).
• Core Argument for this Ground:
  • Prior Art Mapping: Petitioner argued that the combination of Hodges and Butt rendered the core invention obvious. Hodges taught a system for automatically delivering updated antivirus software and virus signature files from a central server to a client computer over a network and then automatically executing the updates. This disclosed the claimed automatic delivery and execution of a "harmful information blocking code module." Butt taught a method for real-time virus detection by using a dynamic linked library (DLL) to "hook" or intercept an operating system’s file I/O routines (e.g., OpenFile()). This interception allowed a virus scan engine to inspect a file for threats before the file was executed. If a virus was found, Butt disclosed taking remedial action, such as cleaning the file, deleting it, or aborting the file I/O routine (denying access). Petitioner contended this combination taught the central limitations of independent claims 40 and 48, including inspecting file I/O by intercepting routines and aborting execution if a file is harmful and cannot be treated.
  • Motivation to Combine: Petitioner asserted a POSITA would combine these references to solve a known problem: the need for proactive, up-to-date antivirus protection. Hodges provided an improved automated delivery mechanism for the latest antivirus software, while Butt provided an improved real-time detection method. Combining Butt's on-access scanning technique with Hodges's automated update system was a predictable, common-sense improvement to ensure client computers had the latest and most effective protection.
  • Expectation of Success: A POSITA would have a reasonable expectation of success because both references described technologies implemented in common computing environments (e.g., Windows) and addressed complementary aspects of antivirus protection (delivery and detection), making their integration straightforward.

Ground 2: Obviousness over Hodges, Butt, and Kephart - Claims 43 and 51 are obvious over Hodges and Butt in view of Kephart.

• Prior Art Relied Upon: Hodges (Patent 6,035,423), Butt (Patent 6,728,964), and Kephart (a 1997 conference proceeding titled "Blueprint for a Computer Immune System").
• Core Argument for this Ground:
  • Prior Art Mapping: This ground built upon the Hodges and Butt combination to address dependent claims 43 and 51, which added the limitation of transmitting a harmful file to a web server if it is determined that the file cannot be treated. While Hodges and Butt taught detecting and treating known viruses, Petitioner argued they did not explicitly address how to handle novel, previously unknown viruses for which no treatment existed. Kephart disclosed an "immune system" for computers that, upon detecting a potential new virus, would capture a sample (which could include the infected file), and transmit it to a central computer for analysis to develop a new "prescription" (i.e., a cure or treatment).
  • Motivation to Combine: A POSITA would combine Kephart with the system of Hodges and Butt to address the well-known problem of zero-day or untreatable viruses. Adding Kephart's mechanism for analyzing new threats provided a logical next step for a comprehensive antivirus system, allowing it to adapt to new viruses that the existing definitions in Hodges and Butt could not handle.

Ground 3: Obviousness over Hodges, Butt, and Freund - Claims 45 and 52 are obvious over Hodges and Butt in view of Freund.

• Prior Art Relied Upon: Hodges (Patent 6,035,423), Butt (Patent 6,728,964), and Freund (Patent 5,987,611).
• Core Argument for this Ground:
  • Prior Art Mapping: This ground targeted dependent claims 45 and 52, which added limitations related to inspecting network packet I/O and aborting an internal process supporting a harmful network packet. The base combination of Hodges and Butt focused on file-level I/O. Freund disclosed a client-side monitor that intercepted and inspected all TCP/IP network communications to enforce access rules. If a rule was violated (e.g., accessing a malicious website), Freund taught taking remedial action, including terminating the communication or the associated process.
  • Motivation to Combine: A POSITA would combine Freund's network-level protection with the file-level protection of Hodges and Butt to create a more robust, multi-layered security solution. As network-based threats were a known vector for malware, adding network packet inspection was a predictable way to enhance the overall security of the system. Freund itself disclosed combining network and file activity monitoring, providing an explicit motivation.

4. Key Claim Construction Positions

• "harmful information blocking code module": Petitioner argued this term should be construed as "an executable program that blocks harmful information." This construction was based on the specification's repeated description of the module as a "program" and the claims' requirement that the module be "executed," which Petitioner contended only an executable program can do, not any form of "digital information."
• "I/O data of at least one file I/O routine": Petitioner proposed this means "file information accessed by one or more file I/O routines." This construction links the intercepted I/O data directly to the file being accessed, consistent with the patent's description of "hooking up file I/O routines" to "get file information."
• Preamble of Claim 48: Petitioner argued the preamble of independent claim 48 is limiting. Unlike the preamble of claim 40, claim 48's preamble provided essential antecedent basis and limitations (e.g., the relationship between the client and server) not found in the body of the claim, giving it "life, meaning, and vitality."

5. Relief Requested

• Petitioner requests institution of an inter partes review and cancellation of claims 40-46 and 48-53 of the ’249 patent as unpatentable under 35 U.S.C. §103.