DETAILED ACTION
This Office Action is in response to the communication filed on 05/12/2021.
The objections to claims 5-12, 14-15, 17, and 20 have been withdrawn in view of amendments and cancelations of the claims. 
The rejection of claim 20 under 35 U.S.C. 101 has been withdrawn in view of amendments of the claim. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Terminal Disclaimer
The terminal disclaimer filed on 05/12/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of Patent number 9,325,735 and 10,257,221 has been reviewed and is accepted. The terminal disclaimer has been recorded.
Examiner's Amendment
An Examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be 
Authorization for this Examiner's amendment was given in a discussion with Obert H. Chu (Reg. No. 52,744) on 05/20/2021.
The application has been amended as follows:
Claim 5: (Canceled).
Claim 6: (Canceled).
Claim 7: (Canceled).
Claim 15: 
	Line 8: delete "the following"
Claim 17: 
	Line 5: replace "the host" with --the particular host--
Allowable Subject Matter
Claims 1-2, 4, and 9-20 are allowed.
The following is an examiner's statement of reasons for allowance:
Regarding independent claim 1: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 1: "wherein the cloud security service receives one 
Regarding independent claim 19: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 19: "wherein the cloud security service receives one or more samples from one or more of the plurality of security devices, wherein the cloud security service automatically analyzes at least one sample of the one or more samples by monitoring network activity during emulation of the at least one sample of the one or more samples to identify one or more bad network domains that the at least one sample of the one or more samples attempts to connect to during the emulation, wherein the first security device of the plurality of security devices is configured to sinkhole at least one of the one or more bad network domains to implement selective sinkholing of malware domains by the first security device via DNS poisoning, and wherein the first security device includes a firewall;" "generating a DNS query response to the DNS query to send to the local DNS server, wherein the DNS query response includes a time to live (TTL) set to a predetermined period of time, the predetermined period of time being set to a value to allow subsequent queries from local hosts to the local DNS server for the bad network domain to result in a local DNS server cache miss and corresponding 
Regarding independent claim 20: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 20: "wherein the cloud security service receives one or more samples from one or more of the plurality of security devices, wherein the cloud security service automatically analyzes at least one sample of the one or more samples by monitoring network activity during emulation of the at least one sample of the one or more samples to identify one or more bad network domains that the at least one sample of the one or more samples attempts to connect to during the emulation, wherein the first security device of the plurality of security devices is configured to sinkhole at least one of the one or more bad network domains to implement selective sinkholing of malware domains by the first security device via DNS poisoning, and wherein the first security device includes a 
Regarding dependent claims: Dependent claims are allowed as they depend from allowable independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
Conclusion

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 






/AMIE C. LIN/Primary Examiner, Art Unit 2436