Patent attributes
In an embodiment, systems and methods for detecting malware are provided. A server trains a static malware model and a dynamic malware model to detect malware in files. The models are distributed to a plurality of user devices for use by antimalware software executing on the user devices. When a user device receives a file, the static malware model is used to determine whether the file contains malware. If the static malware model is unable to make the determination, when the file is later executed, the dynamic malware model is used to determine whether the file contains malware. The file along with the determination made by the dynamic malware model are then provided to the server. The server then retrains the static malware model using the received files and the received determinations. The server then distributes the updated static malware model to each of the devices.