Applying antimalware logic without revealing the antimalware logic to adversaries

Abstract

The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to antimalware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.