Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on the analysis of the telemetry data, the cloud server segments malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether a file identified in a request contains malware. If the file is malicious, the client remediates the malware using local malware definition update.