Invention Grant
US09171155B2 System and method for evaluating malware detection rules (in force)

System and method for evaluating malware detection rules
Abstract:
A malware detection rule is evaluated for effectiveness and accuracy. The detection rule defines criteria for distinguishing files having a characteristic of interest from other files lacking that characteristic, for instance, malicious files vs. benign files. The detection rule is applied to a set of unknown files. This produces a result set that contains files detected from among the set of unknown files as having the at least one characteristic of interest. Each file from the result set is compared to at least one file from a set of known files having the characteristic to produce a first measure of similarity, and to at least one file from a set of known files lacking the characteristic to produce a second measure of similarity. In response to the first measure of similarity exceeding a first similarity threshold, the detection rule is deemed effective. In response to the second measure of similarity exceeding a second similarity threshold, the detection rule is deemed inaccurate.
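
The evaluation loop in the abstract, as an added Python example that is not part of the patent text. The similarity measure (Jaccard over byte 4-grams), the best-match comparison against each known set, the "any file over threshold" verdict, the 0.5 thresholds, the two sample rules and all sample files are assumptions constructed for illustration.

```python
# Added example: evaluate a detection rule as the abstract describes.
# Assumed, not from the patent: Jaccard similarity over byte 4-grams,
# best match per known set, and "any file over threshold" as the verdict.

def ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a: bytes, b: bytes) -> float:
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb) if ga and gb else 0.0

def evaluate_rule(rule, unknown, known_with, known_without,
                  t_first=0.5, t_second=0.5):
    # Apply the rule to the unknown files to obtain the result set.
    result_set = {name: d for name, d in unknown.items() if rule(d)}
    scores = {}
    for name, d in result_set.items():
        # First measure: closeness to known files having the characteristic.
        first = max((similarity(d, k) for k in known_with), default=0.0)
        # Second measure: closeness to known files lacking it.
        second = max((similarity(d, k) for k in known_without), default=0.0)
        scores[name] = (first, second)
    return {
        "result_set": sorted(result_set),
        "scores": scores,
        "effective": any(f > t_first for f, _ in scores.values()),
        "inaccurate": any(s > t_second for _, s in scores.values()),
    }

# Constructed sample corpora (short text stand-ins for real files).
KNOWN_MALICIOUS = [b"open socket; fetch stage2; decrypt blob; inject into explorer; set run key"]
KNOWN_BENIGN = [b"read config; draw window; fetch stage2 of installer; check update; write log"]
UNKNOWN = {
    "a.bin": b"open socket; fetch stage2; decrypt blob; inject into svchost; set run key",
    "b.bin": b"read config; draw window; fetch stage2 of installer; check update; write logs",
    "c.bin": b"print hello world and exit cleanly",
}

def broad_rule(d: bytes) -> bool:   # hypothetical rule: also hits the benign installer
    return b"fetch stage2" in d

def tight_rule(d: bytes) -> bool:   # hypothetical refinement of the same rule
    return b"fetch stage2;" in d

if __name__ == "__main__":
    for rule in (broad_rule, tight_rule):
        r = evaluate_rule(rule, UNKNOWN, KNOWN_MALICIOUS, KNOWN_BENIGN)
        print(rule.__name__, r["result_set"], r["effective"], r["inaccurate"])
```

With these samples the broad rule is both effective and inaccurate, because it also catches a near-copy of a known benign file, while the tightened rule stays effective without the false positive.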