Invention Grant
- Patent Title: Emulator-based malware learning and detection
- Application No.: US14754522
- Application Date: 2015-06-29
- Publication No.: US09935972B2
- Publication Date: 2018-04-03
- Inventor: Jie Zhang
- Applicant: Fortinet, Inc.
- Applicant Address: US CA Sunnyvale
- Assignee: Fortinet, Inc.
- Current Assignee: Fortinet, Inc.
- Current Assignee Address: US CA Sunnyvale
- Agency: Hamilton, DeSanctis & Cha LLP
- Main IPC: H04L29/06
- IPC: H04L29/06 ; G06N99/00

Abstract:
Methods and systems are described for malware learning and detection. According to one embodiment, an antivirus (AV) engine includes a training mode for internal lab use, for example, and a detection mode for use in commercial deployments. In training mode, an original set of suspicious patterns is generated by scanning malware samples. A set of clean patterns is generated by scanning clean samples. A revised set of suspicious patterns is created by removing the clean patterns from the original set. A further revised set of suspicious patterns is created by: (i) applying a statistical filter to the first revised set; and (ii) removing any suspicious patterns therefrom that do not meet a predefined frequency of occurrence. A detection model, based on the further revised set, can then be used in detection mode to flag executables as malware when the presence of one or more of the suspicious patterns is identified.
Public/Granted literature:
- US20160381042A1 EMULATOR-BASED MALWARE LEARNING AND DETECTION, Public/Granted date: 2016-12-29