Yes, we sum it up as "Age/Popularity" but use the same additional data that they use, as well as more The main configurable elements are Age/Popularity, however, as those are the ones that affect detection the most. I wasn't criticizing the prevalence based logic, I was criticizing their line of: Which software vendor does the file belong to? Just because software comes from Sony, a legitimate vendor, does not mean that it is legitimate. I was referring to your post of: "Reputation ratings, in contrast, have no such asymptotic constraint." Reputation ratings still fall into constraints as well, weighing usability with warnings, as do signatures and heuristics. An AV could say that all packed files are malicious and thereby block ~80% of new malware but also block ~30% of legitimate software. A reputation system can say that the only legitimate software comes from Symantec, Sony, and Microsoft and to block all others but the rootkits would still survive. I'm referring to new software versions as variants of existing software. Because Symantec is using a one-to-one cryptographic hash, the slate is completely wiped blank every time a single byte is changed in any component of any new program and it must be re-scrutinized by the reputation analysis. It all depends on how Symantec has tuned their warnings - if they require 100 or 1000 users to see a new program before it passes the reputation analysis, then they WILL warn on 100 or 1000 user's systems.