Antivirus and advanced persistent threat (APT) protection systems typically rely on platform-dependent attributes of various computing objects, or other detailed information about reputation, behavior, and the like. There remains a need for malware detection techniques that increase sensitivity to relevant events without requiring a corresponding increase in data storage and communications between an endpoint and a remote threat management facility.