A malware detection system comprising a signature generator for combining malware signatures into a malware signature filter with a fixed false positive rate; a central location configured to send the malware signature filter to each of a plurality of hosts that are configured to scan files on the host system using the malware signature filter; each host configured such that if the scan indicates a positive result, the file is quarantined and the host sends identification back to central location if a false positive result is obtained for additional instruction. A method for malware detection operative to combine malware signatures into a filter with fixed false positive rate; comprising sending a malware signature filter to hosts for scanning of files on the host system and incoming data; if the malware signature filter returns a positive alert, identification is sent back to a central location.