Invention Grant
US09380066B2 Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment
In force
- Patent Title: Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment
- Application No.: US13853601
- Application Date: 2013-03-29
- Publication No.: US09380066B2
- Publication Date: 2016-06-28
- Inventor: Dirk Hohndel, Adriaan van de Ven
- Applicant: Intel Corporation
- Applicant Address: US CA Santa Clara
- Assignee: Intel Corporation
- Current Assignee: Intel Corporation
- Current Assignee Address: US CA Santa Clara
- Agency: Patent Capital Group
- Main IPC: H04L29/06
- IPC: H04L29/06 ; G06N3/12 ; G06F21/55 ; G06F21/56

Abstract:
Technologies are provided in embodiments to detect malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the entropy rate to an average entropy rate, and to determine a probability that the potentially affected system is infected with malware. The probability is based, at least in part, on a result of the comparison. More specific embodiments can include the received entropy rate being generated, at least in part, by a genetic program. Additional embodiments can include a configuration to provide the potentially affected system with a specified time-span associated with the genetic program. The specified time-span indicates an amount of time to observe context information on the potentially affected system. In at least some embodiments, the result of the comparison includes an indicator of whether the entropy rate correlates to an infected system or a healthy system.