Modern AV products (CrowdStrike Falcon, SentinelOne, Carbon Black) use ML models trained on millions of malware samples. These models analyze hundreds of features extracted from a binary (imports, sections, entropy, strings, structural characteristics) and produce a maliciousness score.
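To make the feature-extraction step concrete, here is an added example (not from the original page and not any vendor's code) that derives a handful of the static features named above, namely section layout, per-section entropy and printable strings, from a PE image. The feature names, the `extract_features` and `build_sample` helpers and the two-section sample are assumptions constructed for illustration; production models use far more features.

```python
import math
import re
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_features(pe: bytes) -> dict:
    """Parse the PE section table and derive a few static features."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        body = pe[raw_ptr:raw_ptr + raw_size]
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = round(entropy(body), 3)
    strings = re.findall(rb"[\x20-\x7e]{5,}", pe)  # printable ASCII runs, 5+ chars
    return {
        "size": len(pe),
        "num_sections": nsect,
        "section_entropy": sections,
        "max_section_entropy": max(sections.values(), default=0.0),
        "num_strings": len(strings),
        "file_entropy": round(entropy(pe), 3),
    }

def build_sample() -> bytes:
    """Constructed two-section PE skeleton for the demo (not a runnable program)."""
    text = b"hello world, plain text section " * 8   # 256 bytes, low entropy
    blob = bytes(range(256))                          # 256 bytes, entropy exactly 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C points to offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    data_off = 64 + 24 + 2 * 40                       # headers, then raw section data
    hdr = lambda n, size, ptr: struct.pack("<8sIIIIIIHHI", n, size, 0, size, ptr, 0, 0, 0, 0, 0)
    return dos + coff + hdr(b".text", 256, data_off) + hdr(b".blob", 256, data_off + 256) + text + blob

if __name__ == "__main__":
    print(extract_features(build_sample()))
```

The resulting dictionary is the kind of fixed-length numeric vector a classifier consumes; a section with entropy near 8.0 bits per byte is typical of compressed or encrypted content.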