Threat Prob

Windows Defender, and many NBA (network behavioral analysis) tools, use non-trivial probabilistic models, not just deterministic signature matching, to assess system threats.

See here and here for more info on Windows Defender.

An interesting consequence is that on two endpoints running identical versions of everything, a file or process may be flagged as a threat and quarantined on one system while the same file (byte-for-byte identical, same SHA-1 hash) passes untouched on the functionally identical other machine. Since the hash is the same, the verdict must depend on inputs beyond the file's contents, so it cannot be reproduced from the hash alone. That makes many things (reproducing a detection, reporting a false positive, explaining an incident timeline) harder rather than easier.
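A practical check, added here as an example (not code from the original post): before filing a false-positive report or assuming one machine was tampered with, capture on each endpoint everything the verdict could have depended on and diff the two records. The function below uses only the built-in Defender cmdlets (Get-FileHash, Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection, Get-MpThreat) and must run elevated; the function name, the shape of the returned object, and the assumption that Resources entries embed the file path in the form `file:_C:\...` are mine.

```powershell
# Added example, not from the original post. Collects, on one endpoint, the inputs
# Defender's verdict on a file could have depended on, so two machines' records
# can be compared side by side. Cmdlets are the real Defender module; the output
# object layout is an assumption of this example.
function Get-DefenderVerdictContext {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # SHA-1 of the file as it sits on disk; $null if Defender already removed it.
    $hash = if (Test-Path -LiteralPath $Path) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    } else {
        $null
    }

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Detection records whose Resources list mentions this path. Assumption: entries
    # look like "file:_C:\path\to\file.exe", so a substring match on the path works.
    $detections = Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($Path) }

    # Threat catalogue entries (name, severity) for those detections, if any.
    $threats = if ($detections) {
        $ids = $detections.ThreatID | Sort-Object -Unique
        Get-MpThreat | Where-Object { $ids -contains $_.ThreatID }
    } else {
        @()
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Path                   = $Path
        Sha1                   = $hash
        AMProductVersion       = $status.AMProductVersion
        AMEngineVersion        = $status.AMEngineVersion
        SignatureVersion       = $status.AntivirusSignatureVersion
        SignatureLastUpdated   = $status.AntivirusSignatureLastUpdated
        # Cloud-delivered protection settings: if these differ, the two machines
        # were not asking the same question even with identical local versions.
        MAPSReporting          = $pref.MAPSReporting
        SubmitSamplesConsent   = $pref.SubmitSamplesConsent
        CloudBlockLevel        = $pref.CloudBlockLevel
        CloudExtendedTimeout   = $pref.CloudExtendedTimeout
        DetectionCount         = @($detections).Count
        ThreatNames            = @($threats.ThreatName)
        DetectionSourceTypeIDs = @($detections.DetectionSourceTypeID | Sort-Object -Unique)
        InitialDetectionTimes  = @($detections.InitialDetectionTime)
    }
}

# Usage on each endpoint (hypothetical path), then diff the two JSON files:
#   Get-DefenderVerdictContext -Path 'C:\tools\sample.exe' |
#       ConvertTo-Json -Depth 3 | Set-Content "verdict-$env:COMPUTERNAME.json"
#   Compare-Object (Get-Content .\verdict-HOST-A.json) (Get-Content .\verdict-HOST-B.json)
```

If Sha1, engine and signature versions all match but the cloud settings or DetectionSourceTypeIDs differ, the divergence is explained by the model's non-file inputs rather than by a local difference, which is the point above: identical bytes do not guarantee an identical verdict.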