Stealing Malware Classification Models for Antivirus Evasion

Abstract

Model stealing attacks have been demonstrated successfully in several domains. In the area of malware detection, however, there is no comparison of surrogate creation strategies, nor a comparison of surrogates for generating adversarial malware. More importantly, no prior work has attempted to "steal" real antivirus systems in order to evade them. Model extraction attacks are interesting from a security perspective because they can serve as a stepping stone for subsequent attacks, such as the adversarial creation of malware. In this talk we will present our findings and lessons from model stealing attacks against three stand-alone machine learning malware classifiers and four AVs. Using a limited number of queries, we explored several active learning strategies for creating surrogate models that reached up to 98% agreement with the target model. As a second step, we used 30 different models (surrogates and targets, including AVs) to generate adversarial malware and compared their evasion capabilities. During this presentation we will address the effectiveness of different model extraction strategies, the effects of using different model families as surrogates, and how the choice of strategy affects the subsequent task of adversarial malware generation. We will also discuss what happens when the AVs are connected to the internet and how this affects the evasion capabilities of adversarial malware.
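To make the query-budgeted surrogate construction described above concrete, the following is an added example, not code from the talk or its authors. It treats the target classifier as a label-only oracle (malicious/benign, the way an AV verdict looks to an attacker), spends a fixed query budget on a pool of unlabeled samples using either random selection or uncertainty sampling (query the samples the current surrogate is least sure about), retrains a logistic-regression surrogate after each batch, and measures label agreement with the target on a held-out set. Everything here is a constructed stand-in: the hidden linear target (`make_target`), the binary feature vectors (each coordinate plays the role of a static feature such as "imports this API"), the budget of 200 queries and the `extract`/`run_experiment` helper names are all assumptions of this example, and the agreement figures it produces are not the 98% reported in the abstract.

```python
import math
import random

DIM = 16          # number of binary features per sample (constructed stand-in)
SEED = 7          # fixed seed so the experiment is reproducible offline


def make_target(rng):
    """Hidden linear model standing in for the victim classifier/AV.
    The bias centres the decision boundary so both classes are roughly balanced."""
    w = [rng.uniform(-1.0, 1.0) for _ in range(DIM)]
    b = -0.5 * sum(w)
    return w, b


def target_label(w, b, x):
    """Ground-truth verdict of the hidden target: 1 = malicious, 0 = benign."""
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def make_oracle(w, b):
    """Wrap the target as a label-only oracle and count every query made to it."""
    calls = {"n": 0}

    def oracle(x):
        calls["n"] += 1
        return target_label(w, b, x)

    return oracle, calls


def sample_features(rng, n):
    """Constructed unlabeled samples: random binary feature vectors."""
    return [[rng.randint(0, 1) for _ in range(DIM)] for _ in range(n)]


class Surrogate:
    """Logistic-regression surrogate trained by full-batch gradient descent."""

    def __init__(self):
        self.w = [0.0] * DIM
        self.b = 0.0

    def margin(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b

    def predict(self, x):
        return 1 if self.margin(x) > 0 else 0

    def fit(self, xs, ys, epochs=200, lr=0.5):
        n = len(xs)
        for _ in range(epochs):
            gw, gb = [0.0] * DIM, 0.0
            for x, y in zip(xs, ys):
                p = 1.0 / (1.0 + math.exp(-self.margin(x)))
                err = p - y                      # gradient of the log loss
                for j in range(DIM):
                    gw[j] += err * x[j]
                gb += err
            for j in range(DIM):
                self.w[j] -= lr * gw[j] / n
            self.b -= lr * gb / n


def extract(oracle, pool, budget, strategy, rng, batch=20):
    """Build a surrogate of `oracle` using at most `budget` label queries.
    strategy: "random" picks pool samples uniformly; "uncertainty" picks the
    unqueried samples closest to the current surrogate's decision boundary."""
    unqueried = list(range(len(pool)))
    rng.shuffle(unqueried)
    xs, ys = [], []
    model = Surrogate()
    while len(xs) < budget:
        k = min(batch, budget - len(xs))
        if strategy == "uncertainty" and xs:
            # Smallest |margin| first; the first batch is random because the
            # untrained surrogate has no opinion yet.
            unqueried.sort(key=lambda i: abs(model.margin(pool[i])))
        elif strategy != "random" and strategy != "uncertainty":
            raise ValueError("unknown strategy: %s" % strategy)
        chosen, unqueried = unqueried[:k], unqueried[k:]
        for i in chosen:
            xs.append(pool[i])
            ys.append(oracle(pool[i]))       # the only place the target is queried
        model = Surrogate()
        model.fit(xs, ys)
    return model


def run_experiment(budget=200, seed=SEED):
    """Compare both query strategies under the same budget; returns the number of
    oracle queries spent and the held-out agreement with the target per strategy."""
    rng = random.Random(seed)
    w, b = make_target(rng)
    pool = sample_features(rng, 2000)
    test = sample_features(rng, 1000)
    # Held-out labels come straight from the target function, so measuring
    # agreement does not consume attacker queries.
    test_labels = [target_label(w, b, x) for x in test]
    results = {}
    for strategy in ("random", "uncertainty"):
        oracle, calls = make_oracle(w, b)
        model = extract(oracle, pool, budget, strategy, random.Random(seed))
        agree = sum(model.predict(x) == y for x, y in zip(test, test_labels)) / len(test)
        results[strategy] = {"queries": calls["n"], "agreement": agree}
    return results


if __name__ == "__main__":
    for name, r in run_experiment().items():
        print("%-12s queries=%d agreement=%.3f" % (name, r["queries"], r["agreement"]))
```

The query counter is the part worth keeping in mind against a real AV: every call to `oracle` is a sample submitted to the product, and a cloud-connected AV may log or rate-limit those submissions, which is exactly why the budget is fixed up front and why the evaluation set is labeled without touching the oracle.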

Date
Nov 5, 2021 3:00 PM