Abstract
Detecting malicious files is disclosed, including: receiving a file checking task, wherein the file checking task comprises a storage address of a candidate file and basic information associated with executing the candidate file; sending the file checking task to a detection device, wherein the file checking task causes the detection device to: use the storage address to acquire the candidate file from a file server; execute the candidate file based at least in part on the basic information associated with the candidate file; monitor the execution of the candidate file; and generate a monitored action record corresponding to the execution of the candidate file; receiving the monitored action record from the detection device; determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
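The last two steps of the abstract (matching the monitored action record against the preset malicious action set, then deciding on the candidate file) can be sketched as follows. This is an added example, not code from the patent: the `Action` fields, the action type names, the target patterns, the sample records and the `min_types` decision rule are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed preset malicious action set: action type -> (operation, target pattern).
PRESET_MALICIOUS_ACTIONS = {
    "persistence_cron": ("file_write", "/etc/cron.d/*"),
    "credential_read": ("file_read", "/etc/shadow"),
    "outbound_beacon": ("net_connect", "*:4444"),
}

@dataclass(frozen=True)
class Action:
    """One entry of a monitored action record (hypothetical schema)."""
    operation: str  # e.g. "file_write", "net_connect"
    target: str     # path or host:port the operation touched

def matched_action_types(record, preset=PRESET_MALICIOUS_ACTIONS):
    """Map each preset action type to the recorded actions that match it."""
    hits = {}
    for action in record:
        for action_type, (operation, pattern) in preset.items():
            if action.operation == operation and fnmatchcase(action.target, pattern):
                hits.setdefault(action_type, []).append(action)
    return hits

def is_malicious(record, min_types=2):
    """Assumed rule: malicious when at least min_types distinct types match.

    The abstract only says the decision is based at least in part on the
    matched actions; the threshold here is this example's own choice.
    """
    hits = matched_action_types(record)
    return len(hits) >= min_types, sorted(hits)

# Constructed monitored action records, as a detection device might return them.
SAMPLE_RECORD = [
    Action("file_read", "/usr/lib/libc.so.6"),
    Action("file_write", "/etc/cron.d/updater"),
    Action("net_connect", "203.0.113.7:4444"),
    Action("file_write", "/tmp/out.log"),
]
BENIGN_RECORD = [
    Action("file_read", "/etc/hosts"),
    Action("net_connect", "198.51.100.2:443"),
]

if __name__ == "__main__":
    for name, record in (("sample", SAMPLE_RECORD), ("benign", BENIGN_RECORD)):
        print(name, is_malicious(record))
```

Returning the matched action types alongside the verdict lets an analyst see which monitored actions drove the decision.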