Described herein are various technologies pertaining detecting malware by monitoring execution of an instrumented process. An anti-malware engine can observe code obfuscation, suspicious patterns and/or behavior upon scanning a computer file. Based upon this observation, evidence can be submitted to a service (e.g., cloud-based service) and, in response, configuration setting(s) for restraining, containing and/or instrumenting a process for executing the file and/or instrumenting a process into which the file is loaded can be received. The configured process can be monitored. Based upon this monitoring, an action can be taken including determining the file to comprise malware and terminating the process. Upon detecting malware, a detection report, and a copy of the computer file, can be sent to a service (e.g., cloud-based). The service can independently verify that the reported file is malicious, and can protect other machines from executing or loading the same malicious file.