Methods and systems are disclosed herein for detecting malicious software executing on a plurality of computing devices. In an exemplary aspect, a method comprises collecting, from a plurality of agents executing on a respective computing device, analysis data corresponding to executables on the respective computing device, determining a suspicious activity pattern based on the received analysis data, determining that at least one executable on a computing device is malware based on the determined suspicious activity pattern, generating a plurality of remedial actions for protecting respective computing devices of the plurality of agents based on the suspicious activity pattern, and distributing, to the plurality of agents, the plurality of remedial actions to protect the respective computing device from the malware.