Invention Grant
- Patent Title: Logical identification of malicious threats across a plurality of end-point devices
- Application No.: US16014632
- Application Date: 2018-06-21
- Publication No.: US11194909B2
- Publication Date: 2021-12-07
- Inventor: Gil Barak
- Applicant: Palo Alto Networks, Inc.
- Applicant Address: US CA Santa Clara
- Assignee: Palo Alto Networks, Inc.
- Current Assignee: Palo Alto Networks, Inc.
- Current Assignee Address: US CA Santa Clara
- Agency: Gilliam IP PLLC
- Main IPC: G08B23/00
- IPC: G08B23/00 ; G06F12/16 ; G06F12/14 ; G06F11/00 ; G06F21/56 ; H04L29/06 ; G06F16/14 ; G06F21/55

Abstract:
A computerized method for logical identification of malicious threats across a plurality of end-point devices (EPD) communicatively connected by a network, comprising collecting over the network an identifier associated with each file of a plurality of files, wherein each file of the plurality of files is installed on at least one of the plurality of EPDs and wherein the identifier is the same for each like file of the plurality of files. Information associated with an identified subset of files is collected, wherein the information indicates at least a time at which the at least one file was installed on one or more of the plurality of EPDs and the way the at least one file spread within the network. The collected information is analyzed according to a set of predetermined computerized investigation rules. The analysis is used to determine whether at least a file of the identified subset of files is a suspicious file.