A computer-implemented method includes monitoring file access activity and generating an audit log based on the file access activity. The method also includes collecting samples of file usage activity, running a pattern recognition algorithm on the samples of the file usage activity for detecting malware activity, and, in response to detecting malware activity, restoring at least one file based on the audit log. A computer program product includes one or more computer readable storage media and program instructions collectively stored on the one or more computer readable storage media. The program instructions include program instructions to perform the foregoing method. A system includes a processor and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor. The logic is configured to perform the foregoing method.