Invention Grant
- Patent Title: Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
- Application No.: US17087550
- Application Date: 2020-11-02
- Publication No.: US11979428B1
- Publication Date: 2024-05-07
- Inventor: Osman Abdoul Ismael, Ashar Aziz
- Applicant: FireEye, Inc.
- Applicant Address: US CA Milpitas
- Assignee: Musarubra US LLC
- Current Assignee: Musarubra US LLC
- Current Assignee Address: US TX Plano
- Agency: Rutan & Tucker, LLP
- Main IPC: H04L9/40
- IPC: H04L9/40; G06F21/53

Abstract:
A technique verifies a determination of an exploit or malware in an object at a malware detection system (MDS) appliance through correlation of behavior activity of the object running on endpoints of a network. The appliance may analyze the object to render a determination that the object is suspicious and may contain the exploit or malware. In response, the MDS appliance may poll the endpoints (or receive messages pushed from the endpoints) to determine whether any of the endpoints may have analyzed the suspect object and observed its behaviors. If the object was analyzed, the endpoints may provide the observed behavior information to the appliance, which may then correlate that information, e.g., against correlation rules, to verify its determination of the exploit or malware. In addition, the appliance may task the endpoints to analyze the object, e.g., during run time, to determine whether it contains the exploit and provide the results to the appliance for correlation.

Public/Granted literature:
- US2760111A Magnetron amplifier, Public/Granted day: 1956-08-21