A method of detecting a malware based on a white list comprises: receiving on a server side a program feature and/or a program behavior of a program to be detected sent from a client side; comparing the program feature and/or the program behavior of the detected program with legitimate program features and/or legitimate program behaviors stored in a white list; obtaining a legitimacy information of the unknown program based on the comparison result and feeding this back to the client side. In the invention, a legitimate program is determined by using a white list, thereby determining an illegitimate program excluded from the white list as a malware, which performs a determination and detecting and removing of a malware from another perspective.