Abstract: A method of detecting malware on a computer system. The method comprises monitoring the behavior of trusted applications running on the computer system and, in the event that unexpected behavior of an application is detected, identifying a file or files responsible for the unexpected behavior and tagging the file(s) as malicious or suspicious. The unexpected behavior of the application may comprise, for example, dropping executable files, performing modifications to a registry branch which is not a registry branch of the application, reading a file type class which is not a file type class of the application, writing portable executable (PE) files, and crashing and re-starting of the application.