Detecting a malicious file infection via sandboxing
US-9680845-B2 · Jun 13, 2017 · US
US10389740B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10389740-B2 |
| Application number | US-201715620388-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 12, 2017 |
| Priority date | Mar 31, 2015 |
| Publication date | Aug 20, 2019 |
| Grant date | Aug 20, 2019 |
Official abstract text for this publication.
A device may receive a trigger to determine whether a malicious file is operating on a client device. The device may determine a network activity profile associated with the malicious file based on receiving the trigger to determine whether the malicious file is operating on the client device. The network activity profile may include information regarding network activity associated with the malicious file when the malicious file is executed in a testing environment. The device may monitor network activity associated with the client device. The device may determine that the network activity associated with the client device matches the network activity profile associated with the malicious file based on monitoring the network activity associated with the client device. The device may provide information indicating that the network activity associated with the client device matches the network activity profile associated with the malicious file.
Opening claim text (preview).
What is claimed is:

1. A device, comprising: a memory; and one or more processors to: receive a malicious file; provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment; determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file, the network activity profile including information regarding at least one of: one or more requested network addresses, quantities of packets sent or received, distributions of packets sent or received, one or more ports that are opened for communication, or one or more ports that are utilized for communication; determine whether network activity for one or more client devices corresponds to the network activity profile; determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and cause, based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
2. The device of claim 1, where the one or more processors are further to: monitor the network activity; and receive a trigger to determine whether the malicious file is operating on the one or more client devices based on monitoring the network activity.
3. The device of claim 1, where the one or more processors are further to: monitor the network activity; determine, based monitoring the network activity, that a file, downloaded by the one or more client devices, is the malicious file; and receive a trigger to determine whether the malicious file is operating on the one or more client devices based on determining that the file is the malicious file.
4. The device of claim 1, where the one or more client devices are one or more first client devices; where the one or more processors are further to: determine whether the malicious file is operating on one or more second client devices based on determining that the one or more first client devices are infected with the malicious file.
5. The device of claim 1, where the one or more processors, when receiving the malicious file, are to: obtain the malicious file based on receiving a trigger to determine whether the malicious file is operating on the one or more client devices.
6. The device of claim 1, where the one or more processors are further to: receive a trigger to determine whether the malicious file is operating on the one or more client devices; and obtain information regarding the malicious file based on receiving the trigger, the information regarding the malicious file including at least one of: metadata associated with the malicious file, or contents of the malicious file.
7. A method, comprising: receiving, by a device, a malicious file; provoking, by the device and based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment; determining, by the device and based on provoking the network activity reaction, a network activity profile associated with the malicious file, the network activity profile including information regarding at least one of: one or more requested network addresses, quantities of packets sent or received, distributions of packets sent or received, one or more ports that are opened for communication, or one or more ports that are utilized for communication; determining, by the device, whether network activity for one or more client devices corresponds to the network activity profile; determining, by the device, that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and causing, by the device and based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
8. The method of claim 7, where determining the network activity profile comprises: determining the network activity profile based on analyzing the malicious file.
9. The method of claim 7, where the information is first information; and where determining the network activity profile comprises: determining second information associated with the malicious file, the second information including at least one of: one or more device identifiers, or one or more network addresses.
10. The method of claim 7, further comprising: filtering a set of network resources based on a whitelist.
11. The method of claim 7, where determining the network activity profile comprises: determining the network activity profile based on information associated with other malicious files.
12. The method of claim 7, further comprising: receiving a trigger to determine whether one or more malicious files are operating on the one or more client devices; and analyzing a set of malicious files similar to the malicious file based on receiving the trigger.
13. The method of claim 7, where determining the network activity profile comprises: determining the network activity profile based on metadata associated with the malicious file.
14. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: receive a malicious file; provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment; determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file, the network activity profile including information regarding at least one of: one or more requested network addresses, quantities of packets sent or received, distributions of packets sent or received, one or more ports that are opened for communication, or one or more ports that are utilized for communication; determine whether network activity for one or more client devices corresponds to the network activity profile; determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and cause, based on determining that that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
15. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to: utilize metadata associated with the malicious file to search for information associated with the malicious file.
16. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to: provide access to one or more files or system resources; and generate the network activity profile based on providing access to the one or more files or the system resources.
17. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to: establish a data structure storing dummy user information; and determine whether the malicious file exfi
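The abstract and independent claims 1, 7 and 14 describe one pipeline: detonate the sample, record its network behaviour as a profile (requested addresses, packet counts and distributions, ports used), filter shared infrastructure out with a whitelist (claim 10), then score each client's traffic against the profile and flag clients above a similarity threshold. The block below is an added worked example of that pipeline, written for this page; it is not code from the patent, its assignee, or any product. The flow records, the destination addresses (taken from documentation ranges), the whitelist entries, the equal weighting of the three sub-scores and the 0.8 threshold are all constructed assumptions; the patent specifies none of them.

```python
"""Sandbox-derived network activity profile matched against client traffic.

Added example in the style of the claims above; not the patent's own code.
Every flow record, address, whitelist entry and threshold here is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection: source host, destination, port, packet count."""
    src: str
    dst: str
    dport: int
    packets: int


# Constructed sandbox capture: what the sample did when detonated in the
# testing environment (hypothetical destinations, not real indicators).
SANDBOX_FLOWS = [
    Flow("sandbox", "203.0.113.10", 443, 120),          # beacon to C2 over TLS
    Flow("sandbox", "203.0.113.10", 8443, 40),          # secondary channel
    Flow("sandbox", "198.51.100.7", 53, 6),             # resolver traffic
    Flow("sandbox", "update.example-os.test", 443, 30), # benign OS update
]

# Whitelist of network resources filtered out of every profile (claim 10);
# without it, shared infrastructure would match every host on the network.
WHITELIST = {"update.example-os.test", "time.example-os.test"}

# Constructed client traffic, keyed by client device.
CLIENT_FLOWS = {
    "host-a": [   # same destinations and a similar port mix as the sandbox run
        Flow("host-a", "203.0.113.10", 443, 95),
        Flow("host-a", "203.0.113.10", 8443, 35),
        Flow("host-a", "198.51.100.7", 53, 10),
        Flow("host-a", "update.example-os.test", 443, 25),
    ],
    "host-b": [   # shares only the resolver and port 443 with the profile
        Flow("host-b", "192.0.2.50", 443, 300),
        Flow("host-b", "198.51.100.7", 53, 12),
        Flow("host-b", "time.example-os.test", 123, 4),
    ],
}


def build_profile(flows, whitelist=WHITELIST):
    """Profile of the claim-1 elements we can take from flow records:
    requested addresses, ports utilised, and the packet distribution over ports."""
    addresses, port_packets = set(), Counter()
    for f in flows:
        if f.dst in whitelist:          # claim 10: drop whitelisted resources
            continue
        addresses.add(f.dst)
        port_packets[f.dport] += f.packets
    total = sum(port_packets.values()) or 1
    return {
        "addresses": addresses,
        "ports": set(port_packets),
        "port_dist": {p: n / total for p, n in port_packets.items()},
    }


def _jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def similarity(profile, observed):
    """Score in [0, 1]: Jaccard overlap of addresses and of ports, plus closeness
    of the per-port packet distributions (1 minus half the L1 distance),
    averaged with equal weights (the weighting is an assumption)."""
    addr = _jaccard(profile["addresses"], observed["addresses"])
    port = _jaccard(profile["ports"], observed["ports"])
    keys = set(profile["port_dist"]) | set(observed["port_dist"])
    l1 = sum(abs(profile["port_dist"].get(k, 0.0) - observed["port_dist"].get(k, 0.0))
             for k in keys)
    return (addr + port + (1.0 - l1 / 2.0)) / 3.0


def infected_clients(sandbox_flows, client_flows, threshold=0.8):
    """Clients whose traffic has at least `threshold` similarity to the profile
    (the 'threshold similarity' of claim 1), as {client: score}. Remediation is
    out of scope here; a caller would act on the returned clients."""
    profile = build_profile(sandbox_flows)
    hits = {}
    for client, flows in client_flows.items():
        score = similarity(profile, build_profile(flows))
        if score >= threshold:
            hits[client] = round(score, 3)
    return hits


if __name__ == "__main__":
    print(infected_clients(SANDBOX_FLOWS, CLIENT_FLOWS))
```

With these inputs host-a scores about 0.985 and is flagged, while host-b, which touches the same resolver and port 443 but never the C2 address, scores about 0.59 and is not. The caveat a practitioner will recognise is that the whitelist does the heavy lifting: DNS resolvers, update servers and CDN front-ends appear in almost every sandbox capture, and if they are left in the profile the address and port overlap alone pushes benign hosts toward the threshold.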
Event detection, e.g. attack signature detection · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
Terminal profiles · CPC title
Network utilisation, e.g. volume of load or congestion level · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title