Scanning device, cloud management device, method and system for checking and killing malicious programs
US-2015317479-A1 · Nov 5, 2015 · US
US10489583B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10489583-B2 |
| Application number | US-201815892670-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 9, 2018 |
| Priority date | May 20, 2015 |
| Publication date | Nov 26, 2019 |
| Grant date | Nov 26, 2019 |
Abstract:
Detecting malicious files is disclosed, including: executing a candidate file; monitoring the execution of the candidate file; generating a monitored action record corresponding to the execution of the candidate file; determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and determining that the candidate file is a malicious file.
Claims (preview):
What is claimed is:

1. A method, comprising: receiving information associated with executing a candidate file; executing the candidate file; monitoring the execution of the candidate file; generating a monitored action record corresponding to the execution of the candidate file including by: executing the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file; determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and determining that the candidate file is a malicious file.

2. The method of claim 1, further comprising receiving a file checking task comprising a storage address of the candidate file.

3. The method of claim 1, further comprising generating the preset malicious action set, including by: creating a first training sample set and a second training sample set, wherein the first training sample set comprises at least one malicious sample file and the second training sample set comprises at least one non-malicious sample file; executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record; determining a corresponding occurrence frequency for each action type in the first sample action record and the second sample action record; generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises zero or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises zero or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and determining the preset malicious action set based at least in part on the first sample action set and the second sample action set.

4. The method of claim 3, wherein the determining of the preset malicious action set based at least in part on the first sample action set and the second sample action set comprises: performing a set intersection operation on the first sample action set and the second sample action set to obtain a third sample action set, wherein the third sample action set comprises one or more action types that are included in both the first sample action set and the second sample action set; and deleting one or more action types from the first sample action set that match an action type included in the third sample action set to obtain the preset malicious action set.

5. The method of claim 1, further comprising: receiving the candidate file from a client; obtaining information associated with the candidate file through analyzing the candidate file; encrypting the candidate file; and storing the information associated with the candidate file to a database and storing the encrypted candidate file to a file server.

6. The method of claim 1, wherein the candidate file is encrypted with an asymmetrical encryption technique.

7. The method of claim 1, wherein the monitored action record comprises an action associated with one or more of: a creating function, a deleting function, an information changing function, a registration table creating function, and/or a registration table value setting function.

8. The method of claim 1, wherein determining that the candidate file is the malicious file comprises determining whether matching malicious actions included in the monitored action record exceeds a preset malicious action threshold value.

9. The method of claim 1, wherein executing the candidate file by the at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file comprises: determining a decryption technique for a candidate file that is encrypted; using the decryption technique to decrypt the candidate file; establishing virtual runtime environments in the at least two virtual machines according to the information associated with executing the candidate file; and executing the candidate file by each of the at least two virtual machines, wherein reading and writing operations generated during execution of the candidate file are reset to addresses configured with each virtual machine.

10. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for: receiving information associated with executing a candidate file; executing the candidate file; monitoring the execution of the candidate file; generating a monitored action record corresponding to the execution of the candidate file including by: executing the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file; determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and determining that the candidate file is a malicious file.

11. The computer program product of claim 10, further comprising receiving a file checking task comprising a storage address of the candidate file.

12. The computer program product of claim 10, further comprising computer instructions for generating the preset malicious action set, including by: creating a first training sample set and a second training sample set, wherein the first training sample set comprises at least one malicious sample file and the second training sample set comprises at least one non-malicious sample file; executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record; determining a corresponding occurrence frequency for each action type in the first sample action record and the second sample action record; generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises zero or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises zero or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and determining the preset malicious action set based at least in part on the first sample action set and the seco
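As an added illustration of the set-building procedure in claims 3 and 4 and the match-count check of claim 8 (example code written here, not code from the patent or its assignee): the sample action records, the action names (mirroring the function classes of claim 7) and the reading of "occurrence frequency" as the fraction of sample files in which an action type appears are all constructed assumptions.

```python
from collections import Counter

# Constructed training data: one set of observed action types per executed
# sample file. The first list stands for the malicious training sample set,
# the second for the non-malicious one (claim 3).
MALICIOUS_RECORDS = [
    {"create_file", "delete_file", "create_registry_key", "set_registry_value"},
    {"create_file", "change_file_info", "set_registry_value"},
    {"delete_file", "create_registry_key", "set_registry_value"},
    {"create_file", "delete_file", "set_registry_value"},
]
BENIGN_RECORDS = [
    {"create_file", "change_file_info"},
    {"create_file"},
    {"create_file", "change_file_info", "create_registry_key"},
    {"change_file_info"},
]


def occurrence_frequency(records):
    """Assumed measure: fraction of sample files in which each action type occurred."""
    counts = Counter(action for record in records for action in record)
    return {action: n / len(records) for action, n in counts.items()}


def frequent_actions(records, threshold):
    """Action types whose frequency is strictly greater than the preset threshold."""
    return {a for a, f in occurrence_frequency(records).items() if f > threshold}


def build_malicious_action_set(mal_records, benign_records, t_mal, t_benign):
    """Claims 3 and 4: keep frequent malicious-sample actions that are not also
    frequent in benign samples, so common housekeeping actions do not become rules."""
    first = frequent_actions(mal_records, t_mal)         # first sample action set
    second = frequent_actions(benign_records, t_benign)  # second sample action set
    third = first & second                               # set intersection (claim 4)
    return first - third                                 # delete shared action types


def is_malicious(monitored_record, malicious_set, match_threshold=0):
    """Claim 8: the count of monitored actions found in the preset malicious
    action set must exceed the threshold; 0 reproduces claim 1's 'at least one'."""
    matches = len(set(monitored_record) & malicious_set)
    return matches > match_threshold


if __name__ == "__main__":
    preset = build_malicious_action_set(MALICIOUS_RECORDS, BENIGN_RECORDS, 0.5, 0.5)
    print(sorted(preset))  # prints ['delete_file', 'set_registry_value']
    print(is_malicious(["create_file", "set_registry_value"], preset))  # prints True
```

With thresholds of 0.5 the shared action `create_file` is dropped by the intersection step, so a candidate that only creates files and changes file information is not flagged.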
CPC classification titles:

- Classification; Matching
- involving event detection and direct action
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- involving long-term monitoring or reporting