An example of candidate malware is data that potentially includes one or more malicious elements. Candidate malware is received. The received candidate malware is analyzed using a virtual machine. A determination is made that the candidate malware has attempted to perform an anti-virtual machine action. Output that indicates that the candidate malware is malicious is generated.