A method, system, and computer program product for detecting malware from outside the host operating system using a disk, virtual machine, or combination of the two. The method, system, and computer program product detects malware at the disk level while computer files in the host operating system are in actual program execution by identifying characteristic malware properties and behaviors associated with the disk requests made. The malware properties and behaviors are identified by using rules that can reliably detect file-infecting viruses. The method, system, and computer program product also uses the disk processor to provide accelerated scanning of virus signatures, which substantially decreases overhead incurred on the host operating system by existing malware detection techniques. In the event that malware is detected, the method, system, and computer program product can respond by limiting the negative effects caused by the malware and help the system recover to its normal state.