The embodiment of the invention provides a method, a device and a system for detecting a malicious process behavior. The detection device is used for monitoring a process behavior of a process so as to acquire behavior information of a target process behavior, and sending the behavior information of the target process behavior to a server; the server detects the target process behavior according to the behavior information of the target process behavior to determine whether the target process behavior is a malicious process behavior, so that the detection device can receive first operation indicating information returned by the server according to a detection result of the target process behavior, and operate the target process behavior according to the first operation indicating information. The target process behavior is subjected to comprehensive detection by the server according to the behavior information of the target process behavior instead of appointed feature analysis on a single sample by the detection device, so that the malicious process behavior can be detected in time, and the safety of the system is improved.