Disclosed are systems, methods, and non-transitory computer-readable storage media for malware detection and content item recovery. For example, a content management system can receive information describing changes made to content items stored on a user device. The content management system can analyze the information to determine if the described changes are related to malicious software on the user device. When the changes are related to malicious software, the content management system can determine which content items are effected by the malicious software and/or determine when the malicious software first started making changes to the user device. The content management system can recover effected content items associated with the user device by replacing the effected versions of the content items with versions of the content items that existed immediately before the malicious software started making changes to the user device.