Provided are a computer program product, system, and method for aggregating input/output operation features extracted from storage devices to form a machine learning vector to check for malware. Feature extraction functions are generated for the storage devices, indicating I/O operation features for the storage devices to gather. The feature extraction functions are communicated to the storage devices. The feature extraction functions transmitted to the storage devices cause the storage devices to gather information on I/O operation features, identified in the feature extraction functions, from the storage devices and transmit the information on the I/O operation features to the storage controller. The information on the I/O operation features are received from the storage devices. Information based on the received information on the I/O operation features are inputted into a machine learning model to output indication whether data in the storage devices contains malware.