Malware (e.g., malicious software, viruses, ransomware) is typically detected using anti-malware software. The anti-malware software can scan, parse, or analyze the content of content items to determine whether the content items include software code (e.g., machine instructions) that is known to correspond to malicious software. This analysis of the content of content items may require a lot of computing resources. When a system (e.g., a content management system) includes a large number of content items, it may be impractical for the anti-malware software to scan all content items managed by the system. Thus, a mechanism is needed to quickly identify suspicious content items that should be analyzed by the anti-malware software and/or to reduce the number of content items that need to be analyzed by the anti-malware software.