In management-type SaaS, user must be permitted to submit tenant’s business data on the SP's server, which may be embedded by the web-based malware. In this paper, we propose the automatic detecting method of web-based malware based on behavior analysis, which can make sure to meet the SLA by detecting the web-based malware actively. First, tenant’s update is downloaded to the bastion host by the web crawler. Second, it detect the behavior that tenant’s update is opened by IE. In order to break the malicious behavior during detecting, the IE has been injected in the DLL. Last, if the sensitive operations happen, the URL is appended to the malicious address database, and at same time the system administrator is informed by the SMS. The result of test is shown that our method can detect the web-based malware accurately. It helps to improve the service level of the management-type SaaS.