This thesis handles bot malware (the thesis's "zombie viruses") through active detection and defense on the endpoint, that is, on the local computer. Most existing work in this area applies big-data analysis to endpoint behavior to decide whether a bot is currently spreading. Because of false positives, none of these studies reaches 100% accuracy, and they can only tell that a bot is present, not which file the bot is. In this thesis we propose a new method: we identify a suspicious program as a bot directly from the behavioral difference between normal programs and bots, so that other noise cannot interfere. The accuracy of this new method is 100%. Suspicious programs are captured directly with NetStat. In NetStat output, a bot whose connection attempt fails shows a SYN_SENT signal; a normal program, by contrast, already knows the IP address it wants to reach, so it shows only an ACK signal and never SYN_SENT. Our detection system therefore first uses the SYN_SENT signal to locate suspicious programs, and then uses the ratio of successful to failed IP connections made within one second of execution, which differs between normal programs and bots, to detect the bot precisely.
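The two-stage check described in the abstract, as an added example that is not part of the thesis: a parser over constructed `netstat -ano`-style output that takes SYN_SENT as the failed-attempt signal and ESTABLISHED as the successful connection (the abstract's "ACK signal"), treats every PID with a SYN_SENT socket as a candidate, and keeps only those whose failed share of a one-second sample reaches a threshold. The sample lines and the 0.5 threshold are assumptions; the thesis gives no exact ratio.

```python
"""Per-process SYN_SENT heuristic over netstat-style output."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -ano` TCP lines (not a real capture).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     1234
TCP    192.168.1.20:49713     203.0.113.11:443       ESTABLISHED     1234
TCP    192.168.1.20:49801     198.51.100.7:445       SYN_SENT        5678
TCP    192.168.1.20:49802     198.51.100.8:445       SYN_SENT        5678
TCP    192.168.1.20:49803     198.51.100.9:445       SYN_SENT        5678
TCP    192.168.1.20:49804     198.51.100.12:445      ESTABLISHED     5678
TCP    192.168.1.20:49900     203.0.113.50:80        SYN_SENT        9012
TCP    192.168.1.20:49901     203.0.113.51:80        ESTABLISHED     9012
TCP    192.168.1.20:49902     203.0.113.52:80        ESTABLISHED     9012
TCP    192.168.1.20:49903     203.0.113.53:80        ESTABLISHED     9012
"""


@dataclass
class Tally:
    ok: int = 0       # ESTABLISHED: handshake completed (the abstract's "ACK signal")
    failing: int = 0  # SYN_SENT: SYN sent, no answer yet within the sample window


def tally_by_pid(netstat_text: str) -> dict[int, Tally]:
    """Count ESTABLISHED and SYN_SENT sockets per owning PID."""
    tallies: dict[int, Tally] = defaultdict(Tally)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # skip the header, UDP rows and partial lines
        state, pid = fields[3], int(fields[4])
        if state == "ESTABLISHED":
            tallies[pid].ok += 1
        elif state == "SYN_SENT":
            tallies[pid].failing += 1
    return dict(tallies)


def suspicious_pids(netstat_text: str, fail_ratio: float = 0.5) -> list[int]:
    """Stage 1: any PID with a SYN_SENT socket is a candidate.
    Stage 2: keep it only if failed attempts make up at least `fail_ratio`
    of its connections in the one-second sample (assumed threshold)."""
    flagged = []
    for pid, t in sorted(tally_by_pid(netstat_text).items()):
        if t.failing and t.failing / (t.ok + t.failing) >= fail_ratio:
            flagged.append(pid)
    return flagged
```

PID 1234 has no SYN_SENT socket and is never a candidate; PID 9012 has one SYN_SENT among four connections and falls below the threshold, so only PID 5678 is flagged.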