The invention provides a ransomware real-time detecting and defending method based on file request monitoring, and belongs to the technical field of system security. The method includes the steps of monitoring whether a tested program has operation behaviors on a user file or not in a user host, if yes, mirroring the file to a protected storage area, operating the file in the area, recording the complete operation information, judging whether the program is ransomware or not in combination with a dubiety measuring mechanism based on the file content and operation behavior analysis, if yes, deleting the file in the protected area and deleting the program, and if not, updating and synchronizing the file according to the file in the protected area so that the consistency of data under normalcircumstances can be ensured. Through the process, the malicious ransomware can be effectively detected, the damage of malicious codes to user data is minimized, and the aim of improving the securityand defending capacity of a server host system is achieved.