Cyberattack and the threat of malicious software are becoming more rampant nowadays. This paper proposes a method for detecting and defending against malicious software such as ransomware or virus. The proposed scheme performs file backup on the input/output request of the archive data by the Kernel-mode. The backup module reduces the resource cost by comparing the user behavior and the features of the backup files, and thus mitigate the effect from the detection to achieve a lightweight backup module. The research results show that the proposed defense mechanism can effectively detect the file transaction behavior and ensure the integrity of the file in the computer system.