File protection method and device, equipment and medium

Bibliographic details
Main authors: ZHANG YIWU, ZHANG SUXUN, QIN ZIXING, LIU KAIWEN, LI YILEI, SUN XIAOJUN
Format: Patent
Language: chi ; eng
Description
Summary: The embodiments of the application provide a file protection method, apparatus, device and medium. The method comprises: confirming that a ransomware program on the current device is deleting the volume shadow backup; tracing the ransomware program through local procedure call (LPC) information and ending its execution, where the LPC information is used to represent the process of calling a local process; and obtaining the volume shadow backup created in advance, recovering the ransomed files from that volume shadow backup to obtain recovered files, and protecting the volume shadow backup through a kernel module. Through some embodiments of the application, the behavior of the ransomware can be stopped in time and the ransomed files can be quickly protected, so that the quality and timeliness of file protection are improved.