The most secure ransomware policy is a default deny posture that prevents all applications, except those that are specifically approved, from performing ransomware-like behavior.

This policy requires tuning to handle false positives from applications whose legitimate activity resembles ransomware operations. The advantage of default deny is that it also stops ransomware behavior originating from compromised applications that carry a higher reputation (such as APPROVED_LIST), without having to list every possible application.

Test default deny policies extensively on a single host before you apply the rules to production systems. After you have addressed the false positives, roll the policy out gradually, leaving a few days between each group of endpoints so that any new false positives can be addressed. If legitimate software is being terminated by the ransomware-like behavior rules, approve that application.

Microsoft PowerShell and Python are popular targets on Windows and macOS, but any command interpreter that can receive code as part of its command line is a potential source of malicious activity. For stronger protection, consider adding path-based rules for script interpreters.

Note:

Custom policy rules supersede objects or hashes added to the company approved or banned lists.
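The following is an added example, not the product's own policy format or API: a toy evaluator in Python that models the precedence described above (custom rules first, then the company hash lists, then the default deny rule for ransomware-like behavior), plus the tuning loop of reviewing what the default deny rule stopped on a pilot host and approving legitimate software. The `Event`, `Rule` and `Policy` names, the operation labels, the reputation strings and all sample events and hashes are constructed for illustration.

```python
"""Toy evaluator for a default-deny ransomware policy with tuning support.

Added example, not the product's own policy format or API. The Event, Rule
and Policy names, the operation labels and the sample events are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatch

RANSOMWARE_LIKE = "ransomware_like"   # operation class the default deny rule targets


@dataclass(frozen=True)
class Event:
    path: str          # process image path
    reputation: str    # assumed labels: APPROVED_LIST, BANNED_LIST, UNKNOWN
    sha256: str        # constructed placeholder, not a real hash
    operation: str     # what the process attempted


@dataclass(frozen=True)
class Rule:
    path_glob: str     # case-insensitive glob on the image path
    operation: str     # "*" or one operation class
    action: str        # "allow" or "terminate"


@dataclass
class Policy:
    custom_rules: list = field(default_factory=list)   # in order, first match wins
    approved_hashes: set = field(default_factory=set)
    banned_hashes: set = field(default_factory=set)


def evaluate(policy: Policy, ev: Event) -> tuple:
    """Return (action, reason). Custom rules supersede the hash lists,
    and the default deny rule applies regardless of reputation."""
    for rule in policy.custom_rules:
        if rule.operation in ("*", ev.operation) and fnmatch(ev.path.lower(), rule.path_glob.lower()):
            return rule.action, f"custom rule {rule.path_glob}"
    if ev.sha256 in policy.banned_hashes:
        return "terminate", "banned list"
    # Default deny: a compromised APPROVED_LIST application is still stopped.
    if ev.operation == RANSOMWARE_LIKE:
        return "terminate", "default deny"
    if ev.sha256 in policy.approved_hashes:
        return "allow", "approved list"
    return "allow", "no matching rule"


def default_deny_hits(policy: Policy, events) -> Counter:
    """Paths stopped only by the default deny rule: the candidates to review
    on the pilot host before the policy is rolled out further."""
    hits = Counter()
    for ev in events:
        action, reason = evaluate(policy, ev)
        if action == "terminate" and reason == "default deny":
            hits[ev.path] += 1
    return hits


def approve_application(policy: Policy, path_glob: str) -> None:
    """Tuning step: exempt a reviewed application from the ransomware rule.
    Appended after existing rules so interpreter deny rules stay in front."""
    policy.custom_rules.append(Rule(path_glob, RANSOMWARE_LIKE, "allow"))


# Constructed pilot-host telemetry (paths, hashes and reputations are made up).
PILOT_EVENTS = [
    Event(r"C:\Program Files\BackupTool\backup.exe", "APPROVED_LIST", "h-backup", RANSOMWARE_LIKE),
    Event(r"C:\Program Files\BackupTool\backup.exe", "APPROVED_LIST", "h-backup", RANSOMWARE_LIKE),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "APPROVED_LIST", "h-ps", RANSOMWARE_LIKE),
    Event(r"C:\Users\alice\AppData\Local\Temp\update.exe", "UNKNOWN", "h-tmp", RANSOMWARE_LIKE),
    Event(r"C:\Program Files\Office\word.exe", "APPROVED_LIST", "h-word", "file_write"),
]


def build_policy() -> Policy:
    policy = Policy(approved_hashes={"h-backup", "h-word"}, banned_hashes={"h-known-bad"})
    # Path-based rule for a script interpreter, placed first so that a later,
    # broader allow rule cannot exempt it.
    policy.custom_rules.append(Rule(r"*\powershell.exe", RANSOMWARE_LIKE, "terminate"))
    return policy


def run_tuning_round():
    """One pilot iteration: measure default deny hits, approve a reviewed
    application, measure again. Returns (policy, hits_before, hits_after)."""
    policy = build_policy()
    before = default_deny_hits(policy, PILOT_EVENTS)
    approve_application(policy, r"C:\Program Files\BackupTool\*")   # reviewed as legitimate
    after = default_deny_hits(policy, PILOT_EVENTS)
    return policy, before, after


if __name__ == "__main__":
    policy, before, after = run_tuning_round()
    print("default deny hits before tuning:", dict(before))
    print("default deny hits after tuning: ", dict(after))
    for ev in PILOT_EVENTS:
        print(evaluate(policy, ev), ev.path)
```

Rule order is the design point: the interpreter rule is inserted before any allow rule so that approving a directory cannot accidentally exempt a script interpreter living under it, and `default_deny_hits` only reports terminations caused by the default deny rule itself, which is exactly the set a tester reviews between rollout groups.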