The most secure ransomware policy is a default deny posture that prevents all applications, except those that are specifically approved, from performing ransomware-like behavior.
This policy requires tuning to handle false positives that are generated by applications whose legitimate activity mimics ransomware operations. The advantage of the default deny policy is protection from ransomware behaviors that originated from compromised applications that have a higher reputation (such as APPROVED_LIST), without listing all possible applications.
You should extensively test default deny policies on a single host before you apply the policy rules to production systems. After you have addressed false positives, perform a gradual rollout. Leave a few days between adding each group of endpoints, to address any new false positives. If good software is being terminated by ransomware-like behavior rules, approve the application.
Microsoft PowerShell and Python are popular targets for Windows and macOS, but any command interpreter that can receive code as part of its command line is a potential source of malicious activity. For stronger protection, consider including path-based rules for script interpreters.
Custom policy rules supersede objects or hashes added to the company approved or banned lists.
Set a Ransomware Policy Rule
Rules for suspected malware, PUP, not-listed, and unknown reputations must be added to your policies for protection against ransomware.
The only available action for Performs ransomware-like behavior in Blocking and Isolation is Terminate process. This is because denying ransomware access to the first file that an application tries to encrypt would not prevent it from attempting future encryption operations.
Procedure
- On the left navigation pane, click .
- Select the policy.
- Click the Prevention tab and in either Permissions or Blocking and Isolation, select Add application path.
- Enter the application path and then select Performs ransomware-like behavior.
- Click Confirm and then click Save.
