The most secure ransomware policy is a default deny posture that prevents all applications except those that are specifically approved from performing ransomware-like behavior.

This policy requires tuning to handle false positives that are generated by applications whose legitimate activity mimics ransomware operations. The advantage of the default deny policy is protection from ransomware behaviors that originated from compromised applications that have a higher reputation (such as TRUSTED_WHITE_LIST), without listing all possible applications.

You should extensively test default deny policies on a single host before you apply the policy rules to production systems. After you have addressed false positives, perform a gradual rollout. Leave a few days between adding each group of endpoints, to address any new false positives. If good software is being terminated by ransomware-like behavior rules, approve the application.

Microsoft PowerShell and Python are popular targets for Windows and OSX, but any command interpreter that can receive code as part of its command line is a potential source of malicious activity. For stronger protection, consider including path-based rules for script interpreters.


Custom policies supersede objects/hashes added to the company approved or banned lists.

Rules for suspected malware, PUP, not-listed, and unknown reputations must be added to your policies for protection against ransomware.

  1. On the left navigation pane, click Enforce > Policies, and click the policy to edit.
  2. In either Permissions or Blocking and Isolation, select Add Application Path.
  3. Enter the application path and then select Performs ransomware-like behavior.
  4. Click Confirm and then Save.

The only available action for Performs ransomware-like behavior is Terminate process. This is because denying ransomware access to the first file that an application tries to encrypt would not prevent it from attempting future encryption operations.