
CrowdStrike Prevention Policies: Reduce False Positives & Block Ransomware

Configure CrowdStrike Falcon prevention policies to balance security and performance. Optimize detection levels, enable ransomware protection, control USB devices, and reduce alert fatigue with host group targeting.

10 min read · Updated January 2025

CrowdStrike Falcon allows administrators to configure **Prevention Policies** to control how endpoints detect and respond to threats. By customizing prevention settings, you can balance security and system performance while reducing false positives.

This guide covers how to **create, modify, and apply prevention policies** in the **CrowdStrike Falcon Console**.

---

Step 1: Log Into the Falcon Console

- Open a browser and go to [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/) or [https://falcon.us-2.crowdstrike.com/](https://falcon.us-2.crowdstrike.com/) (the URL varies by tenant).
- Sign in with your **admin credentials**.

---

Step 2: Navigate to Prevention Policies

- In the **left-hand menu**, go to **Configuration** > **Prevention Policies**.
- You will see a list of existing policies (e.g., **Standard, High Security, Custom Policies**).
- Click on a policy to **edit** it, or create a **new custom policy**.

---

Step 3: Configure Prevention Policy Settings

Once inside a **Prevention Policy**, you can customize the following settings:

1. Machine Learning Prevention

  • Determines how Falcon detects unknown threats.
  • Options: Disabled, Cautious, Moderate, Aggressive.
  • 📌 **Recommended:** Keep at Moderate for a balance between security and performance.

2. Exploit Mitigation

  • Protects against memory-based attacks (e.g., buffer overflows, code injections).
  • 📌 **Recommended:** Enable for all applications where possible.

3. Ransomware Protection

  • Enables real-time detection and blocking of ransomware behavior.
  • Enable this setting for maximum protection.

4. Device Control

  • Allows control over USB devices to prevent unauthorized access.
  • Options: Allow, Block, Read-Only Mode.
  • 📌 **Recommended:** Block unknown USB devices but allow approved devices.

5. Custom Indicators of Compromise (IOCs)

  • Allows administrators to manually add known threat indicators.
  • Example: Block a specific malicious file hash across all endpoints.
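
The five settings above are easy to misconfigure when several custom policies exist, so it helps to express the guide's recommendations as a baseline and check every policy against it before applying it. The following is an added example for this guide, not CrowdStrike code and not a call to the Falcon API: the policy dictionaries are constructed, and field names such as `ml_prevention`, `device_control` and `custom_iocs` are assumptions chosen to mirror the settings listed above, not Falcon attribute names. It flags settings weaker than the baseline, validates custom IOC hashes before they are entered, and checks that a high-risk group (administrators) is never laxer than a lower-risk group.

```python
"""Policy-as-code check for Falcon prevention policy settings.

Added example for this guide; it is not CrowdStrike code and does not call
the Falcon API. The policy dictionaries are constructed, and their field
names (ml_prevention, device_control, custom_iocs, ...) are assumptions
chosen to mirror the settings described above, not Falcon attribute names.
"""
import re

# Ordered from least to most sensitive, as the guide lists them.
ML_LEVELS = ["Disabled", "Cautious", "Moderate", "Aggressive"]
DEVICE_MODES = {"Allow", "Block", "Read-Only"}
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Baseline taken from the guide's recommendations: Moderate machine learning,
# exploit mitigation and ransomware protection enabled, unknown USB blocked.
BASELINE = {
    "ml_prevention": "Moderate",
    "exploit_mitigation": True,
    "ransomware_protection": True,
    "device_control": "Block",
}

# Constructed sample: one policy per host group. The "admins" policy is
# deliberately weaker than the baseline so the checker has something to flag.
SAMPLE_POLICIES = {
    "workstations": {
        "ml_prevention": "Moderate",
        "exploit_mitigation": True,
        "ransomware_protection": True,
        "device_control": "Block",
        "usb_allowlist": ["VID_0781&PID_5583"],   # constructed device id
        "custom_iocs": ["0" * 64],                # constructed placeholder hash
    },
    "admins": {
        "ml_prevention": "Cautious",
        "exploit_mitigation": True,
        "ransomware_protection": False,
        "device_control": "Allow",
        "usb_allowlist": [],
        "custom_iocs": ["not-a-hash"],
    },
}

# Groups the guide says should get stricter policies than everyone else.
HIGH_RISK_GROUPS = {"admins"}


def ml_rank(level):
    """Numeric rank of an ML level so levels can be compared for strictness."""
    if level not in ML_LEVELS:
        raise ValueError(f"unknown machine learning level: {level!r}")
    return ML_LEVELS.index(level)


def check_policy(name, policy, baseline=BASELINE):
    """Return a list of human-readable findings for one policy."""
    findings = []
    if ml_rank(policy["ml_prevention"]) < ml_rank(baseline["ml_prevention"]):
        findings.append(
            f"{name}: ML prevention {policy['ml_prevention']} is below "
            f"baseline {baseline['ml_prevention']}"
        )
    for key in ("exploit_mitigation", "ransomware_protection"):
        if baseline[key] and not policy.get(key, False):
            findings.append(f"{name}: {key} is disabled")
    mode = policy.get("device_control")
    if mode not in DEVICE_MODES:
        findings.append(f"{name}: unknown device control mode {mode!r}")
    elif mode == "Allow":
        findings.append(f"{name}: device control allows all USB devices")
    # Custom IOCs in this guide are file hashes; reject anything that is not
    # a well-formed SHA-256 before it reaches the console.
    for ioc in policy.get("custom_iocs", []):
        if not SHA256_RE.match(ioc):
            findings.append(f"{name}: malformed SHA-256 IOC {ioc!r}")
    return findings


def check_fleet(policies, high_risk=HIGH_RISK_GROUPS, baseline=BASELINE):
    """Check every policy, then confirm high-risk groups are never laxer
    than lower-risk groups on the machine learning level."""
    findings = []
    for name, policy in policies.items():
        findings.extend(check_policy(name, policy, baseline))
    for group in high_risk:
        if group not in policies:
            continue
        strict = ml_rank(policies[group]["ml_prevention"])
        for name, policy in policies.items():
            if name not in high_risk and ml_rank(policy["ml_prevention"]) > strict:
                findings.append(
                    f"{group}: high-risk group has weaker ML prevention than {name}"
                )
    return findings


if __name__ == "__main__":
    for line in check_fleet(SAMPLE_POLICIES):
        print(line)
```

Run against the constructed sample, the workstation policy passes and the admin policy produces five findings (ML level below baseline, ransomware protection off, USB allowed for all devices, a malformed IOC, and an ML level weaker than the workstation group). Export your real policies into the same shape and the check becomes a gate you can run before every policy change.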

Step 4: Apply the Policy to Endpoints

- After configuring settings, click **Save Policy**.
- Navigate to **Host Management** and select the **Endpoints** that should receive the new policy.
- Assign the policy to **specific groups** or **all managed devices**.
- Click **Apply Policy** to enforce the changes.

---

Step 5: Test and Monitor the Policy

- Go to **Activity** > **Detection Summary** in the Falcon Console.
- Look for alerts related to the updated policy settings.
- Adjust prevention levels if needed to fine-tune security without impacting performance.

---

Best Practices for Prevention Policies

✅ **Use Custom Policies for Different User Groups** – Apply stricter policies to high-risk users like administrators.
✅ **Enable Logging for Troubleshooting** – Keep track of false positives to refine policy settings.
✅ **Regularly Update Policies** – As new threats emerge, adjust settings accordingly.
✅ **Follow Recommended Policy Settings** – CrowdStrike publishes recommended policy settings [here](https://falcon.us-2.crowdstrike.com/documentation/page/e5c21607/prevention-policy-settings) (login required). Review these recommendations regularly to ensure you are following them.

Frequently Asked Questions

Find answers to common questions

Setting the detection level to 'Aggressive' in CrowdStrike Falcon's Prevention Policies enhances threat detection sensitivity but may increase alerts and false positives, potentially overwhelming security teams. This can disrupt legitimate applications and lead to unnecessary investigations. To effectively implement this setting, establish a robust incident response process with predefined workflows for high-risk alerts and clear communication strategies for users reporting false positives. Conducting a pilot test on a limited user group is advisable to assess performance impacts. Regularly review detection logs and refine policy settings based on real-world insights. Utilizing Custom Indicators of Compromise (IOCs) can further help by blocking specific threats while minimizing disruption to commonly used applications. Overall, the 'Aggressive' setting can strengthen security but requires careful management to maintain business continuity.
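
Step 5 and the answer above both come down to the same loop: review detections, measure how many of the closed alerts were false positives per host group, and only then decide whether to lower a prevention level or add an exclusion. The following is an added example for this guide, not CrowdStrike code and not a reader of the Falcon console: the newline-delimited JSON records are constructed, and the field names `host_group`, `ml_level`, `technique` and `disposition` are assumptions chosen for the example rather than Falcon export fields. It computes the false positive rate per group, requires a minimum sample before suggesting anything, names the technique generating the noise so an exclusion can be considered first, and never recommends dropping machine learning to Disabled.

```python
"""Alert-fatigue triage over Falcon detection records.

Added example for the monitoring step and the FAQ above; it is not
CrowdStrike code and does not read from the Falcon console. The newline-
delimited JSON records below are constructed, and their field names
(host_group, ml_level, technique, disposition) are assumptions chosen for
the example, not Falcon export fields.
"""
import json
from collections import Counter, defaultdict

ML_LEVELS = ["Disabled", "Cautious", "Moderate", "Aggressive"]
DISPOSITIONS = ("true_positive", "false_positive", "open")

# Constructed detections: the workstations group runs Aggressive and its
# analysts have closed most alerts as false positives; servers run Moderate.
SAMPLE_DETECTIONS = """\
{"host_group": "workstations", "ml_level": "Aggressive", "technique": "Credential Access", "disposition": "false_positive"}
{"host_group": "workstations", "ml_level": "Aggressive", "technique": "Credential Access", "disposition": "false_positive"}
{"host_group": "workstations", "ml_level": "Aggressive", "technique": "Execution", "disposition": "true_positive"}
{"host_group": "workstations", "ml_level": "Aggressive", "technique": "Credential Access", "disposition": "false_positive"}
{"host_group": "workstations", "ml_level": "Aggressive", "technique": "Defense Evasion", "disposition": "open"}
{"host_group": "servers", "ml_level": "Moderate", "technique": "Ransomware", "disposition": "true_positive"}
{"host_group": "servers", "ml_level": "Moderate", "technique": "Execution", "disposition": "open"}
"""


def parse_detections(text):
    """Parse NDJSON, skipping blank lines; a malformed line raises."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Per host group: counts by disposition, the ML level in force, and
    which techniques generate the false positives."""
    stats = defaultdict(lambda: {
        "ml_level": None, "true_positive": 0, "false_positive": 0,
        "open": 0, "fp_techniques": Counter(),
    })
    for ev in events:
        if ev["disposition"] not in DISPOSITIONS:
            raise ValueError(f"unknown disposition: {ev['disposition']!r}")
        s = stats[ev["host_group"]]
        s["ml_level"] = ev["ml_level"]
        s[ev["disposition"]] += 1
        if ev["disposition"] == "false_positive":
            s["fp_techniques"][ev["technique"]] += 1
    return dict(stats)


def false_positive_rate(group_stats):
    """Share of closed alerts that were false positives; None if nothing closed."""
    closed = group_stats["true_positive"] + group_stats["false_positive"]
    return None if closed == 0 else group_stats["false_positive"] / closed


def tuning_recommendations(stats, fp_threshold=0.5, min_closed=3):
    """Suggest a tuning action for groups whose closed alerts are mostly
    false positives. A minimum sample stops one noisy alert from driving a
    policy change, and the ML level is never stepped down to Disabled."""
    recs = {}
    for group, s in stats.items():
        rate = false_positive_rate(s)
        closed = s["true_positive"] + s["false_positive"]
        if rate is None or closed < min_closed or rate <= fp_threshold:
            continue
        idx = ML_LEVELS.index(s["ml_level"])
        lower = ML_LEVELS[max(idx - 1, 1)]
        noisiest = s["fp_techniques"].most_common(1)[0][0]
        recs[group] = (
            f"{rate:.0%} of closed alerts were false positives; consider "
            f"stepping ML prevention from {s['ml_level']} to {lower}, or "
            f"review the '{noisiest}' detections for an exclusion before "
            f"lowering the level"
        )
    return recs


if __name__ == "__main__":
    recs = tuning_recommendations(summarize(parse_detections(SAMPLE_DETECTIONS)))
    for group, rec in recs.items():
        print(f"{group}: {rec}")
```

With the constructed sample, only the workstations group is flagged (three of four closed alerts were false positives, all from one technique), and the servers group is left alone because one closed alert is too small a sample to justify any change. Open alerts are excluded from the rate on purpose: they have not been triaged yet, so counting them either way would bias the decision.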

Need Expert CrowdStrike Management?

Our team manages CrowdStrike deployments for businesses like yours. Get 24/7 threat detection and response with expert oversight.