
CrowdStrike Prevention Policies: Reduce False Positives & Block Ransomware

Configure CrowdStrike Falcon prevention policies to balance security and performance. Optimize detection levels, enable ransomware protection, control USB devices, and reduce alert fatigue with host group targeting.

10 min read · Updated January 2026


CrowdStrike Falcon allows administrators to configure Prevention Policies to control how endpoints detect and respond to threats. By customizing prevention settings, you can balance security and system performance while reducing false positives.

This guide covers how to create, modify, and apply prevention policies in the CrowdStrike Falcon Console.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (the exact URL varies by tenant).
  2. Sign in with your admin credentials.

Step 2: Navigate to Prevention Policies

  1. In the left-hand menu, go to Configuration > Prevention Policies.
  2. You will see a list of existing policies (e.g., Standard, High Security, Custom Policies).
  3. Click on a policy to edit or create a new custom policy.

Step 3: Configure Prevention Policy Settings

Once inside a Prevention Policy, you can customize the following settings:

1. Machine Learning Prevention

  • Determines how Falcon detects unknown threats.
  • Options: Disabled, Cautious, Moderate, Aggressive.
  • 📌 Recommended: Keep at Moderate for a balance between security and performance.

2. Exploit Mitigation

  • Protects against memory-based attacks (e.g., buffer overflows, code injection).
  • Recommended: Enable for all applications where possible.

3. Ransomware Protection

  • Enables real-time detection and blocking of ransomware behavior.
  • Enable this setting for maximum protection.

4. Device Control

  • Allows control over USB devices to prevent unauthorized access.
  • Options: Allow, Block, Read-Only Mode.
  • 📌 Recommended: Block unknown USB devices but allow approved devices.

5. Custom Indicators of Compromise (IOCs)

  • Allows administrators to manually add known threat indicators.
  • Example: Block a specific malicious file hash across all endpoints.
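A common source of trouble with hash-based custom IOCs is a malformed or duplicated list: a mistyped hash never matches, and a hash entered once in uppercase and once in lowercase may be counted twice. The following Python is an added example (not CrowdStrike's code and not a call to the Falcon API) that validates and normalises a raw hash list before the values are entered as custom IOCs: it classifies each value as md5 or sha256 by length, rejects non-hex or odd-length values, lowercases and deduplicates, and attaches a description and action to each record. The `Indicator` record shape is an assumption for illustration, and the sample hashes are the well-known hashes of empty input, used only as well-formed placeholders.

```python
import hashlib
import re
from dataclasses import dataclass

# Hex length -> hash type. sha1 is deliberately left out; confirm which hash
# types your IOC management workflow accepts before adding others here.
HASH_TYPES = {32: "md5", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample input: hashes of empty input (well-formed placeholders,
# not real indicators), a comment line, a case-variant duplicate, and two
# values that should be rejected.
SAMPLE_HASHES = [
    "# constructed sample list, not real indicators",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "d41d8cd98f00b204e9800998ecf8427e",
    "not-a-hash",
    "abc123",
]


@dataclass(frozen=True)
class Indicator:
    """Hypothetical record for one hash indicator (an assumption, not Falcon's schema)."""
    type: str
    value: str
    description: str
    action: str = "prevent"


def classify_hash(raw: str):
    """Return 'md5' or 'sha256' for a well-formed hex string, otherwise None."""
    value = raw.strip()
    if not HEX_RE.match(value):
        return None
    return HASH_TYPES.get(len(value))


def build_hash_indicators(lines, description, action="prevent"):
    """Convert raw lines into deduplicated Indicator records.

    Returns (indicators, rejected). Rejected values are returned rather than
    silently dropped so the operator can correct the source list.
    """
    seen = set()
    indicators, rejected = [], []
    for raw in lines:
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        htype = classify_hash(text)
        if htype is None:
            rejected.append(text)
            continue
        value = text.lower()  # normalise case so ABC... and abc... dedupe
        if (htype, value) in seen:
            continue
        seen.add((htype, value))
        indicators.append(Indicator(htype, value, description, action))
    return indicators, rejected


def sha256_of_bytes(data: bytes) -> str:
    """Hash file bytes the way a block-by-hash indicator expects (lowercase hex)."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    good, bad = build_hash_indicators(SAMPLE_HASHES, "constructed example")
    for ind in good:
        print(ind)
    print("rejected:", bad)
```

Run the validation on the exported list before pasting values into the console; anything in the rejected list is a typo or a non-hash value that would never match an endpoint event.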

Step 4: Apply the Policy to Endpoints

  1. After configuring settings, click Save Policy.
  2. Navigate to Host Management and select the endpoints that should receive the new policy.
  3. Assign the policy to specific groups or all managed devices.
  4. Click Apply Policy to enforce changes.

Step 5: Test and Monitor the Policy

  1. Go to Activity > Detection Summary in the Falcon Console.
  2. Look for alerts related to the updated policy settings.
  3. Adjust prevention levels if needed to fine-tune security without impacting performance.

Best Practices for Prevention Policies

  • Use Custom Policies for Different User Groups – Apply stricter policies to high-risk users like administrators.
  • Enable Logging for Troubleshooting – Keep track of false positives to refine policy settings.
  • Regularly Update Policies – As new threats emerge, adjust settings accordingly.
  • Follow Recommended Policy Settings – CrowdStrike publishes recommended policy settings in its support documentation (login required). Review these recommendations regularly to ensure you are following them.

Frequently Asked Questions


Setting the detection level to 'Aggressive' in CrowdStrike Falcon's Prevention Policies enhances threat detection sensitivity but may increase alerts and false positives, potentially overwhelming security teams. This can disrupt legitimate applications and lead to unnecessary investigations. To effectively implement this setting, establish a robust incident response process with predefined workflows for high-risk alerts and clear communication strategies for users reporting false positives. Conducting a pilot test on a limited user group is advisable to assess performance impacts. Regularly review detection logs and refine policy settings based on real-world insights. Utilizing Custom Indicators of Compromise (IOCs) can further help by blocking specific threats while minimizing disruption to commonly used applications. Overall, the 'Aggressive' setting can strengthen security but requires careful management to maintain business continuity.

To manage USB device access with CrowdStrike Falcon's Prevention Policies, block unknown devices while allowing approved ones. Start by identifying frequently used USB devices and create a whitelist, which may include specific USB drives, mice, and keyboards. Configure the policy to block any devices not on this list. Communicate the USB policy to employees, enabling them to request access for new devices through an approval workflow. Additionally, enable logging for USB access attempts to monitor both approved and blocked devices, helping identify potential security threats. Regularly review access logs and adjust the policy to address emerging risks. In high-risk environments, consider requiring encryption on USB devices or using endpoint detection and response (EDR) capabilities for suspicious activity monitoring.
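The Device Control setting above and this answer both describe the same decision: approved devices are allowed, a few models may be read-only, and unknown devices are blocked, with every attempt logged. The following Python is an added example (not CrowdStrike's code, and its policy structure is an assumption rather than Falcon's policy schema) that models that decision order so the precedence is explicit: an exact approved serial wins over a read-only model rule, which wins over a per-class rule (keyboards and mice), which wins over the block-by-default fallback. It also writes one JSON log line per attempt, allowed or not, and summarises blocked attempts for the periodic review the answer recommends. All vendor/product IDs and serials are constructed placeholders.

```python
import json
from dataclasses import dataclass, field
from enum import Enum


class Action(str, Enum):
    ALLOW = "allow"
    READ_ONLY = "read_only"
    BLOCK = "block"


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str      # USB VID, 4 hex digits
    product_id: str     # USB PID, 4 hex digits
    device_class: str   # coarse class, e.g. "mass_storage" or "hid"
    serial: str = ""


@dataclass
class DeviceControlPolicy:
    """Hypothetical allowlist policy (an assumption; not Falcon's policy schema)."""
    default_action: Action = Action.BLOCK
    class_actions: dict = field(default_factory=dict)    # device_class -> Action
    approved_devices: set = field(default_factory=set)   # (vid, pid, serial) -> allow
    read_only_models: set = field(default_factory=set)   # (vid, pid) -> read-only


def decide(policy: DeviceControlPolicy, dev: UsbDevice) -> Action:
    """Most specific rule wins: exact serial, then model, then device class, then default."""
    model = (dev.vendor_id.lower(), dev.product_id.lower())
    if (*model, dev.serial) in policy.approved_devices:
        return Action.ALLOW
    if model in policy.read_only_models:
        return Action.READ_ONLY
    if dev.device_class in policy.class_actions:
        return policy.class_actions[dev.device_class]
    return policy.default_action


def evaluate_and_log(policy, host, devices, log):
    """Decide for each device and append one JSON log line per attempt (allowed or not)."""
    decisions = []
    for dev in devices:
        action = decide(policy, dev)
        log.append(json.dumps({
            "host": host, "vid": dev.vendor_id, "pid": dev.product_id,
            "class": dev.device_class, "serial": dev.serial, "action": action.value,
        }))
        decisions.append(action)
    return decisions


def blocked_attempts(log):
    """Summarise blocked attempts by (vid, pid) for periodic log review."""
    counts = {}
    for line in log:
        rec = json.loads(line)
        if rec["action"] == Action.BLOCK.value:
            key = (rec["vid"], rec["pid"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed example policy: HID devices allowed by class, one corporate drive
# approved by serial, one model read-only, everything else blocked.
EXAMPLE_POLICY = DeviceControlPolicy(
    class_actions={"hid": Action.ALLOW},
    approved_devices={("1234", "5678", "CORP-0001")},
    read_only_models={("abcd", "0001")},
)

# Constructed devices plugged into one host (placeholder IDs, not real products).
EXAMPLE_DEVICES = [
    UsbDevice("1234", "5678", "mass_storage", "CORP-0001"),   # approved corporate drive
    UsbDevice("1234", "5678", "mass_storage", "UNKNOWN-77"),  # same model, unapproved serial
    UsbDevice("abcd", "0001", "mass_storage", "XYZ"),         # read-only model
    UsbDevice("9999", "0100", "hid"),                         # keyboard
]

if __name__ == "__main__":
    audit_log = []
    for dev, action in zip(EXAMPLE_DEVICES, evaluate_and_log(EXAMPLE_POLICY, "ws-01", EXAMPLE_DEVICES, audit_log)):
        print(dev.serial or dev.device_class, "->", action.value)
    print("blocked by model:", blocked_attempts(audit_log))
```

Note the second device: same vendor and product as the approved drive, but a different serial, so it is blocked. Approving by model alone would let any drive of that model through, which is why the serial is part of the approval key.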

To effectively test and monitor prevention policies in CrowdStrike Falcon, begin by utilizing the Activity > Detection Summary feature in the Falcon Console to track alerts and identify issues, such as false positives. Implement a phased rollout by applying the policy to a small group of endpoints for initial assessment and feedback. Use built-in logging to analyze detected threats and adjust settings as necessary, particularly for critical applications generating high alert volumes. Conduct quarterly reviews of prevention policies, aligning them with CrowdStrike's recommendations and current threat landscapes. Lastly, ensure continuous education for your security team to enhance their ability to interpret and respond to alerts, thereby optimizing your organization's security posture.
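Step 5 and this answer both come down to reading the detection summary for the same thing: which prevention setting is generating the volume, and which repeated detections are likely false positives on legitimate software. The following Python is an added example (not CrowdStrike's code; the record fields are an assumption loosely shaped like a detection export) that runs that triage over constructed sample records. It counts detections per prevention setting, then groups by file, signing publisher and setting, and surfaces only groups that are noisy, spread across several hosts, from an already-vetted publisher, and never fired at high or critical severity. The result is a queue for a human to review before any exclusion or prevention-level change, since a vetted signer is evidence, not proof, that a binary is benign.

```python
from collections import defaultdict

# Constructed sample detection records (invented hosts, files and publisher),
# loosely shaped like a detection-summary export.
SAMPLE_DETECTIONS = [
    {"host": "ws-01", "file": "buildtool.exe", "signer": "Example Build Co", "setting": "MachineLearning", "severity": "low"},
    {"host": "ws-02", "file": "buildtool.exe", "signer": "Example Build Co", "setting": "MachineLearning", "severity": "low"},
    {"host": "ws-03", "file": "buildtool.exe", "signer": "Example Build Co", "setting": "MachineLearning", "severity": "medium"},
    {"host": "ws-01", "file": "buildtool.exe", "signer": "Example Build Co", "setting": "MachineLearning", "severity": "low"},
    {"host": "ws-04", "file": "buildtool.exe", "signer": "Example Build Co", "setting": "MachineLearning", "severity": "low"},
    {"host": "ws-02", "file": "updater.exe", "signer": "Example Build Co", "setting": "MachineLearning", "severity": "low"},
    {"host": "ws-05", "file": "updater.exe", "signer": "Example Build Co", "setting": "MachineLearning", "severity": "low"},
    {"host": "ws-09", "file": "enc.exe", "signer": "", "setting": "Ransomware", "severity": "high"},
]

# Constructed list of publishers the organisation has already vetted.
TRUSTED_SIGNERS = {"Example Build Co"}


def summarize_by_setting(detections):
    """Count detections per prevention setting to see which setting drives alert volume."""
    counts = defaultdict(int)
    for d in detections:
        counts[d["setting"]] += 1
    return dict(counts)


def false_positive_candidates(detections, trusted_signers, min_count=5, min_hosts=3):
    """Group by (file, signer, setting) and return the groups worth a human look.

    A group is a candidate only when it is noisy (min_count), spread across
    several hosts (min_hosts), signed by an already-vetted publisher, and never
    fired at high/critical severity. This is a triage queue, not an exclusion.
    """
    groups = defaultdict(lambda: {"count": 0, "hosts": set(), "severities": set()})
    for d in detections:
        g = groups[(d["file"], d["signer"], d["setting"])]
        g["count"] += 1
        g["hosts"].add(d["host"])
        g["severities"].add(d["severity"])

    candidates = []
    for (file, signer, setting), g in groups.items():
        if g["count"] < min_count or len(g["hosts"]) < min_hosts:
            continue  # too rare or too localised to be a policy-wide false positive
        if signer not in trusted_signers:
            continue  # unknown or unsigned: investigate as a real detection
        if g["severities"] & {"high", "critical"}:
            continue  # never auto-triage anything that reached high severity
        candidates.append({"file": file, "signer": signer, "setting": setting,
                           "count": g["count"], "hosts": len(g["hosts"])})
    candidates.sort(key=lambda c: (-c["count"], c["file"]))
    return candidates


if __name__ == "__main__":
    print("by setting:", summarize_by_setting(SAMPLE_DETECTIONS))
    for c in false_positive_candidates(SAMPLE_DETECTIONS, TRUSTED_SIGNERS):
        print("review:", c)
```

On the sample data, the Machine Learning setting accounts for seven of eight detections and `buildtool.exe` is the one group that meets every threshold; `updater.exe` is too rare to act on yet, and the unsigned, high-severity ransomware detection is deliberately never offered as a false-positive candidate. Tune `min_count` and `min_hosts` to your fleet size and pilot-group size, and raise them during a phased rollout where a small group would otherwise never cross the host threshold.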
