Dynamic Application Containment (DAC) rules in the Default policy are set to report only to reduce false positives. ATP provides two other predefined Dynamic Application Policies: Default Balanced and Default Security. These policies set recommended rules to block, based on the security profile:

• Default Balanced provides a base level of protection while it minimizes false positives for many common unsigned installers and applications.  
• Default Security provides aggressive protection, but might cause false positives more frequently on unsigned installers and applications.  

Best practice: To evaluate the impact of the DAC rules, use the Default policy with rules set to report. To determine whether to set rules to block, monitor the logs and reports. After you collect DAC violation allowed (event ID 37280) events, set Enterprise Level Reputations or DAC exclusions before you enforce the Default Balanced policy.

DAC can exclude processes from containment based on name, MD5 hash, signature data, and path. If your organization signs tools that are deployed internally, add these signatures as exclusions to reduce false positives.

When in Observe mode, DAC reports "would contain" events but not "would block" events (an application must be contained before ENS determines whether to block it). "Would contain" events don't indicate a potential block. To properly tune DAC, after you disable Observe mode, modify containment rules to report but not block. Then, set the rules to block as needed to match the default configuration. DAC rules have flood control, which limits the number of events generated to once per hour, per rule, and per process. DAC flood control tracks processes by process ID (PID). When a process restarts, the operating system assigns it a new PID, which resets the flood control, even though the process name is the same. For example, if Process A violates DAC rule A 100 times per hour, you receive one event per hour. If Process A restarts during that hour, flood control resets for Process A and you receive another event if it continues to violate DAC rule A. If Process B violates the same DAC rule A, you receive a second event (with Process B details). Best practice: Run the GetClean tool on the deployment base images for your production systems. This tool makes sure that clean files are sent to Global Threat Intelligence (GTI) to be categorized. The tool also helps make sure that GTI doesn't provide an incorrect reputation value for your files. For more information, see the GetClean Product Guide, available from the Product Downloads site.

Trellix-defined containment rule	Description	Default Balanced recommended set to block	Default Security recommended set to block
Accessing insecure password LM Hashes	Protects the SAM file in %WINDIR%\system32\config. Windows stores passwords in this file. Programs generally don't access this file.   Best practice: Set this rule to report only (default) to monitor for potentially malicious programs or unauthorized access attempts.
Accessing user cookie locations	Protects the Internet Explorer cookies folder in %AppData%\Roaming and %AppData%\Local from changes.   Best practice: Set this rule to report only (default) to monitor access to Internet Explorer cookies by contained programs.
Allocating memory in another process	Prevents contained processes from changing the memory in other processes on the system.	✔	✔
Creating a thread in another process	Prevents contained processes from creating or modifying a thread in other processes on the system.	✔	✔
Creating files on any network location	Prevents contained processes from creating files on network locations. Malware can use these locations to spread the infected files.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Creating files on CD, floppy, and removable drives	Prevents contained processes from creating files on removable devices. Malware can use these devices to propagate.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Creating files with the .bat extension	Prevents contained processes from creating any file with the .bat extension. If batch files are used for administrative purposes, setting this rule to block might produce false positives and impact business operations.   Best practice: If batch files aren't used to administer the system, set this rule to block and report. This setting prevents malware from creating scripts that scripting engines execute later.		✔
Creating files with the .exe extension	Prevents contained processes from creating any file with the .exe extension. This rule stops malware from creating executables on the system.   The typical "false blocks" that can occur with this rule might include WinZip, if users update WinZip regularly, and some installers and uninstallers. Make sure that you run GetClean before enabling block. To further tune this rule, use DAC global exclusions.		✔
Creating files with the .html, .jpg, or .bmp extension	Prevents contained processes from creating files with the .html, .jpg, or .bmp extension. Malware sometimes hijacks these extensions to trick the user into executing the payload.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Creating files with the .job extension	Prevents contained processes from scheduling tasks on the system. Malware actively exploits scheduled tasks to avoid behavioral scanners.	✔	✔
Creating files with the .vbs extension	Prevents contained processes from creating files with the .vbs extension.   If .vbs files are used for administrative purposes, setting this rule to block might produce false positives and impact business operations.   Best practice: If .vbs files aren't used to administer the system, set this rule to block and report. This setting prevents malware from creating scripts that scripting engines execute later.
Creating new CLSIDs, APPIDs, and TYPELIBs	Prevents contained processes from creating Class IDs, App IDs, or TypeLIBs. These registry locations can be used to register new file types and allow malware an entry point on the system.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Deleting files commonly targeted by ransomware-class malware	Prevents contained processes from deleting files that ransomware-class malware commonly targets. Ransomware sometimes tries to read the files into memory, write the file contents to a new file, encrypt it, and then delete the original.   Ransomware-class malware doesn't typically try to directly change the files that it's targeting for encryption. Instead, it uses a process already on the system, such as explorer.exe or powershell.exe, to proxy the attack. If enough attempts are blocked, the malware might fall back to trying to encrypt the file directly.	✔	✔
Disabling critical operating system executables	Prevents contained processes from disabling regedit or the task manager, thus restricting the administrator from accessing these tools.	✔	✔
Executing any child process	Prevents contained processes from executing any child process on the system.   Best practice: Run GetClean before setting this rule to block.		✔
Modifying appinit DLL registry entries	Prevents contained processes from adding entries to the appinit registry location.   User-mode processes on the system can load any entry in the appinit registry location. For this reason, malware can use these processes as an attack vector to insert its payload.	✔	✔
Modifying application compatibility shims	Prevents contained processes from creating application compatibility shims. Malware can use this technique to gain the same rights of the target process and inject shellcode.	✔	✔
Modifying critical Windows files and registry locations	Prevents contained processes from changing critical files and registry locations such as the hosts file, WINLOGON registry location, session manager registry location, and others.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Modifying desktop background settings	Prevents contained processes from changing the settings for the desktop wallpaper or background. Malware can use this technique to trick the user, hide files, or make the user think that they're clicking something else.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Modifying file extension associations	Prevents contained processes from hijacking file extension associations. Malware can use this technique to trick the user into executing unknown file types or using unknown programs to execute files.		✔
Modifying files with the .bat extension	Prevents contained processes from changing files with the .bat extension. Use this rule to help stop malware from infecting script files on the operating system.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Modifying files with the .vbs extension	Prevents contained processes from changing files with the .vbs extension. Use this rule to help stop malware from infecting script files on the operating system.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Modifying Image File Execution Options registry entries	Prevents contained processes from changing Image File Execution Options in the registry. Malware can use this technique to hijack process execution and stop processes from executing altogether.	✔	✔
Modifying portable executable files	Prevents contained processes from changing any portable executable file on the system. Portable executables are files that Windows can execute natively, such as .exe, .dll, and .sys.		✔
Modifying screen saver settings	Prevents contained processes from changing screensaver settings. Malware can use this technique to drop malicious payloads onto the system.	✔	✔
Modifying startup registry locations	Prevents contained processes from creating or changing the Windows registry startup locations. Malware frequently hides payloads or proxies to payloads in the Windows registry startup locations.	✔	✔
Modifying automatic debugger	Prevents contained processes from changing or adding the automatic debugger, which malware can use to hijack process execution and steal sensitive information.
Modifying the hidden attribute bit	Prevents contained processes from changing the hidden bit in files on the system.	✔	✔
Modifying the read-only attribute bit	Prevents contained processes from changing the read-only bit in files on the system.	✔	✔
Modifying the Services registry location	Prevents contained processes from changing service behavior on the system.		✔
Modifying the Windows Firewall policy	Prevents contained processes from changing the Firewall policies stored in the registry. Malware can use the Windows Firewall to open security holes on the system.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Modifying the Windows Tasks folder	Prevents contained processes from creating or changing tasks stored in the Tasks folders. Malware can use tasks to place its payload on the system.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Modifying user policies	Prevents contained processes from changing group policy settings directly. Malware can use this technique to change the security posture and open vulnerabilities in the system.		✔
Modifying users’ data folders	Prevents contained processes from changing or executing files in the user's common data folders. Common data folders include the Desktop, Downloads, Documents, Pictures, and other locations in the AppData folder, which malware targets in ransomware attacks.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.   This rule can result in false positives depending on whether the contained program is truly malicious or not.
Reading files commonly targeted by ransomware-class malware	Prevents contained processes from reading files that ransomware-class malware commonly targets. Ransomware sometimes tries to read the files into memory, write the file contents to a new file, encrypt it, and then delete the original.   Ransomware-class malware doesn't typically try to directly change the files that it targets for encryption. Instead, it uses a process already on the system, such as explorer.exe or powershell.exe, to proxy the attack. If enough attempts are blocked, the malware might fall back to trying to encrypt the file directly.		✔
Reading from another process' memory	Prevents contained processes from reading the memory from another process on the system. This rule can help thwart attempts to steal information contained in targeted processes.		✔
Reading or modifying files on any network location	Prevents contained processes from reading or changing files on network locations. Malware can use these locations to spread infected files.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Reading or modifying files on CD, floppy, and removable drives	Prevents contained processes from reading or changing the contents of removable devices. Malware can use these devices to propagate.   Best practice: During an outbreak, set this rule to block and report to help stop or slow the infection.
Suspending a process	Prevents contained processes from suspending other processes on the system. Some malware try to suspend a process to hijack it or hollow it out for malicious purposes, also known as process hollowing.	✔	✔
Terminating another process	Prevents contained processes from stopping processes on the system.	✔	✔
Writing to another process' memory	Prevents contained processes from writing to the memory space of another process on the system.	✔	✔
Writing to files commonly targeted by ransomware-class malware	Prevents contained processes from changing files that ransomware-class malware commonly targets.   Ransomware-class malware doesn't typically try to directly change the files that it targets for encryption. Instead, it uses a process already on the system, such as explorer.exe or powershell.exe, to proxy the attack. If enough attempts are blocked, the malware might fall back to trying to encrypt the file directly.		✔