To protect against ransomware, Windows PE executables should be filtered by content and not just by extension. The PE file types listed here should be included in the analysis.

  • *.exe
  • *.cpl
  • *.dll
  • *.ocx
  • *.sys
  • *.scr
  • *.drv
  • *.efi
  • *.fon
  • *.pif

and additionally the following file types:

  • *.HLP
  • *.LNK
  • *.CHM
  • *.BAT
  • *.VBE

An example configuration could look like this.

The Blocking Profile you have just created must then be attached to the Security Policy rules, in the rule settings under Profile Settings. Ideally, the file analysis is combined with URL filtering.
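Why the PE types above should be matched by content rather than by extension, shown as an added example that is not part of the original page or of any product's code: the checker below recognises a PE image from its headers regardless of the file name. The function names, result labels and sample bytes are constructed for illustration; the header offsets follow the PE/COFF specification.

```python
import struct

# Extensions the page lists as PE file types
PE_EXTENSIONS = {"exe", "cpl", "dll", "ocx", "sys", "scr", "drv", "efi", "fon", "pif"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag
SUBSYSTEMS = {1: "native", 2: "windows-gui", 3: "windows-console", 10: "efi-application"}

def classify_pe(data: bytes):
    """Return a description of the PE image in `data`, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of "PE\0\0"
    opt = e_lfanew + 24  # signature (4 bytes) + COFF header (20 bytes)
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (chars,) = struct.unpack_from("<H", data, e_lfanew + 22)  # Characteristics
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in both
    return {
        "kind": "dll" if chars & IMAGE_FILE_DLL else "exe",
        "subsystem": SUBSYSTEMS.get(subsystem, "other"),
        "pe32plus": magic == 0x20B,
    }

def verdict(filename: str, data: bytes) -> str:
    """Compare what the name claims with what the content is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if classify_pe(data) is None:
        return "not-pe"
    return "pe" if ext in PE_EXTENSIONS else "pe-disguised"

def make_sample(chars: int, subsystem: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only PE image used as sample input (not a real binary)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, chars)
    optional = struct.pack("<H", magic) + bytes(66) + struct.pack("<H", subsystem) + bytes(170)
    return dos + b"PE\0\0" + coff + optional

if __name__ == "__main__":
    samples = {
        "setup.exe": make_sample(0x0022, 3),    # named as what it is
        "invoice.pdf": make_sample(0x2022, 2),  # DLL behind a document extension
        "notes.exe": b"MZ is how this text file happens to start",
    }
    for name, blob in samples.items():
        print(f"{name:12} {verdict(name, blob):13} {classify_pe(blob)}")
```

An extension-only rule would pass `invoice.pdf` and stop `notes.exe`; the content check reverses both decisions.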