"It is better to prevent malicious code to run at all, than allow it to run and try to detect & prevent harmful behavior."
There is ALWAYS a point at which malicious behavior detection fails - no matter the security software solution. Period.
In other words, default-deny is the only reliable solution => block, and just don't let it run. Period.
So simple that it is brilliant.