"It is better to prevent malicious code to run at all, than allow it to run and try to detect & prevent harmful behavior."

There is ALWAYS a point at which malicious behavior detection fails - no matter the security software solution. Period.

In other words, default-deny is the only reliable solution => block, and just don't let it run. Period.

So simple that it is brilliant.