You're following the correct path... your next challenge is to tune the policy based on the data that is currently being gathered while you're in monitor mode.
If you look in the 'Monitors' section of the console you can look at all the events that are currently being generated, and the events you need to focus on are the ones that are 'blue' in color. If you enable prevention on the policy, the activities represented by these events would be blocked. The challenge here is that there can be thousands upon thousands of events and it can be difficult to determine if you're dealing with a few simple, quick tunes to the policy or a much deeper effort. Up until recently I used to digest these events in a very manual effort involving data exports and Excel... until a colleague built a tool that makes this much quicker for me.
Couple of quick pointers: Read the policy guide PDF and make sure that the 'Core' policy is going to meet your business needs. In a nutshell, it focuses on restricting core OS services and functions (mitigating risks that modify/exploit core OS code behavior to achieve their goals). For 'all other programs', the policy is not restrictive, enabling it to be, as suggested by SYMC, 'highly compatible'. With this policy applied, you can't obviate the need for traditional AV to mitigate risks associated with malware.
Best of luck and feel free to PM me if you get stuck.