JWilliams

Interesting - I think I ran into the same situation. After a couple of weeks on HIPS learning mode and seeing over a thousand rules created by very active use (many of which did, indeed, look like duplicates), I reverted to interactive mode and immediately started getting lots of notifications. Needless to say, I reverted to smart mode quickly. Hopefully, fixing this bug will allow learning mode to serve its purpose.

While Powershell 2.0 compatibility can be removed via add/remove Windows components, Powershell 5.0 is integral to Windows 10. I've searched for solutions, and it doesn't seem that it can be removed. Uh yes it can be, use NTLite. It can remove more than just Powershell... hxxp://www.ntlite.com Having done some looking into NTLite, it does seem to be able to remove Powershell functionality (no idea whether a system is stable this way, as it's generally described as a core element of the operating system these days). ​However, with Microsoft replacing the command prompt with Powershell (hxxp://www.networkworld.com/article/3143196/windows/microsoft-is-replacing-the-cmd-prompt-with-powershell.html), it would be more helpful to not have to reinstall the function when it is needed. Greater control through AMSI, it seems to me, would allow users to easily or selectively disable all Powershell execution, but quickly re-enable it when needed. ​Since ESET SS is hooked into AMSI anyway and can thus make "go/no-go decisions" for script execution, it's a feature I'd like to see.

While Powershell 2.0 compatibility can be removed via add/remove Windows components, Powershell 5.0 is integral to Windows 10. I've searched for solutions, and it doesn't seem that it can be removed.

I have a request regarding Eset Smart Security 10 and Microsoft's AMSI. Is it possible to add options such as "block all in-memory Powershell scripts" or "ask before running any Java scripts"? Many of us never or only rarely and deliberately use Powershell scripts, Java scripts, etc. For those of us in that situation, it would be nice to block things by default, to catch zero-day stuff. Is this possible?