mynamesismd

Members
  • Posts: 2

About mynamesismd
  • Rank: Newbie

Profile Information
  • Location: USA
  1. Thank you for the responses! This makes sense to me. So the HIPS is more of a traditional definition of a HIPS. ESET's choices here seem reasonable if the philosophy is to lower false positives. A lot of other AV programs use the terms HIPS and behavior blocker / antiransomware to mean they look for these kinds of behaviors, and for a file with low cloud reputation, it's basically on a hairpin trigger. While it might help with zero-days and custom-written malware, you guys are absolutely right that the risk of false positives is high. BTW, huge props to ESET for the latest update. I'm pretty impressed by the detection against actual known malware -- it's doing a fantastic job against real-world new malware variants, especially against malvertising that delivers randomly generated variants of PUAs.
  2. One test that I usually run with antivirus software is to compile a .NET binary that simply goes into My Documents and starts placing file by file into a zip file, then going back and deleting every file it zipped up. This triggers many other antivirus programs' cryptoransomware behavior blocker. When I try the same with ESET (the latest version), it silently allows the attack to run to completion. I have all of the advanced heuristics options enabled, and the antiransomware module as well as HIPS on either Automatic or Smart (it sounds like Smart might be more sensitive than Automatic?). Is ESET's antiransomware module intended to block this kind of activity? I can provide a file sample if that helps, but really, it's just 10 lines of code that create a ZIP file and place a designated set of documents into it. https://pastebin.com/XRVrupP9
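For the read-then-archive-then-delete pattern the post above describes, here is one way a behavior blocker could score a process from file-system events. This is an added example for illustration, not code from the post, from the pastebin, or from ESET; the event tuple layout, the document and archive extensions, and the sample trace are all constructed assumptions.

```python
import os
from collections import defaultdict

DOC_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}     # assumed "user document" types
ARCHIVE_EXT = {".zip", ".7z", ".rar"}                   # assumed archive types

def _ext(path):
    return os.path.splitext(path)[1].lower()

def detect_archive_and_wipe(events, window_s=30.0, min_docs=5, doc_root="/Documents/"):
    """events: iterable of (timestamp_s, pid, op, path), op in {"read","write","delete"}.
    Flags a pid that writes an archive and, within window_s of that write, deletes at
    least min_docs distinct user documents it had just read. Returns {pid: [paths]}."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)
    alerts = {}
    for pid, evs in by_pid.items():
        evs.sort()                                      # order by timestamp
        archive_writes = [t for t, _, op, p in evs
                          if op == "write" and _ext(p) in ARCHIVE_EXT]
        last_read, wiped = {}, set()
        for t, _, op, path in evs:
            if doc_root not in path or _ext(path) not in DOC_EXT:
                continue
            if op == "read":
                last_read[path] = t
            elif op == "delete" and path in last_read and t - last_read[path] <= window_s:
                # document read, then deleted, near an archive write by the same pid
                if any(abs(t - ta) <= window_s for ta in archive_writes):
                    wiped.add(path)
        if len(wiped) >= min_docs:
            alerts[pid] = sorted(wiped)
    return alerts

# Constructed sample trace (not from the post): pid 4242 archives and deletes six
# documents one by one; pid 77 is an editor that reads and later saves one file.
SAMPLE_EVENTS = []
for i in range(6):
    doc = f"C:/Users/md/Documents/report{i}.docx"
    SAMPLE_EVENTS += [(i * 1.0, 4242, "read", doc),
                      (i * 1.0 + 0.2, 4242, "write", "C:/Users/md/Documents/out.zip"),
                      (i * 1.0 + 0.4, 4242, "delete", doc)]
SAMPLE_EVENTS += [(2.0, 77, "read", "C:/Users/md/Documents/notes.txt"),
                  (9.0, 77, "write", "C:/Users/md/Documents/notes.txt")]

if __name__ == "__main__":
    print(detect_archive_and_wipe(SAMPLE_EVENTS))
```

The threshold and window are the tuning knobs the thread is really about: low values catch a ten-line test binary but also a user who zips a folder and then tidies up, which is the false-positive trade-off the replies describe.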