Hello everyone. I was testing some malware tonight (sandboxed of course) and ran across a nasty fake AV alert. Eset hips popped up upon the install and said it had been allowed. So I went into the settings and switched hips to interactive and was bombarded with a ton of hips alerts (pop ups). After denying about 10-12 alerts from hips and having pop ups from the fake AV, I just terminated the sandbox. My questions are, how or why did hips allow this? Is there settings I should use for the hips to deny these kind of actions (fake AV's or suspect files). If I would have keep clicking deny would it have eventually killed the fake av? I suspect once it was allowed to get past hips the first time it was to late. If hips would have been set to interactive from the start would it have killed the process on the first deny? I submitted the file to eset. Thank you for your time and thank you in advance. Edit: This was done with stock settings with the exception of trying hips in interactive mode as stated above.