I just wrote a small test program, which does nothing than hijack notepad and write my own code into notepad's process memory and execute it there. If AMON is enabled during compilation, it block it, but once the executable is on the harddisk, AMON does not block it any longer and I can execute it. http://www.tindahan.biz/myitems/np.jpg Virustotal shows: http://www.tindahan.biz/myitems/vt.jpg I think, it should be detected by AMON, if I try to execute it, and not only if I try to create it. I can even copy and paste it, it will not be recognized. And before anybody will tell me to submit it to eset, I DID, weeks ago.