Smoking Guns - Smoke Loader learned new tricks

Discussion in 'malware problems & news' started by itman, Jul 3, 2018.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://blog.talosintelligence.com/...campaign=Feed: feedburner/Talos (Talos™ Blog)
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I still wonder if AVs are able to block process hollowing automatically? And Plugin 3 and 4 should be blocked with tools like SpyShelter; it monitors hooking of the browser and email clients.

    https://www.spyshelter.com/internet-security/
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Conventional AVs, no; at least as far as automatically goes. Like I have stated previously, Eset's HIPS will detect it, but I have to create user rules for the processes I wish to monitor the activity for.

    Behavior-based solutions may detect it, but most don't if the process being hollowed is suspended, which is the most prevalent form of process hollowing. Supposedly, WD ATP detects it. However, MS has never had it subjected to AV lab testing or any other independent testing, so we only have MS "propaganda" tech briefs that state it does.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm sorry to say, but the HIPS in Eset sounds pretty ridiculous. For example, a tool like HMPA will block process hollowing automatically. As for WD ATP, like I said, it's a monitoring tool, so it doesn't actually block it. I had a huge discussion last year in the WD thread; I was trying to explain that I would like to see a more advanced behavior blocker in Win Def, based on WD ATP.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I don't believe it will detect process hollowing activities against a suspended process.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, it will. HMPA probably looks for suspicious API calls combined with a suspended process. I believe that all security tools must add protection for this. For example, SpyShelter will also not automatically block process hollowing, AFAIK.
     
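The detection idea raised in the last two posts (suspicious API calls correlated with a process that was created suspended) as an added example; this is not code from the thread or from any product named in it. The trace line format, the sample events and the specific API set used for the rule are assumptions made for the example.

```python
"""Added example: flag the suspended-process form of process hollowing by
correlating API-trace events. Trace format and sample lines are constructed."""
import re
from collections import defaultdict

# Constructed trace format: "<source_pid> <api> target=<pid> [flags=...]"
LINE_RE = re.compile(
    r"^(?P<src>\d+)\s+(?P<api>\w+)\s+target=(?P<target>\d+)(?:\s+flags=(?P<flags>\S+))?$"
)

# Assumed rule: memory written AND thread context changed in a process that
# was created suspended, before its first ResumeThread, is the hollowing pattern.
TAMPER_APIS = {"WriteProcessMemory", "NtUnmapViewOfSection", "SetThreadContext"}
REQUIRED = {"WriteProcessMemory", "SetThreadContext"}

def detect_hollowing(lines):
    """Return [(source_pid, target_pid)] for targets tampered with while suspended."""
    suspended = {}               # target pid -> pid that created it suspended
    tampered = defaultdict(set)  # target pid -> tamper APIs observed so far
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than crash the monitor
        src, api, target, flags = m.group("src", "api", "target", "flags")
        if api == "CreateProcess" and flags and "CREATE_SUSPENDED" in flags:
            suspended[target] = src
        elif api in TAMPER_APIS and target in suspended:
            tampered[target].add(api)
        elif api == "ResumeThread" and target in suspended:
            if REQUIRED <= tampered[target]:
                hits.append((suspended[target], target))
            suspended.pop(target)          # first resume ends the suspended window
            tampered.pop(target, None)
    return hits

# Constructed sample trace: one hollowing sequence (4000 -> 4100), one benign
# suspended start with no tampering (5000 -> 5100), one write to a running process.
SAMPLE_TRACE = [
    "4000 CreateProcess target=4100 flags=CREATE_SUSPENDED",
    "4000 NtUnmapViewOfSection target=4100",
    "4000 WriteProcessMemory target=4100",
    "4000 SetThreadContext target=4100",
    "4000 ResumeThread target=4100",
    "5000 CreateProcess target=5100 flags=CREATE_SUSPENDED",
    "5000 ResumeThread target=5100",
    "6000 WriteProcessMemory target=6100",
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))  # → [('4000', '4100')]
```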