BTW, the hollow process POC link that he posted on his rant is the same one I sent you 5 or so months ago (ironically).

https://www.trustwave.com/Resources/SpiderLabs-Blog/Analyzing-Malware-Hollow-Processes/

Here is the POC that they refer to in that article:

http://www.codereversing.com/blog/archives/65

I compiled the POC so everyone can try it for themselves; here is a link. Keep in mind, I did this quickly, so feel free to recompile the source code just to make sure I did everything correctly.

http://www.voodooshield.com/artwork/runasprocess.exe

Here is the usage:

runasprocess [process to replace] [replacement process]

VS blocked everything as expected. I did not spend too much time on it, so there might be a way to get it to work, but I do not see how… please play around with it and see if you can get something to slip through.

Here is the video:

http://voodooshield.com/artwork/hollowprocess.mp4

Now do you see why I am annoyed when people suggest that there are ways to bypass VS, but do not demonstrate a proper bypass? My time would be better spent improving VS, and finding a way to put a lock on all web connected devices. Although, this is fun too at times.