That alert is for code injection into svchost - and not for hollow process.
Code injection and hollow process are two different things. In a nutshell, hollow process is when a child process is launched in a suspended state by a parent process, and then the parent process replaces the child process with a different process.
SpyShelter HIPS does not detect or prevent hollow process. You can confirm this directly with the developer - Datpol. It is a known issue on 64-bit systems.
No, I have confirmed something else.
I know what the difference is, but I'm afraid you are not a system programmer and you don't know the details?
You should know that an action named process injection or memory modification, which sounds the same in HIPS "A" software,
might not be the same as what is done in another, let's say HIPS "B"; there is something like code quality + tricks, so the same name does not mean the same thing.
In this case injection could mean something more.
I analyzed it more deeply:
mem dumps of explorer and svchost, compared before and after the malware run.
I did this on one of the latest editions of CTB Locker. Svchost was blocked from modification. Without SpS it was hollowed.
There is no sense in discussing without proof which everybody could check.
Can you simply show one example which will prove your words?
Just ONE, simple to verify, not 5 or 10...
I will analyze it then and could confirm, so then I can make suggestions about improvements.