Testing ESET 13.0.22.0's HIPS with my sample of suspicious things:
(1) (written myself) Simulated ransomware: Zips up the contents of My Documents (password set to today's date) and then deletes all the files one by one.
(2) (written myself) Simulated PUA: Copies itself as C:\Program.exe and then registers itself as a startup item
(3) Modified Rufus.exe repacked myself: Rufus edits the system's group policy to disable Autorun and escalates itself to admin in order to drop in GPO registry keys.
(4) Modified Universal Watermark Disabler repatched myself (patches BootMgr and the EFI Windows loader similar to a rootkit)
(5) Stock HWIDGen (Windows piracy tool, MITM's the connection to a Windows activation server. Considered suspicious by most heuristic analyzers)
(6) Stock VMWare Workstation crack (false alarm test. Attempting to patch VMWare binaries sets off a lot of heuristic engines as malware attempting to detect a VM)
Emsisoft AM alerts on: 1, 2, 3, 6
F-Secure SAFE alerts on: 1, 2, 3, 4
ESET alerts on: None
In terms of results, I expect 1, 2, and 4 to be flagged by a behavior blocker or even a static analyzer. I expect 6 to not be flagged by anything.
I was surprised that the default settings for ESET didn't alert on anything. (1) actually deleted my data despite the "ransomware blocker" module being turned on. And I'm literally just using stock .NET APIs with no attempt to obfuscate the fact that I'm deleting stuff from My Documents after encrypting it. (2) is meant to be a double whammy: locating yourself at C:\Program.exe is a common exploit attempt (unquoted service path), and a zero-reputation binary immediately setting itself to run at startup is suspicious too.
Are there fancier settings to use for ESET?
On the bright side, the static scanner is quite good. It's picking up a lot of live-generated Mac malware that is intentionally randomized every download.
EDIT: I will say that while testing most of these binaries there was about a 5-10 second stall at various points in execution. It seemed like ESET was somehow inspecting what the binaries tried to do, but they just weren't suspicious enough. Note too that this was more heavyweight than the other mentioned BBs. ESET is overall light and fast, but it does seem to be heavy if the behavior blocker is inspecting a process.
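On test (2) above: the reason a file at C:\Program.exe matters is the way CreateProcess resolves an unquoted command line that contains spaces. It tries each whitespace-delimited prefix with ".exe" appended before it reaches the intended binary, so a service registered as C:\Program Files\Vendor\Bad Svc\bad.exe would run C:\Program.exe first if one exists. The script below is an added example (not the OP's test tool or any vendor's code) that reproduces that resolution order so you can list which paths an attacker would need to plant for a given set of service ImagePath values. The SAMPLE_SERVICES dictionary is constructed sample data; on a real host you would read each service's ImagePath from HKLM\SYSTEM\CurrentControlSet\Services via winreg instead.

```python
import re

# Constructed sample of service ImagePath values (not read from a real registry).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Vendor\Good Svc\good.exe" -service',
    "BadSvc": r"C:\Program Files\Vendor\Bad Svc\bad.exe -k netsvcs",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k LocalService",
    "WeirdSvc": r"C:\Tools\run me.exe",
}


def hijack_candidates(image_path):
    """Return the paths CreateProcess would try before the real executable.

    Mirrors the documented lookup for an unquoted command line: every
    whitespace-delimited prefix is tried, with ".exe" appended, until a file
    is found. A quoted path is unambiguous and yields no candidates.
    """
    if image_path.startswith('"'):
        return []
    # Find the real executable token: the first ".exe" followed by whitespace or end.
    m = re.search(r"\.exe(?=\s|$)", image_path, flags=re.IGNORECASE)
    if m is None:
        return []  # no recognisable .exe token; nothing to reason about
    exe_path = image_path[: m.end()]
    candidates = []
    for ws in re.finditer(r"\s", exe_path):
        prefix = exe_path[: ws.start()]
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def vulnerable_services(services):
    """Map service name -> hijack candidates for every unquoted path with spaces."""
    result = {}
    for name, image_path in services.items():
        cands = hijack_candidates(image_path)
        if cands:
            result[name] = cands
    return result


if __name__ == "__main__":
    # A candidate is only exploitable if a low-privileged user can write there;
    # C:\ normally is not writable, C:\Tools might well be. Check ACLs on a real host.
    for name, cands in vulnerable_services(SAMPLE_SERVICES).items():
        print(name)
        for c in cands:
            print("   would try:", c)
```

Only the unquoted paths with embedded spaces show up; the quoted entry and the space-free svchost entry produce nothing, which is the behaviour a real audit should reproduce before flagging a service.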