It is because of the way CIS works. Due to speed optimization, it does not do a TVL cloud lookup on on-access, but when a file is detected as malware it verifies in the cloud whether it is safe, as it can also be a false positive, and if so, the vendor is added to the local Trusted Vendor List.
The next time the file was executed, the vendor was already in the TVL, as the last check found the vendor in the cloud and added it to the local TVL list, and therefore there was no alert on the second attempt.
I was thinking of this but wanted info from the experts. Thanks, you explained it clearly.
But on the first attempt, if the file is detected as malware and the cloud lookup found the file safe and added it to the local TVL, that means it was an FP, but an average user will not try to run the file a second time. Don't you think it should do a TVL cloud lookup on on-access?