Your concern is with detection, whereas, given the nature of prevention, it should be with the prevention capabilities of CIS v5. All unknown files will run sandboxed until found safe. If CIMA misses a piece of malware, the malware will still run sandboxed.
Remember it is never CIMA that deems a file safe. That is done by analysts:
CIMA only marks the file if it's bad...
If it can't reach a verdict on a file, it does NOT mark it as safe.
Let me put an end to this discussion:
Melih answered the question very clearly before.
CIMA is used to mark files as MALICIOUS, NOT AS SAFE. SAFE files are marked by analysts.
"If CIMA does not catch it, they must be marking it as safe" is a very naive assumption with no basis... Don't assume but experiment if you want to see what is going on.
So, even if CIMA is totally messing up, it will never tell anything is safe. Unknown files will keep on running in the sandbox.
When it comes to preventing malware a HIPS is still better than a behaviour blocker. So, I am not quite sure where you get the 99,9% condition from.
Other than that it is good to look for discrepancies to see if there is room for improvement.
Also report this malware in the AV False Positive/Negative Detection Reporting board. And please only post the URLs to CIMA and VT when submitting it there; no malware should be posted in that board (read the stickies).