about the unsandboxed process

I added explorer.exe to the blocked applications.

I double clicked on the CLT.exe and selected “Allow”

So, CLT.exe is not sandboxed.

I double clicked on the item, “Explorer As Parent”

The result is “Protected”

I checked the defense+ events.

CIS sandbox blocked the activity of the unsandboxed process.

Please add an option to the sandbox settings,
“Do not block the activities done by the unsandboxed processes”

I don't get your point.

Do you mean that an untrusted application (CLT) should have the right to start a blocked application?

I think that CIS should “allow” the activities done by the “unsandboxed process” when “the sandbox is enabled”.

I don’t agree.

Blocked should mean blocked, regardless of sandbox status.

Because it is an unsandboxed process, CLT.exe can be replaced by userinit.exe, services.exe, …, etc.

If the user enables the sandbox, the user cannot add the rule to the blocked applications.

CIS should… no! MUST! block actions that are expressly denied by the user. With absolutely no exceptions. For example, how can CIS's self-defense be implemented when any installer will be able to overcome the self-defense rules?

That is not true. Executables are protected files and are protected by CIS. It is possible for the user to change files as you describe using Explorer. CIS does allow the user to do such things, but not with executables.

2. If the user enables the sandbox, the user cannot add the rule to the blocked applications.
I am not quite understanding. Can you rephrase?