Currently, when a trusted executable changes (usually due to a patch or update), CIS sends it back to the auto sandbox. I suggest that if CIS detects that a trusted executable has changed, it should pop up a question, something like “Have you updated exec name recently?” or “exec name has changed, do you want to keep it trusted?” or something like that, and send the new file to Comodo regardless of the answer.
Agreed, something will have to be done in the future for updated “non signed” applications.
I guess my search prior to posting this wasn’t broad enough. I basically agree with your suggestion, just with the addition of specific Paths/Applications for exclusion. In other words, given the context of your suggestion, in the specified Paths/Applications the detection of a previously trusted/signed, now unsigned executable would generate a dialog asking whether trusted status should be retained for that previously trusted/signed, now unsigned executable.
My personal opinion is this would allow users to specify known Paths and/or Applications that are expected to change somewhat often (e.g. Steam Library, GOG Games, alpha/beta software, etc.), but still alert on and sandbox executables that are less likely to change (and still be trusted).