CIS Actions - Unknown vs Untrusted vs Unrecognized File Designations

I am currently testing CIS Beta on my system. However, I am not too sure how CIS treats Unrecognized vs Unknown vs Untrusted Files. So before I needlessly submit a Bug Report concerning how CIS is alerting/auto-sandboxing/analyzing-reporting (in KillSwitch) these three file classifications, it would be a real help if someone could clarify the distinctions between them and how CIS handles each type. In other words, it’s better to ask for clarification before wasting everyone’s time by reporting something that is not a bug.

I’ve checked Comodo’s Help/Support files. They are unclear on some of the nuances/finer points or just don’t have the info outright.

Below are a few statements of my understanding. Please explain if my understanding is incorrect and/or incomplete.

Basic file types in CIS: Trusted and Untrusted (and Ignored).

Unrecognized Files are associated with the Defense + module (more specifically, the Behavior Blocker auto-sandboxes Unrecognized Files).

The Untrusted File designation is also associated with the Defense + module. More specifically, it is a rule-set that determines the manner and extent to which a file is restricted while running in the sandbox. In other words, Unrecognized Files are auto-sandboxed as Trusted, Fully Virtualized and Blocked (I do not see the Partially Limited, Limited, Restricted, Untrusted auto-sandbox rule-sets in CIS 8 Beta. I assume these rule-sets can be configured or may be auto-generated by the user’s response to alerts or both?). However, any Unknown File will, or should, always be processed by CIS as Untrusted. In CIS 8 Beta, Untrusted Files are auto-sandboxed using the Fully Virtualized rule-set by default.

The Unknown File classification is generated during scans (Rating, Full, and Custom) and is tied directly to the Cloud signature verification service. If the file on the user’s system is not found in the Cloud, then CIS will rate it as Unknown. The user has the option of ignoring the file or moving it to the Trusted File list. Unknown Files may be of any file type (i.e. .dll, .exe, .zip, .rar, etc.).

Despite the fact that I have more questions I am going to end here as this is a lot to cover. I’d rather break my questions down to manageable portions.

Untrusted files are removed by the antivirus. Unknown files (unrecognized is the same) are run in a sandbox. Trusted files are run normally.