CIS and Comodo Programs Manager

I've noticed that if you install a program using "Install and monitor setup using CPM" you won't get any warnings from Defense+, and the sandbox doesn't work either. Isn't there a risk that you could get infected this way?

I suppose it’s based on file hash (sort of MD5 or SHA1) and trusted vendor list.
If the file MD5 is valid (it means the file wasn’t modified) and it’s signed with a vendor from the trusted list, everything is ok.

If you can't trust Comodo, then what can you trust? >:-D