Containment Alert - "Don't Isolate It Again"

When a zero-day untrusted application (a test batch file in my case) is executed for the first time then:

  1. A “Containment - Application Contained” alert pops up telling that the application has been run virtually.
  2. The application is added to BLOCKED APPLICATIONS.
  3. The application is added to UNRECOGNIZED FILES.

Now when:

  4. The application is removed (not unblocked) from BLOCKED APPLICATIONS.
  5. The application is removed from UNRECOGNIZED FILES.
  6. The application is executed again.
  7. “Containment - Application Contained” alert pops up again telling that the application has been run virtually.
  8. In the “Containment - Application Contained” alert selecting “Don’t Isolate It Again”.
  9. The application is added to BLOCKED APPLICATIONS.
  10. The application now is NOT added to UNRECOGNIZED FILES.
  11. The Untrusted application has become rated Trusted.

Now, successive executions of this untrusted application will not be intercepted by auto-containment anymore and not by HIPS either because of the auto created auto-containment application rule and the auto created HIPS custom application rule.
As such HIPS won’t show any alerts for this untrusted application anymore.

I would not expect that an untrusted application all of a sudden becomes rated trusted after selecting “Don’t Isolate It Again” per step 8.
I mean after selecting this “Don’t Isolate It Again” option the application should still be rated untrusted so that HIPS would still show Alerts for this untrusted application.

When a user accidentally selects “Don’t Isolate It Again” on malware, what would happen next when HIPS doesn’t inform you anymore?

Is this correct behavior of this “Don’t Isolate It Again” option?

Don't Isolate It Again – An 'Ignore' rule is added for the application in the Auto-Containment rules. The application will not be auto-contained in future. See Auto-Containment Rules for more details.

Don’t Isolate It Again - Select this option if you are sure you can trust the file.
The file is marked as ‘Trusted’ in your local file list, and will be allowed to run without restriction in future. See File List for more details.


Also it doesn’t add any custom HIPS rules, just an auto-containment rule and changing the file rating to trusted.

I don’t see the same type of Containment alerts as shown on that Help page.
Also the “Don’t Isolate It Again” option is explained separately in two different places/subjects “Containment Notification” and “Answer File Rating Alerts”.
However, I get only one simple Containment alert (see attached image) with the “Don’t Isolate It Again” option in it.

How does one know that with selecting this option you answer both the “Containment Notification” and the “Answer File Rating Alerts” alerts?
Looks dangerous to me, could be made clearer.

Correct, on the very first execution the ignore containment rule is being created and file rating trusted is being set and then on a second execution the HIPS custom rule is added because of trusted state.