Cryptographic cis5 defense+ settings?

With both the sandbox and cloud disabled, no trusted software, no trusted editor, cis5 allows e.g. Firefox update from 3.6.11 to 3.6.12 without warning for the dll and exe changes, while cis3 does under the same circumstances.

The post-installation analysis shows that all of these files have been sandboxed as safe due to a trusted software, altough the sandbox is disabled and the trusted vendor list empty.

A similar behavior occurs, as i described earlier, when replacing under system32 the original Microsoft shutdown.exe by a third-party one with the same name or with another name after renaming it.

How does, in these conditions, cis5 manage to know anything about xp genuine files or about Mozilla’s genuine files?