I think that the action danger rating should go up as the file does more suspicious stuff.
(Note: This may sound a bit like isolation.)
For example: In one of the minimal D+ settings (“Clean PC Mode” say), CIS redirects all changes an app makes to a database CIS has just for that purpose. When either b[/b] the app has done a certain amount of suspicious actions, or b[/b] the app has closed or stopped doing actions, a D+ alerts pops up asking if you want to undo the changes and block the program, or keep the changes.
For non-undo-able actions, it will still alert.