D+ fails on maximum settings

D+ on proactive mode and unknown set to “untrusted” is failing to block this morning on my malware tests in respect of some “Ransom LockEmAll” wares. Interestingly, on standard IS mode, when it prompts for a block or sandbox and block is selected, it really does block.

After 2 years of sandbox in IS, I still can’t understand why the highest boxing of “untrusted” does not effectively isolate this, similarly with the infamous failing of the SpyShelter tests of webcam and audio tests.

IEC=untrusted allows most software to run, but not do much, though it can grab CPU cycles. (Add a program to the sandbox allows control of this, so you can run such software experimentally). Blocked prevents execution. Blocked is present on the execution control menu, but not at the top - dunno why.

Best wishes

Mouse