I am using CPF 2.2.0.11 on Windows XPSP2 Home, fully patched.
“Automatically approve safe applications” is not checked. From time-to-time I get alerts about “suspicious behaviour”, most of which are to safe applications, typically involved in OLE automation exploits. If I am at the console, I typically allow these. But what is the default action that occurs if I am not here to see the alert? And can I control this myself?
These items, whether allowed or not, are recorded in the log file (which is how I know there are unattended ones!), but are not persistent; that is, they do not survive when the machine is shut down and later restarted.