Distinguish bet. safe & risky i/n access 4 virtualised browsers [4.1.x.920 x32]

Version 4.1 of CIS protects against malware hijacking virtualised browsers by alerting internet access (DNS) attempts.

There needs to be a way of distinguishing between browser sessions that could be caused by malware and those that could not, so the frequency of alerts can be reduced.

Suggestion (not part of vote)
Maybe these alerts need only occur if the program is run by a program other than explorer.exe. This would mean that most user initiated sessions were exempt. (NB AFAIK explorer.exe cannot be called with ‘run this program arguments’ I think?) If anyone knows please do say! I’m not a security expert.