First I have to say that I have already seen this issue mentioned many times in different topics. It has been said that CIS D+ treats everything as unknown until it actually loads. But, my experiences differ.
I would like to mention the cases that I regularly encounter when I install CIS on a new system.
I install a few programs. I then install CIS and do a restart. After the restart, any programs or applications that start before the CIS GUI actually appears are not sandboxed. When I open the “Active Process List” under D+, it clearly shows that the processes are not trusted, yet the sandbox level shows as “Disabled”.
If I close any of those programs and reopen them, they are now sandboxed.
So, what I conclude from this is that CIS starts sandboxing unknown programs only after its main UI is loaded or some particular component is loaded. Any app that starts earlier than this is not automatically sandboxed even if it is untrusted.
I have seen this happen with malware too…
When I installed CIS on an infected system, after the restart I was surprised to see that the malware was not sandboxed. The files were not trusted either. I checked the “Active Process List”; they were not sandboxed. I terminated the programs. I ran them again for verification, and they were now sandboxed.
I would therefore like to see CIS load its modules earlier than all others so that it protects from autorun infections, or CIS automatically sandboxing all unknown files somehow even before it loads (I am just being crazy; I do not know if this is possible).