So I have had my CIS4 set up with sandbox on and automatically detect installer… off, so everything is sandboxed.
I tested this setup on my VM, and it sandboxed a fake AV (rogue), then immediately scanned it and released it from the sandbox… How does that happen! They scanned it and found a rogue as safe? I know technically they are not malicious, but they should be deleted from your sandbox, not let free!!
Luckily, firewall found it to have malware behavior so I blocked it, but I really wish the sandbox was more secure.
I just tried to do what you did and I could not get it to do it. It was sandboxed but never let out. It totally killed it in sandbox and when I restarted it was gone. Upon reboot it was even gone from pending files.
I don’t know, I have never seen that. I would suspect it was a hiccup in the program or that you are using CIS on a virtual machine; it has been known to cause weird things to happen, especially in security programs.