CCAV first checks file signature in trusted vendor list embedded in it, then if not matched, it goes to FLS (File Look-up Service) to query file rating from hash. Returned rating can be safe, unknown or malicious
So, basically, CCAV uses the same cloud look-up analysis of CFW/CIS, not only on execution, but also on download/copy/select?