How does CIS detect file origin?

One of the default autosandbox rules states “Action - Run Virtual, Created by - * , Location - Any, Origin - Internet”. How does CIS detect file origin?

Second autosandbox rule states: Run virtual unrecognized files created by web browsers, dowsnloaders, email clients and pdeudo downloaders. But shouldn’t files created by those programs have internet origin by defeault? And that is covered by the first rule.

Are there other file origins that will be handlied by CIS? Because I only have “any” and 2 “Internet” entries in the drop down list.

  1. It was detected by Viruscope.

On the other hand, the rule will be disabled when turning off Viruscope.

  1. Internet, Intranet

It’s using alternate data streams. Archived MSDN and TechNet Blogs | Microsoft Learn

Hope it helps.

Thanks for info, qmarius :-TU