default deny: unknown files will be treated as blocked until allowed.
mainpage cis (sandbox disabled): unknown files will be treated as “partially limited, limited, untrusted, blocked”.
cis without sandbox is default deny. so the mainpage user interface doesn't fit when the sandbox is disabled.
Yes Sandbox and ‘Image Execution Control’ are two separate features.
You can set Sandbox to disabled and still have unknown files blocked from running.
This allows system administrators to ‘lock down’ the system without having to implement the sandboxing limitations to the other applications.
GUI text could be improved here and I think the help documentation fails here… or I am missing it.
I think that the levels represent different restrictions on the OS level not on CIS level.
Removal of Admin token etc.; you can use Process Explorer to view some of those, though a clearly written help file would be very welcome on this.
yes, the setting is usually meant to describe the level of restriction for unknown files while the sandbox is enabled(!).
and in the best case it is useless to have it still there when the sandbox is disabled. in the worst case it could even be dangerous if someone is convinced that there is still a treatment “untrusted, limited etc.” while there isn't any. he can be made to believe that by choosing “treat as blocked” once, which has an obvious effect on defense+ while the sandbox is disabled.
example of exploiting this:
“hey, you can safely allow this game add-on, because you can see that cis would treat unknown files as untrusted! if it doesn't work with the sandbox enabled, you can disable it, as it is still possible then to set “treat unknown as untrusted”! so no danger. unfortunately you must disable your antivirus (isn't antivirus so useless when you have defense+…) because of a false positive, but defense+ would treat it as untrusted if you allow it, so it can't do anything to your system!” (btw, this could happen even without anyone actually speaking to you, aka “i need it, it doesn't run in the sandbox, the antivirus is annoying, and defense+ seems to treat it as untrusted anyway.”)
it would be a user mistake, but today's interface could lead to this mistake. first of all because in the actual settings this option is not under sandbox but under execution control. so it seems to be about defense+ twice: on the mainpage user interface and again in the settings.