Protection against the encoder

I want to understand better how HIPS will work, fir-trees will meet not the known program. I understand that there will be a message and I need to solve: whether the program is safe it or not, it is worth allowing start or not

Let’s assume with decided that the program is safe. And I noted that it is necessary to consider the rule that the program is safe. But suddenly I was mistaken? Suddenly it is a virus what ciphers files?
Whether Comodo regardless of my decision will check this file then. For example – to carry out a cloudy inspection. If carries out an inspection, then what it consists in - it is emulation of the program that to determine by the analysis of behavior, the program is safe or not?
I need answers …. Thanks