On a real example:
I run CIS without AV (which is not installed). The “My own safe files” list does not contain “services.exe” from the \system32 folder, and services.exe is not signed (by Microsoft or whoever else).
When an alert for services.exe is triggered, it reads “services.exe is safe”. Or the alert is not triggered and the activity for services.exe is autolearnt by Defense+. I don’t have any explanation for this except that there is a “global” whitelist which is not customizable by the user and is not tied to Comodo’s AV only.
But the most interesting part: it seems like the global safelist (or Application Recognition Database - whatever) is remote (Comodo’s servers) OR is being downloaded/updated from Comodo’s servers from time to time:
(Chernyakov is one of the CIS programmers, if I’m right)