SHA-1 hash check for exe/dll

I’m confused to see that CIS does not support checking SHA-1 hashes before launching executables. This is a severe security drawback. CIS should keep a local database of hashes of all already-executed applications and alert the user when the currently executed application does not match it. Of course, linked DLLs should also be verified. Without this, a safe application (already allowed by Defense+ and with FW rules) can be substituted (not necessarily a system exe; this can happen through an installer) with some malware, and there will be a huge problem.

So my wish is: SHA-1 protection for execs.
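A minimal version of the check described in the post, added here as an example and not anything CIS ships: it records the SHA-1 of an executable and its DLLs the first time they are allowed, then flags any file that has changed, was never seen, or is missing. The hash algorithm is a parameter because SHA-1 collisions are practical today and a practitioner would pick SHA-256; the file names, contents and the tamper scenario in `demo()` are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def file_digest(path, algorithm="sha1"):
    """Stream a file through the chosen hash (SHA-1 as the post asks; "sha256" also works)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(db_path, files, algorithm="sha1"):
    """Store the hash of every file (exe plus its DLLs) the first time it is allowed to run."""
    db = {"algorithm": algorithm, "files": {str(p): file_digest(p, algorithm) for p in files}}
    Path(db_path).write_text(json.dumps(db, indent=2))
    return db


def verify_against_baseline(db_path, files):
    """Compare current hashes with the stored ones; anything other than 'ok' should block the launch."""
    db = json.loads(Path(db_path).read_text())
    report = {}
    for p in files:
        key = str(p)
        if not Path(p).exists():
            report[key] = "missing"
        elif key not in db["files"]:
            report[key] = "unknown"    # never seen before: prompt the user, as for a new application
        elif file_digest(p, db["algorithm"]) != db["files"][key]:
            report[key] = "modified"   # exe or DLL swapped since it was allowed
        else:
            report[key] = "ok"
    return report


def demo():
    """Constructed scenario: allow an app and its DLL, then overwrite the DLL and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        exe, dll, extra = Path(tmp, "app.exe"), Path(tmp, "helper.dll"), Path(tmp, "new.dll")
        exe.write_bytes(b"MZ original program")      # constructed stand-in for a real PE file
        dll.write_bytes(b"MZ original library")
        db = Path(tmp, "hashes.json")
        record_baseline(db, [exe, dll])
        dll.write_bytes(b"MZ replaced library")      # simulates an installer replacing the DLL
        extra.write_bytes(b"MZ never-seen library")
        report = verify_against_baseline(db, [exe, dll, extra])
        return {Path(k).name: v for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```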