Unrecognized file marked as 'Trusted' [Issue: #262]

I can no longer reproduce this easily in CIS 5.3.174622.1216, but I am still getting things added to trusted files automatically that I do not think should be. This includes DLL files from CLT (someone else also reported this). This really needs to be sorted as it is potentially a huge security hole.

I think that subsequent investigations may have revealed what is happening in your earlier examples, but need to confirm this with you.

My understanding is that if you run with UAC=on, raise privileges to admin, then use any program (presumably including Explorer) to drop (including newly create) a file, that file will be trusted. Basically, by running in admin mode with UAC on, CIS thinks you are saying that any program you run should run with installer privileges. The same is true if you run IE in this mode.

I cannot confirm this myself as I am running under XP.

I have done some testing and dropping files “as administrator” (Windows 7 64-bit) does not add them to the trusted list. I did get two files added to the trusted list automatically just by running them (not as administrator) and I think these are unsigned programs found safe by the cloud lookup.

Two DLLs, setwineventhook.dll and setwindowshook.dll, are added when I run CLT.exe, but I still get a 340/340 perfect score. Apart from this I cannot reproduce any problems.

Interesting. The example Egemen gave was IE. Set UAC=on, then run IE as admin (CIS 5.0). He said that a file dropped by IE (presumably downloaded) would be trusted, unless I have misunderstood. Of course they could be trusted but not on the trusted list - CIS has an internal white-list - check active process list when they are running for status.

Or maybe there’s a change in 5.3…

Best wishes

Mike

Still valid in 5.8

Further information re circumstances under which this happens in CIS 5.8 here:

https://forums.comodo.com/defense-sandbox-help-cis/problem-with-trusted-files-in-defense-t76453.0.html;msg547963#msg547963

Best wishes

Mouse

Added to known issue post here.