or is it allowed to do basically anything it wants? The one thing holding me back from CIS is this issue. When a program has a valid signature, is it also monitored by D+? How can we really trust all of the programs just because it has a valid signature? I see that most firewalls blindly trust these Windows components without question because they have valid signatures, allowing them to connect to the internet when they have absolutely no need to. Should any program/component really be in a white list and have the keys to the kingdom… or is it better to filter everything for the sake of security?
Nowadays, you can’t trust in valid signatures anymore. Personal opinion.
Isn’t there an option to automatically allow programs with valid signatures? This seems more like default allow to me.
Uncheck it 
[attachment deleted by admin]
I realize this might be a stupid question, but does Comodo’s HIPS prevent software from using (or masquerading as) trusted installers in order to install and run, the same way the firewall might stop a program from using a trusted program to access the internet?
They say that CIS 4 is verifying only name and path…
Now, seems that CIS 5 is checking hash. But I’m not sure about that as hash is time-consuming and performance issues will appear.
I am wondered too!
Whitelisted apps are monitored according to D+ security level. The apps are whiteliisted by hash and CA issued digital signature. Explicit D+ computer security policy applies exclusively to paranoid mode.
In safe mode, whitelisted apps are considered safe and bypass ‘ask’ access name configuration. However, access name permissions can stipulate ‘block’ rules and CIS will prevent execution of apps so blocked. For all practical purposes, in ‘safe’ mode no compuer security policies are necessary at all. You can delete 'em all and your system will run just fine. The only access rights applicable in ‘safe’ mode are ‘block’, or the exclusion lists associated by access name where applications can be blocked explicitely from having a particluar access name access right.
The default behaviour in ‘safe’ mode is allow all whitelisted apps. If either the SHA1 hash or the CA issued digital signature in the local whitelist DB no longer matches any arbitrary app at execution time, the app is no longer ‘safe’, and CIS will at the very least sandbox the thing; at very worst it’ll be declared malicious.