Why didn't D+ learn in training mode?

After installing CIS (Firewall only, no antivirus), I put it in training mode; however, I found that during training mode that I also had to disable Execution Control (because it didn’t get automatically disabled by training mode). I ran all my programs. That took awhile. When done, I put CIS into Safe Mode and reenable Execution Control (which is set to handle unknown files as Untrusted).

So I figured only new executables that showed up on my host sometime later would fall under the Execution Control enforcement. After all, the point of training mode is to learn how my current applications behave (to learn them). Didn’t work that way. After going to Safe Mode and enabling Execution Control, one of the programs (Blueberry Flashback for captuing the screen) that I had previously ran under training mode (to learn its behavior) was treated as Untrusted so ran in the sandbox (the partial one where restrictions are applied, not the full one where the process gets truly isolated). This caught me by surprise. I figured Training Mode was supposed to learn the behaviors of this program so it would be trusted later. I really don’t want to use Clean PC Mode but prefer Safe Mode.

The default configuration is with the “Create rules for safe applications” disabled. Do I have to enable this option and go back into Training Mode to relearn all my applications by running them all again so rules get defined for them that stick when I go back to Safe Mode? Or am I stuck with adding the unknown executable to the Trusted Programs list one by one? What’s the point of Training Mode if programs currently unknown in Comodo’s whitelist don’t get whitelisted locally (by having them automatically added to the Trusted Progrmas list)?

If I’m stuck having to manually trusting the programs not currently in Comodo’s whitelist, how do I get them into Comodo’s whitelist? For executables that I have to manually add to the Trust Programs list, I see no option to submit that file to Comodo.

You disabled Execution Control while running Training mode while it is integral part of Training mode:

Image Execution Control is an integral part of the Defense+ engine. If your Defense+ Security Level is set to ‘Training Mode’ or ‘Clean PC Mode’, then it is responsible for authenticating every executable image that is loaded into the memory.

Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safe list, then the executable is ‘unrecognized’ and you will receive an alert.

After running the adapted Training Mode you went back to Safe Mode with Image Execution enabled. Because you had Image Execution Control disabled none of the files were assessed and added either to Trusted Files or Unrecognised Files. Apparently Blueberry Flashback is not known and got sandboxed as soon as Image Execution was activated.

On a related side note. Do you have Automatically trust the files from the trusted installers and Show notifications for automatically sandboxed processes disabled?

What is your objective when you disable Image Execution Control in Training Mode and enable it back when going to Safe Mode?

If Training Mode is dependent on Execution Control then why aren’t those settings linked together? If I set one then the other should also set. If Training Mode is ineffective with Execution Control disabled then why would Comodo permit Training Mode to be enabled if Execution Control wasn’t set correctly? Do they giggle at us users pressing a disconnected cross-walk button thinking the light will change?