There is a lot of confusion regarding how CIS behaves when a file is updated (modified\changed). I think what is most confusing is that alerts and auto-sandboxing occurs for what the user knows to be a Trusted file. They do not expect CIS to treat Trusted files in such a manner - and - think this is a random, out-of-the-blue quirk\bug. It is not; CIS is working as intended.
When any Trusted file is updated (modified), then CIS will change the rating to Unrecognized - and consequently -...
Explanation of How CIS Handles File Updates (Modification)
When any Trusted file is updated (modified), then CIS will change the rating to Unrecognized - and consequently -...
Explanation of How CIS Handles File Updates (Modification)