What would be the logic? a) On whitelist (check trusted vendors list) in behavioral blocker: ALLOW b) ELSE, on blacklist (check in the cloud for known bad):BLOCK c) ELSE, on greylist: SANDBOX unknown (and upload to Valkyre)? When greylisted software turns out to be safe after analysis, how would they promote software in the sandbox to the real system? There must be a local hash based whitelist to learn from its user base? so logic would be a) Check trusted vendors list (in behavioral blocker): ALLOW b) ELSE: check the local hash whitelist: ALLOW c) ELSE: check the cloud whitelist: ALLOW and add to the local hash based whitelist\ d) ELSE: check the cloud blacklist: BLOCK e) ELSE: SANDBOX unknown (and upload to Valkyre)?