Serious issue with SONAR - NIS2011

I tested NIS 2011 (NIS-TW-30-18-1-0-37-EN.exe) against a variety of zero-day malware. NIS performed exceptionally well, with one strange exception:

keygen.exe (I can provide further details on request, MD5 is ff08b3b2c0ef6c7119a9311873db6777).

Download Insight did not run automatically for this file (no pop-up), and Sonar does not block it (only subsequent malware that is downloaded once the malware is active, yet some is undetected). However, when several users tried to replicate this, Sonar completely blocked keygen.exe for them from the beginning. I quickly made another cleanly formatted test PC (Win 7 32 bit, no VM, no sandboxing) and tested again - still Sonar did not block the threat. Why not? Default settings were used, and I tried all aggressive too.

Now today the file was blacklisted through signatures - but I am still worried - how can Sonar detect on one PC, and not on another?! Is Download Insight not working properly for this file, and does Sonar use Download Insight information?

Full info here:

A user whose keygen.exe is successfully blocked by Sonar: http://www.wilderssecurity.com/showpost.php?p=1738970&postcount=113, and another: http://www.wilderssecurity.com/showpost.php?p=1739397&postcount=136, http://www.wilderssecurity.com/showpost.php?p=1739425&postcount=143

Mine: http://www.wilderssecurity.com/showpost.php?p=1739381&postcount=133

http://www.wilderssecurity.com/showpost.php?p=1739399&postcount=137

This is very strange.