this may be the design of DXL. There is a difference if an endpoint executes a file or you upload the file to ATD manually. I think there is also a knowledge base article available which describes this behavior.
Also, it ATD or MWG are detecting "no malicious behavior" the file is NOT published clean in TIE. This is also made by design, because ATD/MWG cannot guarantee a file is clean even there was no detection.
Yes you are correct but in this case:
a) If we UPLOAD the File via GUI or PYTHON (API) scripts to the ATD *AND* the TIE has NOT run the file then we get the  EMPTY ENTRYS in TIE
b) In my post mentioned files where run by the CLIENTS and then sent to the ATD. The ATD does rate it "Most Likely Trusted" but still the before mentioned stays "UNKNOWN" for some EXE Files.
c) With all DLL for point (b) this is by design but the EXE should change. We have some which change and some not.
Today, after i have aproved manual as trsuted those around 15 EXE which where run a on the client sent to ATD and found "Most Likely Trusted" but DID STAY at level 50 back in TIE are gone.
But this may only be because we don't have any new files which firinti that scheme/behaviour.
Did not do any updates on any component since then,
Does this only happen if a file is known trusted by GTI??
It looks like the TIE CONTENT Update from 20.10.2016 does FIX some things in that direction:
Does anybody see a "State" observed? I don't. With this product being so extreme difficult to understand maybe get the "terms" right.