For those interested, there is additional information about this topic on Comodo forums.
https://www.youtube.com/watch?v=l50HNQYFD5Y
forums.comodo.com
A moderator's response:
"I only took a quick look at the source code and I can tell what the issue is. By default cis does not protect access to the service control manager defined as *\RPC Control\ntsvcs so you would need to add that path to the protected COM interfaces section. The source code also contains code that attempts to access the SCM via a named pipe so you can also add *\Device\NamedPipe\ntsvcs to the protected files section to cover the named pipe access.
With that said, there is a compatibility issue with windows UAC that prevents containment restriction levels being set to the desired restriction level for applications that require administrator rights. This means if you set the containment rule to use a restriction level higher than partially limited e.g. limited, restricted, or untrusted and you run an application that requests admin rights/elevation, then cis will lower the restriction level to partially limited. So you don’t get the protection provided by the higher restriction levels.
Therefore you need to completely disable UAC by setting the enableLUA registry value to 0. This is important to note as using SCM requires admin rights and setting UAC to never notify doesn’t actually disable UAC itself, as it just won’t pop up a UAC alert and will auto grant elevation to admin.
Edit: oh and there is yet another bug that affects cis on windows 11 with regards to using restriction levels. Whenever an application is executed by windows explorer, which happens when you use your mouse to run apps, the restrictions that are supposed to be applied don’t get set so you get tricked into a false sense of security."
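As an added check that is not part of the forum post, the PowerShell snippet below reads the two registry values that distinguish "UAC disabled" from "UAC set to never notify", which is the distinction the moderator draws above. The key and value names are the standard Windows policy locations; the snippet only reports the current state and changes nothing.

```powershell
# Added example (not from the forum post): report whether UAC is really
# disabled (EnableLUA = 0) or merely silenced (ConsentPromptBehaviorAdmin = 0,
# the "never notify" slider position, which still leaves UAC enabled).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# Missing values fall back to the Windows defaults: UAC on, prompt on secure desktop (5).
$enableLua = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
$consent   = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }

if ($enableLua -eq 0) {
    'UAC is fully disabled (EnableLUA = 0). Note: a change to EnableLUA only takes effect after a reboot.'
}
elseif ($consent -eq 0) {
    'UAC is still enabled but set to "never notify" (ConsentPromptBehaviorAdmin = 0): elevation is auto-granted without a prompt, and UAC itself is not off.'
}
else {
    "UAC is enabled with prompting (ConsentPromptBehaviorAdmin = $consent)."
}
```

Run it from an elevated or a standard PowerShell session; reading this key needs no special rights, so it is a quick way to confirm which of the two states the moderator describes a machine is actually in.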