
Unfortunately, the community doesn't have access to their malware sample hashes; however, we can read AV-C's and AV-T's methodology, and you are right.

I cannot agree with you.


Level 3 is responsible for non-signature protection, because at this level the sample is always running. Before that, the malware has a chance to be detected, because it sits on the system for about 60 seconds.


Furthermore, "Level 3" is marked in our testing database with the correct detection technology based on the IoC, e.g. Comodo IS:


Comodo Internet Security:

Antivirus indicators                               Description
C:\ProgramData\Comodo\Cis\Quarantine\*             Malware was quarantined
C:\VTRoot\*                                        Virus was run in a sandbox
C:\ProgramData\Comodo\Firewall Pro\cislogs.sdb     Information on an event in the firewall
HKLM\SYSTEM\VirtualRoot\*                          Information on running in a sandbox


The key is the "Quarantine path" (Level 2) and, as Level 3 (a non-quarantine event), C:\VTRoot and HKLM\SYSTEM\VirtualRoot\* in the Sysmon log view. To capture such indicators you have to manually create an XML configuration and import it into Sysmon. It is very important to set the Sysmon driver's altitude lower than the AV drivers'. Please read the updated methodology on how to do that: Methods of carrying out automatic tests - AVLab.pl


So, Level 2 is when the malware is captured into quarantine (before running!): the system level, i.e. a virus has been downloaded, but it hasn't been allowed to run.


Level 3 is after the point at which signatures can be used: we can see it in the detection logs of e.g. the firewall (cislogs.sdb) or the auto-sandbox (C:\VTRoot\*, HKLM\SYSTEM\VirtualRoot\*). These two IoC show that the malware was blocked by modern protection.


It is very similar for other security products, with different IoC.


Indeed, we can be more transparent (thanks for the idea!) and add all the IoC to the results table.


I hope, everything is clearer now :)


Take a look at the March 1 database dump: Comodo stopped Level 2 malware in quarantine.


And another screenshot: malware stopped by the auto-sandbox (Level 3).

