I did this test to prove and make a point to Aigle. I had to shut off my trusty NOD32 to run this test but D+ kicked in and did its job by alerting me twice. Once for the explorer.exe alert and the other one about trying to modify a file. Screenshots don't lie.
to be honest, i'm not sure what point this proves, except that Defense+ stopped the execution of the file. aigle's screenshots show eqsecure detecting the installation or loading of drivers from the trojan. this behavior-based blocking is completely different from not letting a file run at all. after all, the point is not to stop anything from running, but to know that something exhibits dangerous behavior when it is inadvertently allowed to run. the screenshots don't lie, but they also don't say much.

your second set of screenshots shows an attempt to "modify a protected file or directory", just like the second screenshot in your first set of screenshots. but doesn't modifying a directory just mean writing a file to it, deleting a file in it, or changing a file already in it? all these actions are completely different than allowing a driver to be loaded.
i can sense a lot of tension in this debate, but there need not be any. the real argument is not whether comodo+ can stop this trojan (it can easily by stopping it from running), but whether it can prevent the loading of the trojan's driver(s) IF allowed to run. all we have to do now is await Melih's response (or a response from someone who has done this test).
