CIS allows users to do such things but unknown programs are not allowed to do this.
In simpler terms (hopefully not too simplied), Why would comodo stop it? There's no point in creating self-defence methods to stop a user on your computer from doing that, that would just add useless bloat to it.
To prove a point
Here's an example to try
Go download and install kaspersky or avast
Now go in the options and disable self defense on it and then click apply. It may ask again. if so do it
Now go ruin the AV software now.
Is your goal to control what people do on your computer?? I'm just trying to figure what your goals or what you would like to do.
A good product comparison on malware being able to manipulating the system http://www.matousec.com/projects/proactive-security-challenge-64/results.php?track=1716
also about on there testing methodology a good quote from the same site
Every test has a defined type. Tests of the same type usually attempt to achieve the same goal. Here is a list of the defined types and their goals:
Leak-test: Leak-tests attempt to send data to the Internet server, this is called leaking. Most of the leak-tests from Security Software Testing Suite 64 are configured to use a script on our website that logs leaks to our database by default. For such tests, you can use the My leaks page to see whether the test was able to transmit the data. For leak-tests that do not use this script, we use a packet sniffer in unclear situations. In order to pass many leak-tests, the tested product has to implement various host protection features.
Spying test: These tests attempt to spy on users' input or data. Keyloggers and packet sniffers are typical examples of spying tests. Every piece of the data they obtain is searched for a pattern, which is defined in the configuration file. These tests usually succeed if the given pattern has been found.
Autorun test: These tests attempt to install themselves to the system in order to ensure they will be started again. The most common goal of autorun tests is to survive the reboot. Such a system infection is typical for almost all kinds of malware. The tested product fails the autorun test if the test is able to ensure that it, or its part, code, or action, will be started in the future again.
Self-defense test: This category of tests include various attacks against the security product itself. Termination tests are the first subtype of tests that belongs in this category. These tests attempt to terminate or somehow damage processes of the tested product or their parts. The termination test usually succeeds if at least one of the target processes, or at least one of their parts, was terminated or damaged. Besides processes and threads, the security software usually relies on various files and registry entries. Tests that attempt to remove, destroy or corrupt these critical objects for the security product also belong to this category.
Other: Tests that do not fit any of the previously defined types are of this type. For example, tests that maliciously modify the system can be found in this category.
The types of tests are defined for information purposes only. They do not determine the process of evaluation of whether the test was passed or failed. Each test implements one or more attacking techniques that can be used for various malicious purposes. A test implemented as a leak-test may use a more general technique that can be used to permanently infect the system. A tested product may be able to block the leak-testing part of the test and it still may fail the test because the core technique of the test may be usable for a different malicious purpose. It happens quite often that we use modified version of tests in order to check whether the tested product really protects against the specific attacking technique of the test or is just able to prevent the current test's implementation from succeeding.