Please see my existing discussion at:
https://forums.comodo.com/empty-t20715.0.html
From looking at some nasty pests and when they load, it appears they start before Comodo’s firewall is even considered to start during Windows startup. That is, and as examples, programs listed in the BootExecute and WinLogon event registry keys are loaded before CFP is started. That means there is a window of opportunity in malware (or even with goodware but which you want to restrict network connects or access rights) to run before CFP could block it. The firewall can’t block the connect because the firewall hasn’t even started loading yet (although I mention a possible technique in the other thread to kill networking until the firewall has fully loaded). The HIPS function cannot restrict access rights to the program because CFP hasn’t been loaded yet.
I’ve used other firewalls that had an option to disable networking until the firewall program got loaded; i.e., they provided boot-time protection. CFP doesn’t seem that have that level of protection or it is not documented. For HIPS, CFP cannot restrict access rights to anything until it loads, and since CFP loads as an NT service then it loads too late to control boot-time programs.