By the way, at page 20 they wrote
The exception of this rule is also Comodo software, which has implemented a local sandbox mechanism and unknown files scanning in the cloud, both ensuring that running unknown applications and scripts (.ps1, wscript.exe, .vba, .cmd, .bat, cmd.exe, .pl, .pdf, powershell.exe and others) won't access a network so they won't do any serious damage to the system
They tested CCAV v1.10, while the option to block internet connections to sandboxed apps was introduced in v1.11.
So, I think that CCAV v1.11 or later will get at least the same results of CIS