With D+ in Safe Mode, and Image Execution set to Normal with executable group added, I cannot get CIS to block Screen Capture Test #4. AntiTest will succeed on that one test every time. Sandbox being enabled for Unknown applications or not makes no difference; the test #4 still succeeds.
Initially I found it in "pending files" even though I'm not in Clean PC mode, so there shouldn't have been any "pending" files.

Perhaps tied to Sandbox being enabled for unknown apps? Not sure.
D+ Logs showed it was attempting to access the following key at the time of the Screenshot Test #4:
HKLM\Software\Classes\CLSID\{A943AF2F-972A-F1C0-0979-ACA3499C5FF5}
So I added HKLM\Software\Classes\CLSID\* to my protected registry files in D+. Then it tried to send a message to CIS, which I chose to block. The test still succeeded.
I even created a D+ rule for the exe, with every Access Right set to Block by default. It still failed Screenshot Test #4.
Thus I concluded that something the app is doing when first launched must allow it to later capture the screen for test #4. Since CIS was not giving any initial popups when I executed it, I set Image Execution to Paranoid, as ss1ctm mentioned. That allowed me to see that it was attempting to access every DLL running on the system, it not only went through the whole list, it tried a few of them twice, even from applications completely unrelated to system operations; it was obviously "looking" for a foot-hold. Without those it couldn't launch or run at all.
All other tests CIS was able to intercept and block when I selected that option, even without Aggressive mode on Image Execution.
To Comodo Devs: Going back a ways, CFP v2.x had settings for DLL injection, which was massively annoying for all users..

Is there some way for CIS to check for that w/o having to be "Aggressive" where we're given an option to Block (or Allow) all DLL injection for an application (rather than having to respond to 50+ popups)? So kind of like one of the Access Rights settings...
LM