CIS6 and MBR protection

MBR rootkits seem on the rage. How would the new CIS 6 with Proactive settings and fully sandboxed-virtualised react to a Zeroaccess or TDSS rootkit attack?
In other words, is the MBR protected from these attacks by CIS or do we have to add some other specialised program?

Hello! From what I know CIS does protect the MBR. You don’t need to add anything else. If I’m wrong can anyone please correct me? Thank you.

As far as I know nothing should be able to bypass it and infect the MBR. Can someone please correct me if I’m wrong as well?