And yes D+ will block programs from writing files to your hard drive, because it won’t let the program run in the first place unless deemed safe or allowed by your consent. However, from the video explanation here (around 7:05), when running programs in the sandbox, files will possibly be written to the disk, but there is no access to them (they can’t be run). And then next time you scan your PC, the AV will pick the files up and remove them.
But what if I allow a what seems to be “safe” program, and a hacker finds a exploit in it and is able to manipulate it into copying un-wanted files to my hard drives, theirs no way I can get comodo to stop that?
You would get an intrusion alert from the firewall because the hacker would need to connect to your PC in some way. And even if they were able to get through, you would get a D+ alert if something/someone tried to modify/access that “safe” program.