CIS only trusts certificates of companies that have been vetted by Comodo.
That would make an interesting hardening.
The Xcitium client, CIS professional brother, keeps an eye on loading of .dll files and it would with default settings not allow loading of unsigned .dll files by allowed applications. That caused too many false positives because lots of legit applications will load their own unsigned .dll files. Hence the default in Xcitium was changed.
Decimatech unearthed an old comment from egemen (the original developer of CIS) commenting on dll loading: