CIS no longer detects shellcode injections from buffer overflow exploits; that setting is only used to add application exclusions that you don’t want CIS to load the guard.dll into.
When guard32/guard64 is not loaded into an application, HIPS and containment effectiveness is reduced for that application. For instance, if you add a keylogger to the shellcode injection exclusion, you won’t get direct keyboard access HIPS alerts to block keylogging attempts.
Regarding the PoC, it doesn’t matter whether the guard DLL is loaded into the executable, because CIS does not monitor access to the Service Control Manager by default.
For this one, don’t think so much about settings for Comodo, but more about drivers and affiliated services; also, things have to be in place prior to the trigger being pulled, which is a great deal more problematic for the malware.
Better yet, don’t waste time obsessing over this at all, as it is less than meets the eye.
If that setting is only used to add application exclusions that you don’t want CIS to load the guard.dll into, then isn’t your response “What is there to fix when the shellcode detection setting was disabled…” for the PoC incorrect?
To be clear, did you add *\Device\NamedPipe\ntsvcs to the protected files or to protected COM interfaces? Named pipes should be added to protected files. HIPS can block access to named pipes, so it should also be blocked in containment; at least it did on Windows 7. If it doesn’t work on Windows 11, then it is another compatibility issue that shows CIS is not fully functional or compatible on Windows 11.
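The post above describes adding the *\Device\NamedPipe\ntsvcs path to Protected Files so that HIPS (and, by extension, containment) blocks opening that pipe. The script below is an added example, not code from the thread or from Comodo, that lets you check the rule from the affected side: it tries to open a named pipe as a client and reports whether the open succeeded, was denied, or timed out. Run it once as a normal process and once from inside containment and compare the two outcomes. The function name, parameter names and messages are this example's own choices; the only real identifier taken from the thread is the ntsvcs pipe name.

```powershell
# Added example (not from the thread): probe whether the current process can
# open a Windows named pipe, to verify that a HIPS/containment rule on
# \Device\NamedPipe\<name> is actually enforced. Function and parameter names
# are hypothetical, chosen for this example.

function Test-NamedPipeAccess {
    [CmdletBinding()]
    param(
        # Pipe name without the \\.\pipe\ prefix; 'ntsvcs' is the SCM RPC endpoint
        # mentioned in the thread.
        [Parameter(Mandatory)] [string] $PipeName,
        [int] $TimeoutMs = 2000
    )

    $result = [ordered]@{
        Pipe    = "\\.\pipe\$PipeName"
        Opened  = $false
        Outcome = ''
    }

    $client = $null
    try {
        # Connect() performs the CreateFile on \Device\NamedPipe\<name>, which is
        # the operation a Protected Files rule on that path should intercept.
        $client = [System.IO.Pipes.NamedPipeClientStream]::new(
            '.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
        $client.Connect($TimeoutMs)
        $result.Opened  = $true
        $result.Outcome = 'Handle obtained: nothing blocked the open.'
    }
    catch [System.UnauthorizedAccessException] {
        # ERROR_ACCESS_DENIED is how a HIPS/containment block (or the pipe ACL)
        # surfaces to the caller.
        $result.Outcome = 'Access denied: a HIPS/containment rule or the pipe ACL blocked the open.'
    }
    catch [System.TimeoutException] {
        # .NET retries while the pipe is missing or busy, then gives up.
        $result.Outcome = 'Timed out: no pipe with that name accepted a connection within the timeout.'
    }
    catch [System.IO.IOException] {
        $result.Outcome = "I/O error: $($_.Exception.Message)"
    }
    catch {
        $result.Outcome = "Unexpected error: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    }
    finally {
        if ($client) { $client.Dispose() }
    }

    [pscustomobject]$result
}

# Usage: probe the SCM pipe from the thread, plus a name that does not exist
# so the timeout path is visible for comparison.
Test-NamedPipeAccess -PipeName 'ntsvcs'
Test-NamedPipeAccess -PipeName 'this-pipe-does-not-exist'
```

With a working rule, the ntsvcs probe should report "Access denied" (or trigger a HIPS alert) when run from inside containment, and "Handle obtained" when run unrestricted. This only exercises the named-pipe open itself; it says nothing about other routes a process may have to the Service Control Manager, which the earlier post notes CIS does not monitor by default.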