You can check this video:
It looks like the bypass is possible if HIPS is OFF, especially if the malware uses a trusted process to perform its actions.
Then, there are a lot of settings that can affect the issue:
- Proactive security configuration (HIPS is turned ON by default) is better than Internet security configuration (which is the default configuration when you install CIS)
- Custom ruleset for the FW is better than safe mode because you can get an alert for outgoing traffic even for trusted apps
- Viruscope can be set to monitor not only sandboxed files, but every file (this way you can get control over trusted apps too)