Something that evolves firewall and CIS in general

The CIS 5.9.2 found and cleaned my PC pretty well from a rootkit. But what I am questioning is why the firewall did not prevent it from installing in the first place, and into my ROM? It turned my Kaspersky AV off but it did not harm Comodo, and then a blue screen came up. You have given us the opportunity, by the way, to have another AV on, which is very good, but it should be troubling that it did not mess with CIS (the rootkit, I mean).