Why does Comodo IS detect a file as malicious only after I run it?

Discussion in 'other anti-virus software' started by flik, May 21, 2010.

Thread Status:
Not open for further replies.
  1. flik

    flik Registered Member

    Joined:
    May 21, 2006
    Posts:
    49
    Hi, I decided to try ComodoIS v4 and I found it very good. So I downloaded a trojan to test the sandbox. Comodo antivirus did not detect the file when I downloaded it, nor when I scanned it. But when I ran it, just after the sandbox alert, a window came up showing that Comodo antivirus had detected it as a trojan.
    Does Comodo scan further when the file is being executed?
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Probably because it's on stateful config?

    Try changing the AV to On Access and see :rolleyes:
     
  3. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Maybe because it's unable to unpack/decrypt the .exe and finds the signature when the file gets decrypted at runtime.
     
  4. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Can you post a screenshot of the detection popup? I'd say it's an in-memory detection (like BOClean used to work). There is certain malware that only gets detected at runtime...
     
  5. flik

    flik Registered Member

    Joined:
    May 21, 2006
    Posts:
    49
    I think that it's a classic detection popup.
    Unfortunately now it detects it when I download it, although I haven't changed it from the stateful to the on-access setting.
    But yesterday I repeated it more than 15 times. I was downloading it without an alert, and I was scanning it with right click -> scan with Comodo and it wasn't finding anything. Only after I ran it.
    I think that it's not about stateful or on-access. Maybe risl is correct, but I don't know how exactly Comodo works.
     
  6. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Hi, it might be the memory scanner (BoClean) which is detecting the trojan.
     