Hi,

Please at least quit Comodo before testing. "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" is a common registry key that many programs modify before connecting to the network. By default WVSX will prevent IE from spawning a PowerShell process, but I can't see this in your screenshots. Maybe Comodo interfered with it?

Poweliks is six-year-old malware; we haven't tested the malware yet. According to your screenshot, it appears that the malware was blocked by memory scanning in the first place. From https://www.trendmicro.com/en_us/research/14/h/poweliks-malware-hides-in-windows-registry.html we know Poweliks will create an autorun key and inject a DLL into other system processes. Honestly, I don't believe it can bypass WVSX, since WVSX will not allow PowerShell to perform the above actions.

Please quit Comodo and then test again. You need to check whether the malware has successfully created the autorun entry or injected into other system processes. Some virus cleaners hunt for a specific mutex in the system to check whether the specific malware is installed. However, the mutex may not get released after the malware has been stopped by WVSX.

You can download a test file here: https://www.wisevector.com/test.zip You can double-click it in your VM to see whether WVSX's behavior blocker works normally or not. Thanks.