My response here is not meant to be specific to Emsisoft only, but instead a reply to the general attitude regarding security software at-large - and these lab test reports.
Honestly, I don't see your metric for compromise rate as accurate.
The metric is exactly as AV-C reported it based upon the cumulative testing it performed. I didn't make it up out of nowhere. 3 compromises out of 1955 files. Read the AV-C test methodology.
A user-required action is not a block. Sometimes I see posts on the Malware Hub and it seems that the testers count a user-dependent window as a block (which implied that the system was protected). I can't agree with that! You cannot expect the user to always block the threat.
The test lab does not consider user decisions to be a fail. That's a generally accepted industry practice.
When an alert appears, and the file is prevented from proceeding any further, the system is protected. When in doubt, use the recommended action and quarantine. Nothing is permanently broken.
But in a real life scenario, the user might not have enough information to decide for the block.
When in doubt block and then investigate. This is not difficult and it isn't unrealistic to expect a user to do so. "Better safe than sorry" habits are good habits. In time, a user learns the product and becomes more self-reliant.
The vast majority of users don't avail themselves of the IT security learning resources that security soft publishers make available. And whose fault is that - the publisher's?
A user should not automatically have doubts that a file downloaded from a website with a good reputation is suspect when a behavior blocker alert appears. That's like constantly worrying that Windows Updates might be malicious. The real problem is that some users expect a security soft to inspect and tell them every single file is safe - without the user bearing any responsibility in using common sense within the context of what they are doing on the system at the time an alert appears.
This is not ideal, since an AV is not supposed to be a Default-Deny solution.
A behavior blocker alert is not default-deny. A legitimately safe file triggering a behavior blocker alert does not make it default-deny. If you know that a bunch of softs that you use trigger behavior blocker alerts, then you can get them whitelisted and/or make exclusions for them in the product. This is not difficult.
So, what happens is that if an antivirus displays too many alerts, the user may start to question the effectiveness of the AV.
I have personal experience with Emsisoft. I use quite a bit of utilities that generate behavior blocker alerts. Within the context of what I am doing on the system and what is triggering the behavior blocker, it is fairly obvious. I mean it should be common sense for anyone who has used security softs for a while. For example, I run a Dell driver update utility. Every time it is run, it triggers an AMN query and behavior blocker alert. It's common sense that it is safe to always Allow. And if the alert is expanded, the AMN Safe rating is clearly shown. So there is no great mystery nor burden required of the user.
The type of users to which you seem to be referring are those people that are so oblivious and ignorant of IT matters that no matter what security soft is installed there are sure to be issues. The industry cannot do anything about those types of users. And the industry cannot fool-proof software. With the current state of technology, the user is expected - and really has no choice - but to learn as they go. Until Skynet comes along, this fact is not going to change. You have to remember, organizations with billions upon billions of dollars at their disposal who have poured billions and billions of dollars into improving IT security have been unable to accomplish what some users want and expect with the current state of technology. If it were that easy, then the industry would have accomplished it long ago.
It seems to me that there is only a small minority of people that complain, because what they unrealistically want and expect is a solution that is fully automatic with 100 % detection under all circumstances, never requires any user decision-making, 0.1 % system resource usage, and 100 % compatibility. It doesn't work that way. It is the same old complaints that have been around forever - some users automatically blame a security soft because they don't know what they're doing instead of putting a little bit of effort into actually paying attention and attempting to learn.
False positives are blown out of proportion unless they get out of hand. Out of approximately 2000 files, a false positive rate of 1.5 % or less is reasonable.