Emsisoft Anti-Malware is very focused on behavior blocking. Behavior blockers in general can't be tested with leak tests like the Zemana test for example. You could even argue that a detection of such tools by a behavior blocker is a false positive. While HIPS only care about whether or not a certain API was called or a certain action took place, behavior blockers care a lot about the circumstances and combinations of events.
From a behavior blocker's point of view the Zemana leak test is nothing like an actual keyloggers. To name just a few things:
- A keylogger is usually invisible to the user. It doesn't have any GUI or a tray icon. The Zemana leak test though does have a GUI to display what was logged.
- Keyloggers also usually install themselves in the system and make sure they run automatically during boot. This leak test on the other hand is just started by the user. It doesn't install itself and never adds itself to the autoruns.
- Just collecting what you type alone is not very useful. Keyloggers always have mechanisms that allow them to save what you typed or to send out what you typed through the network. Leak tests usually don't do that.
- Keylogger executables often "look" fishy. No icons, no version information, no digital signatures, usage of obfuscators and packers. Leak test executables on the other hand usually have a nice shiny icon, have proper version information and some leak test providers even signed their leak test.
So when a behavior blocker sees the Zemana leak test call the SetWindowsHookEx API for example to install a window message hook it will notice that the application has the capability of logging keys, but all other aspects of the application point toward it being legitimate and not a keylogger, so it may decide not to issue an alert about it just yet.