The % figures in the report do look valid, considering this extensive test was only done with 82 samples. It is more in line with a real-world environment than loading up a VM/junk PC with a pack of over 200 files.
If we consider the methods used:
Honey Pots
We have a number of Web honey pots deployed over the Web. Through these servers, we were able to detect access by
hackers to Web repositories where they deposit the malware they have acquired. We then visited these repositories and
were able to obtain the deposited files.
Google Search
We searched Google for specific patterns that yield references to small malware repositories. We then accessed these
repositories to obtain samples. We used distinguishable file names we have seen through our honey pot (see above) to
successfully find and collect more samples. Names like 1.exe or add-credit-facebook1.exe yielded good results.
Hacker Forums
We looked through hacker forums for references to copies of malware. Focus was Russian language forums (...)
It is a known fact that AV companies depend on several methods to keep up to date with new infections. However, the drawback is the time it will take to release an update to cover the infection in the database:
Methods used are, for example:
Cloud technology
Automatic data submission from the user system to its servers
Honeypots
Dedicated Malware Hunters
Heuristics to flag suspicious files
Submission of samples manually via the solution client
Now if the solution has a HIPS/BB for example, what is unknown in the actual database should trigger an alert which in turn communicates with the servers (in theory). But at the same time it should, technically speaking, stop the possible infection.
We then have at least one solution that uses the rollback feature. Such a feature monitors the process and if "eventually" found to be an infection, a scan is done (considering default settings) and it should roll back to the point prior to that specific infection. Unfortunately, such an approach is more problematic than a HIPS/BB component.
There are flaws as well in HIPS/BB/specific methods of protection, for example: too many alerts and the users will simply ditch the solution. How do companies overcome such an issue? Make it more silent and automated. Unfortunately that comes with a price: incorrect automatic decisions can be made. An example is BitDefender's Auto Pilot mode. Others choose to enable such a component on default settings and then tend to forget it exists or that it has flaws, for example ESET's famous default HIPS settings (automatic mode) as well as the flaw in the Interactive mode (Interactive mode: follow the rules. If there is no rule for such an action, the user will get a pop-up to answer (allow, deny and learn rule). If the user fails to answer the pop-up dialog after a specific time, the action will be allowed).
AV solution vendors should focus more on the deployment and tuning of zero-day protection first (HIPS/BB/Heuristics). This unfortunately has not been seen on at least 3 vendors over the course of 2 versions:
*ESET: Since the introduction of version 5, only in the 2nd or 3rd patch did they include the one and only HIPS rule: Load system drivers. Nothing has been done in that component since, including in version 6 which has been recently released and still keeps the Automatic mode on (Follow the rules. If there is no rule for such an action, it automatically allows its operation.).
*avast!: Since version 7, Behavior Shield is set to Auto Decide, yet it seems non-existent. Auto Sandbox was changed from Ask to Auto Decide, yet if an infection is not known to avast!, it will allow the user to run it again outside the sandbox. Behavior Shield is also required for Script Shield (another protection module) but no mention is made that disabling Behavior Shield will "break" Script Shield.
*AVG: Since version 2012, its Behavior Blocker (Identity Protection) has improved but still causes false positives which in turn make the actual AV solution crash occasionally upon removal. It is to be noted that although improvements have been made since then, it still happens.
*Panda Cloud AV: Although it contains a behavioural analysis protection module, it doesn't fully intercept infections (prime example, the system I recently had to clean: it partially intercepted 2 fake AVs but the system still got infected).
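The HIPS decision logic the post describes (Automatic mode: no matching rule means allow; Interactive mode: no matching rule means a pop-up, and an unanswered pop-up means allow) is a fail-open default. The following is an added example, not code from the post or from ESET or any vendor: a small Python model of those two modes next to a fail-closed variant, run over a constructed rule set with a single "load system drivers" rule and a few constructed events. Every rule, path and process name in it is an assumption made for illustration.

```python
"""Model of the HIPS decision modes discussed in the post (constructed example).

Modes:
  automatic               no matching rule -> allow silently
  interactive-fail-open   no matching rule -> prompt; unanswered prompt -> allow
  interactive-fail-closed no matching rule -> prompt; unanswered prompt -> deny
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Rule:
    action: str    # operation type, e.g. "load_driver"
    target: str    # prefix of the target the rule covers
    verdict: str   # ALLOW or DENY


@dataclass(frozen=True)
class Event:
    process: str
    action: str
    target: str


# Hypothetical default rule set: one rule only, mirroring the post's remark
# that a single "load system drivers" rule shipped by default.
DEFAULT_RULES: List[Rule] = [
    Rule("load_driver", "C:\\Windows\\System32\\drivers\\", ALLOW),
]

# Constructed sample events, not real telemetry. "1.exe" is the file name
# the quoted report mentions; the paths and registry key are assumptions.
SAMPLE_EVENTS: List[Event] = [
    Event("svchost.exe", "load_driver", "C:\\Windows\\System32\\drivers\\tcpip.sys"),
    Event("1.exe", "load_driver", "C:\\Users\\victim\\AppData\\Local\\Temp\\x.sys"),
    Event("1.exe", "write_file", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    Event("1.exe", "set_autorun", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]

Prompt = Callable[[Event], Optional[str]]  # returns ALLOW/DENY, or None if unanswered


def find_rule(rules: List[Rule], event: Event) -> Optional[Rule]:
    """First rule whose action matches and whose target prefix covers the event."""
    for r in rules:
        if r.action == event.action and event.target.startswith(r.target):
            return r
    return None


def decide(rules: List[Rule], event: Event, mode: str, prompt: Prompt) -> Tuple[str, str]:
    """Return (verdict, reason) for one event under the given mode."""
    rule = find_rule(rules, event)
    if rule is not None:
        return rule.verdict, "rule"
    if mode == "automatic":
        return ALLOW, "no-rule-auto"          # silent allow: the post's complaint
    if mode not in ("interactive-fail-open", "interactive-fail-closed"):
        raise ValueError(f"unknown mode {mode!r}")
    answer = prompt(event)
    if answer is not None:
        return answer, "user"
    if mode == "interactive-fail-open":
        return ALLOW, "timeout-allow"         # unanswered pop-up allows the action
    return DENY, "timeout-deny"               # fail-closed variant


def evaluate(rules: List[Rule], events: List[Event], mode: str,
             prompt: Prompt) -> Dict[Event, Tuple[str, str]]:
    return {e: decide(rules, e, mode, prompt) for e in events}


def unanswered(event: Event) -> Optional[str]:
    """Simulates a user who never answers the pop-up."""
    return None


def allowed_without_rule(results: Dict[Event, Tuple[str, str]]) -> int:
    """Count events that were allowed although no rule covered them."""
    return sum(1 for verdict, why in results.values() if verdict == ALLOW and why != "rule")


if __name__ == "__main__":
    for mode in ("automatic", "interactive-fail-open", "interactive-fail-closed"):
        res = evaluate(DEFAULT_RULES, SAMPLE_EVENTS, mode, unanswered)
        print(f"{mode:24s} allowed without a rule: {allowed_without_rule(res)}")
```

With the single default rule, only the system driver load is actually covered; the other three constructed events fall through, and whether they are allowed depends entirely on the mode's default. The fail-closed variant is the only one that turns an unanswered prompt into a deny.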