What to Know Before Choosing a Malware Analysis Environment

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
In the case of MBR/VBR, I'm just not sure if an HD backup with a program that also backs up the MBR would be enough / really copy the whole MBR or just parts of it / partition info... Does anybody know this? ;)
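An added example (not part of the thread) that makes the question concrete: an MBR is one 512-byte sector holding 446 bytes of bootstrap code, a 64-byte partition table and the 0x55AA signature. A backup that only records partition information preserves the table but not the bootstrap code, which is exactly the part a bootkit overwrites. The script builds a synthetic MBR, parses it, and compares a whole-sector copy against a partition-table-only copy. All bytes, function names and the "partition-table-only backup" behaviour are constructed for illustration and do not describe any specific backup product.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446               # bytes 0-445: bootstrap code (where a bootkit would live)
PARTITION_TABLE_OFFSET = 446       # bytes 446-509: four 16-byte partition entries
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Construct a synthetic MBR: fake bootstrap bytes, one active NTFS partition, signature.
    Constructed data, not read from a real disk."""
    boot_code = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 11).ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte sector into bootstrap code, partition table and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:          # empty slot
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        # hash of the bootstrap code is the baseline to compare later reads against
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partition_table": mbr[PARTITION_TABLE_OFFSET:510],
        "partitions": partitions,
    }


def partition_table_only_backup(mbr: bytes) -> bytes:
    """Model a backup that records partition info but not the bootstrap code
    (constructed behaviour for illustration, not any particular product)."""
    return b"\x00" * BOOT_CODE_SIZE + mbr[BOOT_CODE_SIZE:]


def compare_with_backup(original: bytes, backup: bytes) -> dict:
    """Tell 'partition layout preserved' apart from 'whole sector preserved'."""
    a, b = parse_mbr(original), parse_mbr(backup)
    return {
        "partition_table_matches": a["partition_table"] == b["partition_table"],
        "boot_code_matches": a["boot_code_sha256"] == b["boot_code_sha256"],
        "full_sector_matches": original == backup,
    }


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print(parse_mbr(mbr)["partitions"])
    print(compare_with_backup(mbr, mbr))
    print(compare_with_backup(mbr, partition_table_only_backup(mbr)))
```

The second comparison reports the partition table as intact while the bootstrap code differs, which is the difference the question is about. Keeping the SHA-256 of the first 446 bytes from a known-good full-sector backup also gives a simple integrity check: re-read the sector later and compare the hash to spot a modified bootstrap region.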

vemn

Level 6
Thread author
Verified
Malware Hunter
Well-known
Feb 11, 2017
264
I still don't understand what you mean, but I will try to guess...

1. AV software incorporates both static and dynamic identification methods usually; static analysis can include checksum hash detection and the static heuristics (generic detection through bytes in the PE compared to a database for byte detection, scanning of the Import Address Table, checking the PE File Header for suspicious characteristics, etc.), whereas the dynamic analysis can include logging the behavior of the running sample to catch out suspicious/malicious behavior to help it determine whether it should block the sample or not.

Static = without execution (so on disk "as-is")
Dynamic = during execution

2. AV software can detect if a program is going to check for signs of a virtual environment through byte detection, as long as the sample is naked (e.g. no packing/obfuscation, otherwise that would be bypassed). However, this would cause FPs since some genuine software does this too. It can also do it dynamically, although it seems the vendors don't bother checking this dynamically...

Maybe that helped?

Always impressed with your knowledge.
Thumbs up!
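An added example, not code from the thread, that runs through the two points quoted above: a static pass (hash lookup plus byte-pattern matching on the file as it sits on disk) and a dynamic pass (a rule over what the running process did). The constructed inputs show the three outcomes described: a naked sample hits both the hash and a VM-check pattern, a benign VM-tool installer hits the same pattern (the false positive), and a trivially packed copy of the malicious sample hits nothing statically, which is why a behavioural rule is needed. The signatures, sample bytes, event names and the XOR "packer" are all constructed for illustration.

```python
import hashlib

# Byte patterns that appear in code looking for a hypervisor. Constructed for
# illustration; a real engine ships a database of such patterns.
VM_CHECK_SIGNATURES = {
    "vmware_vendor_id": b"VMwareVMware",
    "vbox_guest_driver": b"VBoxGuest",
}

# Constructed stand-ins for files on disk; none of these are real programs.
MALICIOUS_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"VMwareVMware" + b"\x00" * 20 + b"payload"
BENIGN_VM_TOOL = b"MZ\x90\x00" + b"\x00" * 60 + b"VBoxGuest" + b"\x00" * 20 + b"installer"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def static_scan(sample: bytes, known_bad_hashes: set) -> dict:
    """Static side: checksum lookup and byte-pattern matching without executing anything."""
    hits = [name for name, pattern in VM_CHECK_SIGNATURES.items() if pattern in sample]
    return {"hash_match": sha256_hex(sample) in known_bad_hashes, "signature_hits": hits}


def xor_pack(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a packer: the on-disk bytes no longer contain the patterns until
    a stub decodes them in memory. Constructed, not a real packer; applying it twice
    restores the original."""
    return bytes(b ^ key for b in data)


def dynamic_scan(events: list) -> dict:
    """Dynamic side: judge the process by its logged behaviour, not its bytes.
    Constructed rule: querying hypervisor artefacts and then exiting at once looks like
    sandbox evasion; querying them and carrying on normally is what a VM tool does."""
    try:
        idx = events.index("query_hypervisor")
    except ValueError:
        return {"verdict": "clean", "reason": "no VM checks observed"}
    following = events[idx + 1:]
    if following[:1] == ["process_exit"]:
        return {"verdict": "suspicious", "reason": "exited immediately after VM check"}
    return {"verdict": "clean", "reason": "VM check followed by ordinary activity"}


if __name__ == "__main__":
    known_bad = {sha256_hex(MALICIOUS_SAMPLE)}
    print("naked malicious:", static_scan(MALICIOUS_SAMPLE, known_bad))
    print("benign VM tool: ", static_scan(BENIGN_VM_TOOL, known_bad))
    print("packed malicious:", static_scan(xor_pack(MALICIOUS_SAMPLE), known_bad))
    print("behaviour A:", dynamic_scan(["query_hypervisor", "process_exit"]))
    print("behaviour B:", dynamic_scan(["query_hypervisor", "create_file", "process_exit"]))
```

The packed copy defeats both the hash and the pattern match because a single changed byte alters the checksum and the patterns only exist in memory after unpacking; the benign installer shows why a VM-check pattern on its own cannot be a block decision. The behavioural rule is deliberately narrow (VM query immediately followed by exit) to keep the installer case clean.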
