If I understand correctly they use samples that none of the AV's have added and then run an On Demand scan to see which one finds the most samples right? I just wish someone had a test to see which AV protects best in RealTime.

iirc, in the retrospective test, the AVs are tested with 3-month old signatures.

its not really practical to test 1 million+ samples against real-time protection. Some AVs also use heuristics/sandbox only after execution so it could be unfair to some vendors.

It's written in test methodology. Only file scanner heuristics are used. Behavior analyzers are usualy tested separatelly (like Kaspersky PDM).