This thread is becoming quite bloated but that only demonstrates that topics like this are popular here. Which is a good thing.
While we appreciate the suggestions, we still somewhat believe that we're reasonably competent to design the protection features on our own. That is, while we value your feedback, we see that a lot of the stuff discussed here isn't really applicable because internally, things work a little bit differently - or we just doubt that the outcome of implementing these changes would be good.
Anyway, maybe it's a good time now to share some of the upcoming avast product plans with you (at least those changes relevant to this thread).
Avast 5.1, due next month, will not really have any meaningful differences besides improved malware removal/cleaning (I mean, it will have quite a few new features - such as the 64-bit boot time scan and new stuff in the Behavior Shield - but none of these features are that related to the topic of this thread). V5.1's main feature is the central administration (i.e. a feature not really interesting to end users) - and it will also be marketed this way (as a corporate product, essentially).
Now, with Avast 6.0 (which is coming sooner than you may think), it's a different story. Avast 6.0 will feature the in-the-cloud heuristics based on the age/prevalence data (as suggested above by sded) as well as new stuff related to the use of our sandbox. But, instead of using the "default deny" paradigm that Comodo is trying to advertise so much, avast will work differently. It will rely on its heuristics engine to make decisions on whether an executable file should run sandboxed or not. Let me explain this in a bit more detail. Currently, the outcome of the scan is pretty much binary - either the file is called "clean" (and is allowed to run), or it is flagged as "infected" (and appropriate actions are applied - and the file isn't allowed to run). This also applies to heuristics detections. Now in avast 6.0, the outcome could also be "potentially infected, use extreme caution" and this case, when talking about an on-exec scan, will (by default) be handled by sending the file into the sandbox. If the program is legitimate, it has a good chance of running OK inside the sandbox (and of course you, as a user, can always override the decision and run it normally). And if it's really malware, avast has just saved your butt.
There are many other minor things that make up these changes (such as further emphasis on the Behavior Shield when making these heuristics decisions, i.e. taking into account full context info) but this is, at a glance, how it's going to work. What may be of special interest, also, is that this is how it's going to work even in the free version (which means that the core functionality of the sandbox will likely be moved to the free AV).
Thanks
Vlk