Here is a nice read on how to obfuscate code in a Java exploit on how to make it undetectable by AV vendors: http://security-obscurity.blogspot.ch/2012/11/java-exploit-code-obfuscation-and. html
A tad sad to look at how fast Mcafee is out of the race
I did not write the article, all credit to Security Obscurity.
Interesting read, but the issue with the testing is that product configuration isn't part of the testing. For example, the Script scanner within VSE *may* be able to find the obfuscation and detect the threat. Likewise for other products.