>> How can I trust any executable at all, when there are so many confirmed false positives reported?
That's an excellent question. The unfortunate answer is, you can't.
Thing is, anti-virus companies purposefully make it hard to report false positives. Some companies don't even acknowledge reports of them at all. But there's a twist - the false positives are never given for the software of really big software corporations (Microsoft, Adobe, Oracle etc.) because they know those corporations have the legal firepower to wipe out an antivirus company in the courts if they so choose.
But smaller developers and developers of freeware or free software are SOL. Why, you might ask? It's simple: more false positives make their software look more useful. Most average, non-technical users have no way of knowing whether a virus warning is a false positive or not, so the AV companies know the majority of users aren't likely to complain. And more warnings/actions from the AV software give the impression that the software is "doing its job".
Of course, you can avoid all this by using an OS that doesn't require silly antivirus software. An OS where the security is built into the system instead of outsourced to a 3rd-party band-aid solution which you have no way of knowing what it does with your computer. Personally, I haven't used antivirus software for a year and I haven't caught a single virus or piece of malware.
That's a lot of work for no real gain. Certainly you can put these sorts of infections into VMs to see what they do (that's how they're researched in the first place) but unless you have a fairly specific setup looking at the memory and processes you likely wouldn't see anything happen.
If you're concerned about false positives then either get better AV software or ignore them.
I have had 2 trojans before, and both of them worked pretty immediately. One installed a redirecting proxy on my browser, the other was a rootkit virus that destroyed the master boot record and erased my system partition. The first one I was able to defeat pretty easily. The second killed my OS (obviously) and the absence of an MBR classified all 420GB of stuff on the data partition as "non-existent files".
Fortunately, the virus was stupid, because it killed my OS before any pesky auto-defragmenters or indexers were able to mess around with the "free space" that the MBR tampering had created. Therefore, about a year later, I was able to use a certain Linux distro to restore every single file that the virus had deleted.
Anyway, I just want to be sure that starting up some program doesn't try to install a full-screen toolbar on my browser, or redirect every folder I open to cp sites using automated Internet Explorer scripts or something.
Any good AV software will stop the virus on execution and won't give false positives. You said that yours was giving false positives, which leads me to think that you know they're false positives. If you're unsure, then it's a gamble for you in the long run. Things in a VM won't necessarily show the same behavior in that virtual machine, especially since hardware and OS are emulated differently than on your actual PC. It depends on the specific VM you're using. The sandbox-type programs will offer you some protection, but in reality, anything that was going to get around your OS's protected memory is going to get around those.
Point is, if your AV software is worth having then you should be able to run just about anything without worry. If that's not the case, then you need better AV software.