I hope you can appreciate that if we go that route, then there's not much that's going to be left for legitimate application developers not to have their executable flagged as malware eventually, if all it takes is a property, that does not qualify as malware per se, to trigger a false positive. That's pretty much the same issue as what we have with the inordinate amount of engines that continue to see the use of UPX compression as an indicator of potential malicious behaviour (instead of just reporting on the uncompressed version of the file). Again, I will reiterate that this is in part why it is exhausting for developers to try to engage with AV vendors, because there's no denying that there's often a strong preference there to prefer "wider nets" over "accuracy of results" (and yes, I do understand where this comes from, since accuracy of results is hard, but when 16 engines are jumping into the same bandwagon and are misclassifying a specific type of build from the exact same source, and not another, I can't help but think that there is definitely a problem that should be fixed there).