by ynik 2788 days ago
The AV might not even be looking at patterns in the executable code. We've had an issue where we accidentally ran the MSYS strip tool over binaries compiled with the MSVC compiler. A quarter of the scanners on VirusTotal went crazy and "detected" our program. The same unstripped program was fine with them. And by "the same", I literally mean the same: VirusTotal showed that all sections in the "malicious" stripped executable had identical hashes to those in the clean unstripped executable. The only difference was some header bits that were irrelevant to the runtime behavior (I think it was the "linker version" field, and maybe some others).
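An added example, not part of the comment above: one way to check a suspected false positive of this kind is to hash each section's raw bytes in both builds and diff a few PE header fields. The function names, the chosen set of header fields, and the sample bytes (including the linker version values) are assumptions constructed for illustration.

```python
import hashlib
import struct

def parse_pe(data):
    """Return (header fields, {section name: SHA-256 of its raw bytes})."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, nsec, stamp, symptr, nsyms, optsize,
     chars) = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF file header
    opt = pe + 24                                           # optional header
    _magic, major, minor = struct.unpack_from("<HBB", data, opt)
    fields = {
        "linker_version": (major, minor),
        "timestamp": stamp,
        "symbol_table": (symptr, nsyms),
        "characteristics": chars,
        "checksum": struct.unpack_from("<I", data, opt + 64)[0],
    }
    sections = {}
    for i in range(nsec):                                   # 40-byte section headers
        off = opt + optsize + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size, ptr = struct.unpack_from("<II", data, off + 16)
        sections[name] = hashlib.sha256(data[ptr:ptr + size]).hexdigest()
    return fields, sections

def compare(a, b):
    """Return (header fields that differ, sections whose raw bytes differ)."""
    (fa, sa), (fb, sb) = parse_pe(a), parse_pe(b)
    fields = sorted(k for k in fa if fa[k] != fb[k])
    sections = sorted(n for n in sa.keys() | sb.keys() if sa.get(n) != sb.get(n))
    return fields, sections

def build_sample(major, minor, body=b"constructed code"):
    """Constructed one-section PE32 layout for the demo; not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x102)
    opt = struct.pack("<HBB", 0x10B, major, minor) + b"\0" * 92
    sec = b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), 224)
    return dos + b"PE\0\0" + coff + opt + sec + b"\0" * 16 + body

if __name__ == "__main__":
    print(compare(build_sample(14, 0), build_sample(2, 30)))
```

An empty section list alongside a non-empty field list means the two files differ only in header metadata, which is the evidence worth attaching to a false-positive report.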