igor0
3
Simply because it’s less suspicious than to report an ordinary detection, yet more than a normal file usually is.
There is no simple trigger - there are many rules, possibly combined somehow together, that form the “suspiciousness” (and those rules are updated, sometimes daily, just like the rest of the virus definitions).