Sf detections have been added since several years ago, since the launch of the v5 if I remembered correctly.
And Sf are also detected via normal scanning, at least I saw it around 2011 during malware testing.

So I consider Sf detection are based on Code Emulator. Of course, integration of dynamic binary translation into code emulator is the most probable.