Complete analysis of the autosandboxed application is done on user's computer. Autosandbox executes a suspicious process in the sandbox and logs every filesystem/registry operations, attempts to inject to different processes/modify system components/install hooks/create a network connections, etc etc. Avast has over 1500+ generic signatures in VPS up to this day (their prefixes are Dyna:, as you can see in VPS release history). One signature usually identifies various malwares, so one malware is also usually detected by several signatures (e.g. for disabling windows update/firewall, injection, etc). We receive only some statistics to see false positives, no. of autosandboxed processes, etc. Binary file is never uploaded to our servers.