Would it be possible for avast! to detect the mailing mechanism in mass-mailing worms so it could detect it even if the worm is not in the VPS list?
In that case, MS Outlook would also be detected as a virus (I know, it may be correct, actually). How do you distinguish "legal" mailing code from malicious? Besides, the mailing code may be crypted or packed by an obscure packer...
And then only checks other factors for EXE like size that usually never exceeds 200KB for such worms, so FP would be very low.
The problem is that "never" is never 100% correct here. First, even if 200kB may be rare today, it won't be in the near future; second, even today there are worms that e.g. append some files/data after their main file - so they can be rather long.