When DeepScreen (and possibly Hardened Mode) first came on the scene, I can recall it pinging lots of 'old' but legit files, even the winword.exe and excel.exe executables. Just checked my Settings > General > Exclusions > CyberCapture and both executables are in there, now that DeepScreen isn't in those settings.
So I believe this could pick up on some old files (but legit) not yet in its database because they are so old.
DeepScreen is a thing with its own story. And so is Hardened Mode. I also don't entirely understand the logic behind these two after all these years.
With DeepScreen, once it scans the file and excludes it, you can modify that file into the worst virus ever and it'll just happily execute it, because the exclusions are unconditional. Once it has monitored the file once, it'll just happily execute it freely after that. I don't get why DeepScreen exclusions don't allow both permanent and on-modification exclusions. DeepScreen should be re-triggered when a DeepScreen-excluded program is modified. But they just don't check this for whatever reason. I've been warning about it and never got any reply or elaboration about it.
And the same goes for Hardened Mode exclusions. When you run suspicious executables, they get DeepScreened first. Always. But if you use Hardened Mode (Moderate), it gets blocked on the basis that it WOULD trigger DeepScreen otherwise. But it doesn't actually screen it for malicious behavior. What this does is, when Hardened Mode (Moderate) blocks it and you decide to execute it anyway, it just executes it directly afterwards. Why aren't Hardened Mode (both levels) files screened by DeepScreen BEFORE they get excluded? Again, I requested elaboration, explanation and a future request for this several times. And it's still not here. A new version is planned for January 2017, and with no avast! BETAs, I have no idea what they are doing and if they are even adding any of this.
I've wandered away from the original topic, but all this stuff is connected and it keeps on bothering me why they make all these seemingly cool features and they just never bother to perfect them based on user feedback and security concerns. I value how they take our feedback for many things, but this stuff just seems to be perpetually ignored for some bizarre reason...
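The modification-aware exclusion asked for above, as an added sketch that is not part of the original posts and is not Avast's code: it contrasts an exclusion keyed only on the file path with one pinned to the SHA-256 of the content that was screened. The class and function names and the sample file are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file in chunks so large executables are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class PathExclusions:
    """Unconditional exclusion: trusts whatever currently sits at the path."""
    def __init__(self):
        self._paths = set()
    def exclude(self, path):
        self._paths.add(os.path.realpath(path))
    def is_excluded(self, path):
        return os.path.realpath(path) in self._paths

class HashBoundExclusions:
    """Exclusion pinned to the exact content that was screened."""
    def __init__(self):
        self._pinned = {}  # real path -> SHA-256 recorded at exclusion time
    def exclude(self, path):
        self._pinned[os.path.realpath(path)] = sha256_of(path)
    def is_excluded(self, path):
        key = os.path.realpath(path)
        pinned = self._pinned.get(key)
        if pinned is None or sha256_of(path) != pinned:
            self._pinned.pop(key, None)  # content changed: drop it, screen again
            return False
        return True

def demo():
    """Exclude a constructed sample file, modify it, return both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sample.exe")  # constructed sample, not a real binary
        with open(target, "wb") as f:
            f.write(b"original screened content")
        by_path, by_hash = PathExclusions(), HashBoundExclusions()
        by_path.exclude(target)
        by_hash.exclude(target)
        before = (by_path.is_excluded(target), by_hash.is_excluded(target))
        with open(target, "ab") as f:
            f.write(b" + bytes appended after screening")
        after = (by_path.is_excluded(target), by_hash.is_excluded(target))
        return before, after
```

After the file is modified, the path-keyed store still reports it as excluded, while the hash-bound store drops the entry so the file would go back through screening.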