@ Loominal
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection.
However, the FSS/AutoSandbox checks other things amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). these can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.
Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.
If you check the attached image (click to expand), you will see the sort of thing that the autosandbox is checking for. Now some of those things can be adjusted as a result of updates to the generic/heuristic signatures, which could explain the reason for old programs subsequently being pinged. I also believe that the behavior shield information on that file may also be used by the autosandbox to arrive at the decision to allow or 'recommend' and it is just a recommendation, to run it in the sandbox.
So there is a problem with a shield/tool that is essentially trying to detect unknown/zero day malware and the balance between being too aggressive or too relaxed to be effective in detecting these unknown/zero day items.
Also see - AutoSandbox – why are you annoying me?
https://blog.avast.com/2012/03/20/autosandbox-why-are-you-annoying-me/