Re: The revelation...
My guess is that even if it hooks CreateProcess(), it will later use file functions separately to open and read the file. If you can spot who is asking to read the file, and pass different data, it will work.
Otherwise the data loaded by CreateProcess() should be first sent to the AV - but CreateProcess() may not read the whole file - i.e. resources may be loaded on-demand by application code, thereby an antimalware solution may need to read the file separately anyway.
Of course it's much easier to perform the trick on SMB than locally (you would have rootkitted the local machine already to perform that).