Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim

Roland6 Silver badge

And all the methods fall down in this case, as the issue, as people had noted, isn't necessarily a 'trojan' in the source code, but the use of a system to detect particular files and upload them.

I suspect many Cloud AV products can be commanded, on seeing a particular file signature, to upload the associated file, and suspect that this legitimate operation can be misused by a piece of shell script in the AV Cloud to request the client to upload all files:

While Client finds files to hash Do

Client to Cloud: Here's a file hash

Cloud to Client: Please upload file for deeper inspection

Enddo
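
Added example, not part of the comment above and not any AV vendor's code: a client-side audit check that measures how often the cloud answers a reported hash with an upload request, and alerts when that rate departs from a baseline. The log format, message names and thresholds are assumptions made for illustration.

```python
# Constructed audit-log format (an assumption, not any vendor's):
#   "<sender> <message> <file-hash>", one exchange message per line.

def parse(log):
    """Yield (sender, message, digest) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)

def upload_stats(log):
    """Count hashes reported by the client and uploads the cloud asked for."""
    reported, requested, unsolicited = set(), set(), set()
    for sender, message, digest in parse(log):
        if sender == "client" and message == "HASH":
            reported.add(digest)
        elif sender == "cloud" and message == "UPLOAD_REQUEST":
            # A request for a hash the client never reported is its own anomaly.
            (requested if digest in reported else unsolicited).add(digest)
    ratio = len(requested) / len(reported) if reported else 0.0
    return {"reported": len(reported), "requested": len(requested),
            "unsolicited": len(unsolicited), "ratio": ratio}

def assess(log, max_ratio=0.05, min_reported=20):
    """Return 'alert' when upload requests exceed the assumed baseline."""
    stats = upload_stats(log)
    if stats["unsolicited"]:
        return "alert"
    if stats["reported"] >= min_reported and stats["ratio"] > max_ratio:
        return "alert"
    return "ok"

def make_session(n, upload_every):
    """Build a constructed session: n hashes, an upload request every k-th."""
    lines = []
    for i in range(n):
        digest = f"{i:064x}"  # placeholder digest, not a real file hash
        lines.append(f"client HASH {digest}")
        wanted = upload_every and i % upload_every == 0
        lines.append(f"cloud {'UPLOAD_REQUEST' if wanted else 'VERDICT_CLEAN'} {digest}")
    return "\n".join(lines)

BASELINE = make_session(100, upload_every=50)   # 2 of 100 files requested
UPLOAD_ALL = make_session(100, upload_every=1)  # every hash answered with a request

if __name__ == "__main__":
    for name, log in (("baseline", BASELINE), ("upload-all", UPLOAD_ALL)):
        print(name, upload_stats(log), assess(log))
```

A check like this only sees what the client logs, so it belongs on an independent vantage point such as a network proxy or host audit trail rather than inside the AV client itself.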
