It's also how machine-learning based "malware detections" work - they don't run in real time on users computers so you can create a fresh executable and it won't be flagged but once enough users run it and their anti-virus software uploads it will get scanned and receive a made-up virus name (and this can and often does happen even if the executable is not malicious).