AV software is written to pass the tests of AV software reviewers. This is subtly but importantly different from "written to accurately detect and block malware"; in particular, it's extremely difficult for a reviewer to test an AV's ability to block completely novel malware (unless they're a malware author themselves or connected with someone who is). So, people tend to set the AV software to scanning a folder full of known samples and judging the software on how many it detected (this is a nice, easy metric: you can make bar graphs out of it!) - in this situation, if chucking in a signature for C:\windows\SL gives you an easy extra malware detection at the cost of a false positive (that no reviewer's going to spot anyway), it's a no brainer.