I just had something very interesting happen, seems very clever but simple enough...
Wednesday night the weekly Full Scan grabbed a couple of false-positive files from a CADD application on a few of the engineering computers. I saw the alert emails (which STILL don't identify the computer OR the files!!!!) on Thursday morning, but I certainly had other concerns on that day (Nov 28th, US Thanksgiving holiday for my international friends); I meant to check them sometime over the weekend but forgot...
I got in this morning and went to check into the files, and discovered that the files were all reported as having been Restored on Friday, Nov 29. What? Nobody was here Friday, and I sure as heck didn't do it remotely.
A little more investigation revealed that when the signatures updated to version 7.97.956 on Friday afternoon, the file was immediately restored:
That's really nice. I'm not sure of the exact mechanism, whether it auto-restores files from the quarantine any time an updated signature says they're no longer a threat, or if there's a specific trigger coded into the signature update that says "hey, there were false positives due to virus detection xyz, go re-check and restore any such files".
Either way, that's a nice feature.