
I think it can be justified. It's not common, it's known as being one of the more crude methods of detecting malware -- but hey -- we use what works and what fixes people's machines. That is why it is in use by some vendors today.

Here's an example:

Some companies block anything named 'svchost.exe' that isn't in system32. Create a txt doc and name it svchost.exe and drop it on your desktop and some antivirus software will detect and remove that item.

Why? Because there is no good reason for someone to have svchost.exe anywhere other than SYSTEM32 and also because svchost.exe is one of the top 10 most common names for malware. So, at risk of some FPs -- some companies have a rule that simply removes these if found anywhere else.
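The rule the comment describes (flag any file or process image named svchost.exe that does not sit directly in the System32 directory) is small enough to write out. The following is an added example, not code from the comment's author or any vendor product; the system root `C:\Windows`, the `is_misplaced_svchost` / `find_misplaced` names and the sample process inventory are all constructed for illustration. It uses `ntpath` so the Windows path semantics (case-insensitive names, `..` collapsing, forward slashes) are honoured even when the check is run off-host, e.g. over an exported process list.

```python
import ntpath

# Assumed system root; a real scanner would read %SystemRoot% at run time.
SYSTEM_ROOT = r"C:\Windows"
# Directories in which svchost.exe is expected. The comment's rule allows
# only System32; 64-bit hosts also carry a legitimate copy under SysWOW64,
# which a deployment would normally add here to avoid false positives.
DEFAULT_ALLOWED_DIRS = (ntpath.join(SYSTEM_ROOT, "System32"),)


def is_misplaced_svchost(image_path, allowed_dirs=DEFAULT_ALLOWED_DIRS):
    """Return True when image_path is named svchost.exe but its parent
    directory is not one of allowed_dirs.

    Names are compared case-insensitively and '..' segments are collapsed
    first, mirroring how Win32/NTFS resolve paths, so a tricky spelling of
    the legitimate location is not reported and a lookalike is not missed.
    """
    normalised = ntpath.normpath(image_path)
    directory, name = ntpath.split(normalised)
    if name.lower() != "svchost.exe":
        return False  # the rule only concerns this exact file name
    allowed = {ntpath.normpath(d).lower() for d in allowed_dirs}
    return directory.lower() not in allowed


def find_misplaced(process_list, allowed_dirs=DEFAULT_ALLOWED_DIRS):
    """process_list: iterable of (pid, image_path) pairs.
    Returns the (pid, image_path) pairs that violate the rule."""
    return [
        (pid, path)
        for pid, path in process_list
        if is_misplaced_svchost(path, allowed_dirs)
    ]


# Constructed sample inventory (not captured from a real host).
SAMPLE_PROCESSES = [
    (612, r"C:\Windows\System32\svchost.exe"),           # legitimate
    (640, r"c:\windows\system32\SVCHOST.EXE"),           # legitimate, odd case
    (1337, r"C:\Users\alice\Desktop\svchost.exe"),       # the comment's example
    (2048, r"C:\Windows\Temp\..\System32\svchost.exe"),  # resolves to System32
    (3000, r"C:\Windows\System32\drivers\svchost.exe"),  # subdirectory, not allowed
    (3100, r"C:\ProgramData\svchost.exe.txt"),           # different name, ignored
    (3200, r"C:\Windows\System32\notepad.exe"),          # unrelated binary
]

if __name__ == "__main__":
    for pid, path in find_misplaced(SAMPLE_PROCESSES):
        print(f"pid {pid}: svchost.exe outside allowed directories: {path}")
```

Run as a script it reports PIDs 1337 and 3000 only. The `svchost.exe.txt` entry shows the limit of a pure name match: a text document that merely has `svchost.exe` as a visible name, with a real `.txt` extension hidden by Explorer, never triggers the rule; only a file whose full name is `svchost.exe` does, which is exactly the situation the comment describes.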
