Another false positive with AVG

Tuesday, 16 March 2010

I've had a similar problem with our Trend OfficeScan product. OfficeScan randomly quarantined some ThinApp entry points as "MAL_BANKER", which according to their website (http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=MAL_BANKER) is a generic name for suspicious activity. I couldn't find any rhyme or reason as to which entry points were quarantined and which weren't, but I found that if I didn't compress the ThinApp then the antivirus didn't squash any of them. I finally found this in the Trend server config:
IntelliTrap
Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering the network by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting or cleaning) files when you enable IntelliTrap. If users regularly exchange real-time compressed executable files, disable IntelliTrap.
IntelliTrap uses the following components:
Virus Scan Engine
IntelliTrap Pattern
IntelliTrap Exception Pattern
Disabling that "feature" seems to have solved our problem.