I fear that this is becoming a wild goose chase. I believe it is time to stop and rethink what problem it is that we are trying to solve. The basic problem is that there are unreliable anti-virus products in existence. I have been investigating and came across the site:
"With AV testing it is important to measure not only detection capabilities but also reliability – one of reliability aspects is certainly product’s tendency to flag clean files as infected."
"False alarms can sometimes cause as much troubles as a real infection."
We have a certificate for digitally signing BlackBox don't we?
"A digital signature, also sometimes called self-signed certificate, is a way for a software, application, or plug-in publisher to verify the authenticity of its own code when provided for download.
If so we should be distributing the software as a signed installation file. As long as that is stated on the website and a statement that the product has been passed by a named reliable AV product (or two) that should be sufficient to allay the fears of the average user.
If there is also a desire to distribute the software as a zip file or whatever then the users who choose to go that route would not be so easily put off by false alarms and assume the risk. A hash of the entire zip file should be sufficient.