It sometimes seems like AV has got paranoid these days and there do seem to be quite a lot of false positives.
AVs look for signature patterns and if they see something that relates to a known pattern then the program will be marked as suspect. Key gens & program cracks are a common FP. The crack itself may be clean, but the AV picks up the pattern that it's trying to crack something so it sees it as a trojan. I suppose this then makes it hard for anyone using a crack to find out now if it is a 'genuine crack' or does actually contain a nasty.
I have a couple of network tools which sniff packets that AVs always mark as trojans that I know aren't. Anything that does packet sniffing is regarded as a possible threat despite them being legitimate software, which is why the AV manufacturers have to whitelist them. Wireshark and WinPcap are 2 popular network tools that at one time have been marked as containing viruses when in fact they don't. However those 2 are well known and it's not long before complaints get made and the AV company moves them to the OK list.
Cain is another valid program used to recover lost Windows passwords, yet even today this will be marked as a virus by some AV software. Anything that 'sniffs' or scans is always going to come up as suspect.
One of the things I had to do for an assignment when at college was write a messenger program. I've had AVs mark it in the past as a trojan, yet I 100% know that it isn't. To this day I still don't know why it got picked on.
I think if enough users report a suspected FP then the AV company will whitelist it; it's therefore harder and will take longer for the less well known program FPs to clear.