Hi!
I think I am aware of how it works now. I just disagree with the "very small chance" that two different companies are getting the same malicious documents in a small time frame.
Example: Malicious mails start to use more and more "links" instead of "attachments". The links are dead within the first minutes to avoid being detected by gateway scanners.
In that case, I would wish to get the update via LiveGrid directly when any installation with EDTD detected the downloaded file.
About confidential samples: It would be sufficient to share the hashes of all malicious files.