Trend Micro
Message
From
05/04/2012 16:29:41
Al Doman (Online)
M3 Enterprises Inc.
North Vancouver, British Columbia, Canada
 
 
To
05/04/2012 16:11:28
General information
Forum:
Windows
Category:
Virus scan
Title:
Miscellaneous
Thread ID:
01540236
Message ID:
01540466
Views:
27
>>>>>>>Any Trend Micro anti-malware users here ... ?
>>>>>>
>>>>>>Some of my clients use it.
>>>>>
>>>>>How do you feel about the way it gets Trend Micro Japan to re-download whatever files your clients download from the sites they visit when the phishing filter feature is turned on (which it is by default)?
>>>
>>>
>>>>I haven't seen anything like that, but if it's behaving as you say, it sounds like a bug. Your best bet would be to contact their tech support and/or support forums.
>>>
>>>This is no bug. This is how their phishing filter works by design. I have verified at several clients and tested with unique file names. This thing monitors files you download, sends the URL to a Japan IP address range owned by Trend Micro which within minutes redownloads the file. It is part of the phishing filter. There are Google search results for more info...
>>
>>I took a quick look at the URLs in your other post. It looks like Trend has chosen to architect that portion of their suite to run user Web requests through their "reputation" servers.
>>
>>I've already said this a number of times on this forum: antivirus is evil. Considering how it hooks into your system, what it snoops, and what it does, it's functionally no different from malware. If you run GMER on your Trend-equipped system, you'll see it reports one of the Trend components as an installed rootkit.
>>
>>So, don't be surprised to see AV products doing all kinds of unexpected and unwholesome stuff. If you don't like it, turn off the feature, or use a different product - or none at all.
>
>Hi Al.
>
>We don't use Trend Micro. We discovered this because Trend was re-playing URLs which were created uniquely and specifically for some of our clients. They downloaded files from our server which they had no right or permission to. Clients have no idea about this feature. I have been in contact with the IT company that supplied the clients this product and they didn't even know about it.
>
>I agree that AV products are bad - there is a serious conflict of interest going on plus the fact that they will always be behind the malware curve anyway. Better to have educated users rather than rely on questionable tools especially ones which download files behind your back. But it is big business.
>
>By the way, this is so bad that we even found Trend running client unique URLs in emails we sent to certain clients in tests. i.e. they scan the email for URLs, send the URLs to Japan, and run the URL to see what happens ...

How very special. Sounds like they got the idea from one of those Russian banking Trojans. I was going to remark that you're going to have to make your client-specific URLs single-use, but even that won't work, because in the e-mail case Trend would be using it first :( I can't think how you'll reliably fix this issue - maybe some sort of reverse DNS lookup for each request? What a PITA.

>Do you think GMER is a good product? It is rated very highly.

I'm no expert, I've used it a few times while removing malware to see if there's a particularly nasty rootkit that needs to be unhooked before running ComboFix.
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
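
An added example, not part of the original message or from anyone in the thread: one way a server operator could spot the replay behaviour described above in their own access logs, by flagging any per-client URL fetched from more than one source address within a short window. The check ignores which address came first, since in the e-mail case the scanner may fetch before the client does. The log format, the `/dl/<token>/` path layout, the 30-minute window and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2012:16:11:28 +0000] "GET /dl/7f3a9c/report.zip HTTP/1.1" 200 48213
203.0.113.77 - - [04/May/2012:16:14:02 +0000] "GET /dl/7f3a9c/report.zip HTTP/1.1" 200 48213
198.51.100.5 - - [04/May/2012:16:20:00 +0000] "GET /dl/b81e02/invoice.pdf HTTP/1.1" 200 9120
203.0.113.80 - - [04/May/2012:16:29:41 +0000] "GET /dl/c44d10/setup.exe HTTP/1.1" 200 777
192.0.2.44 - - [04/May/2012:16:33:05 +0000] "GET /dl/c44d10/setup.exe HTTP/1.1" 200 777
198.51.100.5 - - [05/May/2012:09:00:00 +0000] "GET /dl/b81e02/invoice.pdf HTTP/1.1" 200 9120
"""

# Assumed layout: per-client URLs live under /dl/<hex token>/<file name>.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (/dl/[0-9a-f]+/\S+) HTTP/[\d.]+" (\d{3})'
)

def parse(log_text):
    """Yield (ip, timestamp, path) for successful GETs of per-client URLs."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "200":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3)

def find_replays(log_text, window=timedelta(minutes=30)):
    """Return {path: sorted IPs} for URLs fetched from >1 address within `window`."""
    hits = defaultdict(list)
    for ip, ts, path in parse(log_text):
        hits[path].append((ts, ip))
    flagged = {}
    for path, events in hits.items():
        events.sort()  # chronological order
        # Compare each fetch with the next one; order of client vs. scanner is irrelevant.
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged.setdefault(path, set()).update((ip1, ip2))
    return {p: sorted(ips) for p, ips in flagged.items()}

if __name__ == "__main__":
    for path, ips in find_replays(SAMPLE_LOG).items():
        print(path, "fetched from", ", ".join(ips))
```

A flagged URL only shows that two addresses fetched it close together; deciding which one is the client still needs the operator's own record of who the link was issued to.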