I’ll refer to this other thread where I didn’t get any feedback from Avast…yet. And I think the issue is important enough to justify an own thread.

Am I understanding correctly that when you run IE9 sandboxed the Web Shield does not detect the .js file but only the File Shield?

no it’s not that: in IE9, sandboxed or not, both shields interfere, as opposed to other browsers where only the web shield does, meaning that in IE9 the webshield is triggered but that’s not enough, there’s still malware going through and intercepted by the file shield.

Now to the sandbox issue: when launching the same link in IE9, sandboxed this time, the alerts are the same >>> noticing that the trojan file, as reported by the alert, was located in C:\user…temp internet files, although IE9 is sandboxed ??? thing is that I’m not sure at all in fact if the trojan was in the sandbox when intercepted at disk level by the file shield or not. Avast reported it was where it should have been if IE wasn’t sandboxed. Could also be a “junction point like effect”…

Thanks. Looking forward an explanation for Lukas.

When you executed IE9 sandboxed, the .js file already existed at the location “C:\Users.…” so that’s why file system shield found that file. I’m sure IE9 virtualized .js file into the sandbox (in fact, I retested it to be sure).

Webshield operates in two scanning modes. Some packed files aren’t scanned during downloading, but they’re scanned when downloading is almost finished. You may download some Gbs of data and it must be stored somewhere - that’s why IE saves it to the temp folder. If the file is infected, internet connection is aborted immediately.

just about this part: the sanboxed try on this infected site was the first try. Subsequent tries were then done with IE, FF and Chrome un-sandboxed.