1. I use Agent as my mail-client. It doesn’t do any preview or in any other way open attached files until they are saved to disk. So when someone chose to open the attachment it was saved to WINDOWS\TEMP, and that triggered avast! (as it should). After an attachment is saved then the mail-program will try to execute it. But we should have gotten this far, should we? As avast! was triggered when the file was saved. And even if it got saved it should trigger avast! when it was opened again too (I scan on both “write” and “open”). So to start it had to get past TWO times (if the file was not allowed to be saved AND open even after avast! showed the warning).

2. The “Delete” option DID NOT work. It just gave an error message (because by then the file had been executed and was locked). But how could it be executed WHILE avast! was showing the virus warning and no one clicked anything?

3. Mail-scanner might be nice, but it will only stop mail coming through a configured pop3/smtp client. My girlfriend uses web-mail. And then this would have happened anyway if she clicked an executable attachment (it would first be saved in “temporary internet files” and then run from there). And if the same had occurred then it would not have been stopped.

I’m not trying to be unfriendly towards avast! I’d just like to figure out how the virus could start when the file was BOTH saved to disk AND THEN opened from disk (to be executed). avast! should have stopped both those operations, right?

The only explanation I have is that the saving and opening for execution continued in the background while avast! was waiting for us to choose an action in the virus warning box. And that scares me - every file I/O should be stopped then.