I think the “Created/modified files scan” works a little different than you expect. As I already explained somewhere, the scan is performed after the file is written (can’t be reasonably done better) and it’s probably non-blocking (not completely sure about this one - Vlk may have some more info). I.e. the virus warning is rather informative-only in this case.

The other ones (scanning on open/execute) do deny the access to the file, however, so the file should never be executed, if infected.

As I said… I’ll check it later, but I believe the original scanario went a little different than it appeared.

techie: Having unfixed Outlook is bad (though it wasn’t the case here), but I think the executed attachment should be caught anyway, and not allowed to be started.