ESS 5.2.15.0 Allowed .zip with payload

I know there's a procedure for submitting suspected files to ESET, but this one's a bit perplexing and I'd like to get your feedback.

First a little environmental info:
XP SP3
Thunderbird 17.0.5
ESET Smart Security 5.2.15.0
Virus Sig 8230 (20130415)
Email Client Protection for Thunderbird ENABLED

A client received an email containing a small zip that purportedly contained "faxes". Fortunately the client was seasoned enough not to open the zip. Instead he forwarded it to me.

I submitted the zip to http://virusscan.jotti.org where ESET positively identified the file as containing a virus "ESET 2013-04-15 Win32/PSW.Fareit.A".

Here's my problem... the ESS installation on my client's computer didn't pick up the infection until I attempted to unzip the executable it contained.

Is that normal? It seems that ESET should have intercepted the ZIP file attached to the email prior to it making its way to my client's inbox.

 

As far as I know, yes, it's normal; the realtime module doesn't scan archives until they're extracted. Archives are considered harmless, and once they're extracted the realtime module kicks in and detect any threats.

 

Thx for the feedback.

 

You're welcome.