I know we've been over this before, but I have to raise the alarm again. I have a running copy of ESS 4.0.467 with current definitions 4989, that got another drive-by download of ave.exe. This particular version is detected on VirusTotal by Symantec, F-Prot, and Avast! among others, but not by ESS (see ~Virus Total link removed per Policy.~ for report). In this case the user in question must've hit an infected site he found thru a Google search. He swears he never saw a popup; he's running IE 8 on a fully-patched XP SP3, and he is NOT and admin-rights user (or even a power user). This is a true drive-by download, behind a corporate firewall (though no proxy), and his first indication of a problem was when pdf files wouldn't open in Acrobat without throwing a weird error on the screen (which, sorry to say, I forgot to record). I have submitted the sample to ESET (hey Marcos), but the broader issue remains: ESS is dropping the ball rather badly on rogue AV programs which display remarkably similar behavior. All of the snarky clean computing comments aside (and I know they're coming), our security software should do better than this. I just bought 135 licenses of the &^%$ thing, and I'm getting pressure from higher-ups for having sold them on an inadequate product. It's high time the development team take this recurring threat seriously instead of engaging in the usual "nobody's perfect" and blame-the-victim games.