Is it that old? It's from a few days old pack from VirusSign. AFAIK they include files that have been recently cought with their honeypots or whatever - or maybe they are files uploaded by users. In any case they should be files that are currently in the wild. Yes, the conres.dll was created while real-time protection was enabled, of course. Wouldn't make much sense to test stuff if it is disabled. Since it was written and scan-at-write or how that's called is enabled as well, it should have been detected and blocked from being created, but it's always there when I execute a Floxif file. I don't know if he file does anything malicious, but Virustotal shows like 50 hits or more, so I would expect it to be removed by WVSX.