Today I downloaded a program update installer. As soon as the download finished I got the usual NIS (21.1.0.18) pop-up that said it was analyzing the file. Then a message came up saying the file was suspicious (I forget the exact wording) and had been removed. This didn’t surprise me too much since it was just released and thus would have virtually no reputation built yet.
But then I was surprised to see the program’s install dialog appear. So I looked in quarantine, and it turns out what NIS had *actually* removed was a *5-month-old* version of the same program installer. (I often save old install files for a while in case a new version is buggy.)
Very bizarre. NIS was NOT doing a system scan (either idle or manual) at the time (and even if it had been, the timing would have been extremely coincidental). The file that was shunted to quarantine is labeled as WS.Reputation.1, detected by Download Insight. Probably a false positive, but that’s not the issue here (I’m happy to delete that file at this point even if it *is* a FP). The question is why, and how, NIS instantly located, flagged and deleted a 5-month-old version of the file while it was supposedly checking out the just-downloaded new version (which, BTW, Insight gives a “new” but “good” rating when scanned manually)?
Any ideas?