lucy24 - 11:22 am on Sep 18, 2011 (gmt 0)
If the site is not already in the dangerous list (and while your HTTP request is still blocked), the URL is sent to the Trend server for a second check. The Trend bot fetches the URL and scans the result for malware. If the data is clean, Trend sends an "Ok" message back to the user's AV program. And the AV allows the browser to proceed with sending out its HTTP request for the URL.
Yes, that makes perfect sense. It's the behavior you would expect of a virus-sniffer. And, given the hiccupiness of the logs, arriving a second before or after the human visitor isn't significant.
It's when their only visit is anywhere from two minutes to an hour and a half after the human visit* that I'm scratching my head. Wouldn't they have to live in your router to do all that pre-testing while being perfectly invisible in the logs?
* The pages that caught my attention were temporary, private pages. You could literally count their human visitors on the fingers of one hand, so there's no doubt about which specific human triggered the virus snooping.
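The timing question in this post can be checked directly against an access log. The following is an added example, not part of the original post: it pairs each scanner fetch with the nearest human fetch of the same path and labels it inline or delayed. The scanner network, the 5-second window and the log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: scanner recognised by source network (documentation range as placeholder).
SCANNER_NETS = [ip_network("198.51.100.0/24")]
INLINE_WINDOW = timedelta(seconds=5)   # "a second before or after", plus log jitter
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2011:10:00:00 +0000] "GET /private/a.html HTTP/1.1" 200 5120
198.51.100.7 - - [18/Sep/2011:10:00:01 +0000] "GET /private/a.html HTTP/1.1" 200 5120
192.0.2.44 - - [18/Sep/2011:10:05:00 +0000] "GET /private/b.html HTTP/1.1" 200 2048
198.51.100.9 - - [18/Sep/2011:10:52:30 +0000] "GET /private/b.html HTTP/1.1" 200 2048
198.51.100.9 - - [18/Sep/2011:11:00:00 +0000] "GET /private/c.html HTTP/1.1" 404 0
"""

def parse(log_text):
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            ip, ts, path, _status = m.groups()
            yield ip_address(ip), datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

def is_scanner(ip):
    return any(ip in net for net in SCANNER_NETS)

def correlate(log_text):
    """Pair each scanner fetch with the nearest human fetch of the same path."""
    hits = list(parse(log_text))
    humans = [(ts, path) for ip, ts, path in hits if not is_scanner(ip)]
    results = []
    for ip, ts, path in hits:
        if not is_scanner(ip):
            continue
        lags = [ts - h_ts for h_ts, h_path in humans if h_path == path]
        if not lags:
            results.append((path, None, "no-human-visit"))
            continue
        lag = min(lags, key=abs)   # signed: negative means the scanner came first
        kind = "inline" if abs(lag) <= INLINE_WINDOW else "delayed"
        results.append((path, lag.total_seconds(), kind))
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

A "delayed" row with a lag of minutes or more is the pattern the post is puzzled by; "no-human-visit" rows are scanner fetches of paths no logged human requested.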