I have developed a simple web site using MVC4.

Where appropriate, I normally follow a PRG (Post/Redirect/Get) pattern for my views/controllers, but due to some unusual requirements, I have 'had' to introduce a simple Controller that sends a link, via email to the visitor (for a whitepaper in this case). The controller effectively acts as a service to other pages on the web site.

This all worked well in testing with the controller managing the HTTP GET Requests and sending an email. When we opened a small public trial, several users complained that they were getting 2 or 3 emails instead of the 1. At first we thought this must be a user/interface error, but after more persistent complaints we added some tracing to the controller and found that with some users, the first request was followed almost immediately (<5ms) by a second and sometimes third request.

Yesterday, a bit more light fell on the subject when I tried different AV solutions. It appears, and I can't be 100% sure, that these additional requests seem to be related in some way to certain Anti-Virus solutions. AVG for example, doesn't generate a second request (at least not how we have it configured), but other products seem to produce predictable, multiple HTTP Requests against the controller.

Can anyone explain what might be going on and if it is possible to identify the additional requests from the 'real' request?

Any help/direction would be much appreciated.


Solution

This is perhaps not an answer, but it is an explanation of the problem.

Some anti-virus solutions (we have tested against Trend Micro, but I am sure others do the same - though not all), monitor the client's web traffic and then scan the requested URL in order to build a 'web reputation' profile. Trend Micro call this their Web Reputation Service (WRS).

Things I have discovered about this service from a web server perspective:

  • The request URL will be exactly the same as the originating URL
  • The request IP address will be from a Trend server, not the local client IP address
  • The request will, of course, create its own session
  • The request may be within a few seconds of the original request, or several minutes later

All of the above make it very difficult to detect one of these requests and handle it differently (which is obviously the idea).

In summary, if you are running a public web site and your workflow logic relies upon the expectation of a singleton relationship between user and request, you probably need to redesign to a more resilient pattern such as PRG.
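The PRG redesign suggested above, sketched for ASP.NET MVC as an added example that is not part of the original answer: the GET only renders a form, and the email is sent only from a POST, so a scanner replaying the URL triggers nothing. `WhitepaperController`, `IWhitepaperMailer`, the action names and the views are hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical abstraction over the existing mail-sending code.
public interface IWhitepaperMailer
{
    void SendLink(string emailAddress);
}

public class WhitepaperController : Controller
{
    private readonly IWhitepaperMailer _mailer;

    // Assumes a dependency resolver is configured to supply the mailer.
    public WhitepaperController(IWhitepaperMailer mailer)
    {
        _mailer = mailer;
    }

    // GET has no side effects: a reputation scanner re-requesting this
    // URL from its own servers only receives the empty form.
    [HttpGet]
    public ActionResult Index()
    {
        return View();
    }

    // The email is sent only on POST. The view must render
    // @Html.AntiForgeryToken() inside the form, which ties the POST to
    // a form this site issued to this browser session.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(string emailAddress)
    {
        if (string.IsNullOrWhiteSpace(emailAddress))
        {
            ModelState.AddModelError("emailAddress", "An email address is required.");
            return View();
        }

        _mailer.SendLink(emailAddress);
        TempData["Sent"] = true;          // survives exactly one redirect
        return RedirectToAction("Sent");  // Redirect, then GET
    }

    // Confirmation page. A replayed or direct GET with no preceding POST
    // carries no TempData flag and is sent back to the form.
    [HttpGet]
    public ActionResult Sent()
    {
        if (TempData["Sent"] == null) return RedirectToAction("Index");
        return View();
    }
}
```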

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow