This is perhaps not an answer, but is is an explanation of the problem.
Some anti-virus solutions (we have tested against Trend Micro, but I am sure others do the same - though not all), monitor the client's web traffic and then scan the requested URL in order to build a 'web reputation' profile. Trend Micro call this their Web Reputation Service (WRS)
Things I have discovered about this service from a web server perspective:
- The request URL will be exactly the same as the originating URL
- The request IP address will be from a Trend server, not the local client IP address
- The request will, of course, create its own session
- The request may be within a few seconds of the original request, or several minutes later
All of the above make it very difficult to detect one of these requests and handle it differently (which is obviously the idea).
In summary, if you a running a public web site and your workflow logic relies upon the expectation of singleton relationship between user and request, you probably need to redesign to a more resilient pattern such as PRG.