You would need to add a comment why this zip is placed there for download…
McAfee is in charge of this, not GWT, since it’s correct code and a bad virus scanner…
I think the only hope for Vaadin.jar would be to find out which component uses <embeded src=… and look if there is way to work arround this.
Or perhaps this is something coming from GWT itself, but then other GWT based downloads should show the same false positives…