Author Topic: Threat detected  (Read 3575 times)

TheScorpion

  • Guest
Threat detected
« on: May 15, 2011, 12:12:16 AM »
Avast has started notifying me of a possible threat detected by 'heuristic method'.
The suspect file detected is given as ??\C:\Windows\SiSPort.sys
I have so far selected 'Ignore' as I'm not sure if it is safe to delete. Does anyone have any ideas if this is a false detection or not or how I can find out? Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89145
  • No support PMs thanks
Re: Threat detected
« Reply #1 on: May 15, 2011, 12:37:35 AM »
Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, investigate as you are.

This is the anti-rootkit scan 8 minutes after boot (yes on rough time frame, see example image)?

What is your OS?

Quote from: SiSport.sys
It is normally associated with the SIS chipset USB driver. I haven't heard
of any malware that uses this filename but you never know. If your
motherboard uses the SIS chipset I would allow it.

Also see, http://www.online-armor.com/oasis2/file/advanced_micro_devices__inc_/windows__r__2000_ddk_driver/sisport_sys/30955.

So for the time being just Ignore.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

TheScorpion

  • Guest
Re: Threat detected
« Reply #2 on: May 15, 2011, 06:47:09 AM »
Thanks for the reply DavidR.

My op system is Windows XP Pro SP3 using Firefox 4.0.1

A search for Sisport.sys shows it in C:\Windows.
Its version is 5.0.2195.1 (not listed in that link you gave)
Windows(R) 2000 DDK driver
Size 3.49KB

Belarc Advisor shows several 'SiS' entries for my computer though none under 'Main circuit Board' (motherboard?)

The warning has come up twice so far - once after being online for about an hour and again during bootup.
Will 'ignore' in meantime and see what happens.

Offline DavidR

Re: Threat detected
« Reply #3 on: May 15, 2011, 04:11:38 PM »
I don't know why it would come on/alert after being on-line for an hour.
If it is the same avast alert example image that I posted as that is the anti-rootkit scan and only runs at certain times (this isn't one of them)?

The Sisport.sys may be used by other instances other than the example google hit that I posted.

I'm having a similar occurrence but with a different hidden driver (but I know exactly what it is), so every day for the last three boots (8 minutes after) I get the alert that I ignore. Now information on these alerts/notifications 'should' be passed back to avast using the avast CommunityIQ feature and hopefully analysed and corrected.

In the meantime just keep clicking the Ignore option.

TheScorpion

  • Guest
Re: Threat detected
« Reply #4 on: May 15, 2011, 11:37:24 PM »
Quote from: DavidR
I don't know why it would come on/alert after being on-line for an hour.
If it is the same avast alert example image that I posted as that is the anti-rootkit scan and only runs at certain times (this isn't one of them)?

Yes, it is the same alert. (although path given as ??\C:\Windows\SisPort.sys)
Seems the alert is popping up now every time at boot up. Have ignored and used the file forwarding function. Hopefully it will be resolved eventually.

Offline DavidR

Re: Threat detected
« Reply #5 on: May 15, 2011, 11:58:32 PM »
The image is an example only, so locations, etc. won't be the same; its purpose is to confirm it is the rootkit scan that is alerting.

The rootkit scan starts 8 minutes after boot, so each time you reboot it would alert again until resolved.