Hopefully one of these years the behavior shield will become developed enough to include a log or report.
There is a long thread that I started in a similar vein a month or so ago - however, it seems that, despite the graphical notification of a BS alert, it is actually the rootkit scan after start-up that is flagging, as DavidR points out above.
In my case the arpot log was at least capable of identifying the file:
09/04/2011 10:20:44 Suspic Driver: \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25641\RapportCerberus_25641
Yup,
I get that message about once a year. The wording should be better and/or the options should be more. It's the Behavior Shield completing its surface rootkit scan, and after 8 minutes, it reports that suspicious file with an Ignore or Delete option. Nothing else, saying to allow the files to be sent to the Virus Lab for analysis. I still say that the Delete Options should NOT be there for a suspicious file.
Oh and another thing that I want to ask about this annual issue. Why doesn't the Sandbox kick in if set to Auto or Ask for a prompt on what to do? I thought the whole point of the Sandbox is to have a quarantined special place to isolate suspicious files? Should that Behavior Shield notice of the suspicious file be prompted to go in the Sandbox for "Ask?" Or a notification pop-up that the file is going into the Sandbox on auto? The only time you should see the message you are seeing, would be if you don't have sandbox turned on.
90% of the time, the shield is good, but it just seems that there is this sensitivity that from time to time is generating what, I won't call it a BS alert. But it seems to be a false positive thing. If this Behavior issue came up as a Sandbox situation as it should, it would be better than it is now, and I almost wouldn't care if when that Behavior Shield thing came up, it was treated as a sandbox situation. However, as it stands now, the verbiage on "Ignore" or "Delete" for a suspicious file is too confusing.
This issue needs to be studied by the engineers and improved in future Avast updates.
Jack