Avast behaviour shield blocks when updating Firefox

Last night, I updated Firefox from version 15 to 15.0.1, and at the end of the process, just before Firefox reopened itself, I was notified that the Avast behaviour shield had blocked suspicious activity. I have the behaviour shield set to automatically block suspicious activity instead of auto-deciding, on the recommendation of some of the members here. However, now I’m worried whether this signifies a malware presence on my computer (scans show nothing) or if not, whether Firefox has been updated properly (even if I can open it, browse and everything) what with Avast blocking activity that could possibly be of importance to the update process.

This is the specific entry in the behaviour shield report:

07-09-2012 23:49:10 Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance By: C:\Windows\Temp\nsg35DF.tmp\nsExec.dll Via: C:\Windows\System32\services.exe -> Action denied

Well, turning the Behaviour Shield to block is going to notify you every time a lot of programs update, so it’s best to either set it back to auto decide (default) or, if you’d like a bit more control, set it to ask.

It is expected that Avast! alerts on any suspicious activity when upgrading any program. Too many new files. I said alert because, like Craigb said, it is better to have BS set to ask for more control, or if you want Avast! to decide by itself just leave it in auto-decide.

If you automatically updated Firefox or installed the new program from its web page, it would be difficult for it to be some kind of malware. These are my entries when I installed FF 15.0.1 yesterday. Bear in mind that I run XP Pro_86 so the files may not be the same or the location.

07/09/2012 7:43:05 Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\MozillaMaintenance\ By: C:\DOCUME~1\HERNAN~1\CONFIG~1\Temp\nscF.tmp\ns10.tmp Via: C:\WINDOWS\system32\services.exe -> Action allowed

07/09/2012 7:54:40 Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\MozillaMaintenance
By: C:\DOCUME~1\HERNAN~1\CONFIG~1\Temp\nsm19.tmp\ns1A.tmp
Via: C:\WINDOWS\system32\services.exe
→ Action allowed

Now, did FF install correctly even though that file was blocked? I cannot tell, but I would reinstall FF just in case.

Thanks for the answers. I use Vista. I just set the behaviour shield to ask/alert, and then proceeded to uninstall Firefox via the control panel, and reinstall the newest version (from a download directly from the official site). I received alerts both when uninstalling and installing, and chose to allow the activities:

08-09-2012 17:32:45 Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance By: C:\Users\Jonathan\AppData\Local\Temp\~nsu.tmp\Bu_.exe Via: C:\Windows\System32\services.exe -> Action allowed

08-09-2012 17:35:20 Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance By: C:\Users\Jonathan\AppData\Local\Temp\nsxCF44.tmp\nsExec.dll Via: C:\Windows\System32\services.exe -> Action allowed

Now, this is an Avast user forum and not a Firefox user forum, but I hope this seems familiar and benign to Firefox/Vista users examining their behaviour shield logs.

Edit: I just tried uninstalling/installing the same way again, but this time with the behaviour shield set to auto-decide, and the entries are identical (except the temp folder which contains the nsexec.dll file is named differently):

08-09-2012 17:49:38 Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance By: C:\Users\Jonathan\AppData\Local\Temp\~nsu.tmp\Bu_.exe Via: C:\Windows\System32\services.exe -> Action allowed

08-09-2012 17:50:10 Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance By: C:\Users\Jonathan\AppData\Local\Temp\nsdE766.tmp\nsExec.dll Via: C:\Windows\System32\services.exe -> Action allowed

My guess is if you had kept the default Auto-Decide setting, you wouldn’t have heard a peep from the Behavior Shield. Sometimes it is best to leave the settings where the smart guys set them.

The Mozilla maintenance service introduced in version 15 is used by Mozilla to bypass the UAC, so that’s why it was flagged. If you set it to auto-decide, Avast will decide it is ok and let it through; if you set it to block then it will consistently block the action. You can uncheck “Use a background service to install updates” found in the Firefox options menu if you don’t want to deal with it, and make Firefox update like prior versions.

http://support.mozilla.org/en-US/kb/what-mozilla-maintenance-service
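
An added example, not part of any post in this thread and not Avast's own tooling: a small Python parser for behaviour shield entries in the two layouts posted above. It folds `ControlSet001` and `CurrentControlSet` into one key and lists services whose last recorded write was denied, the case the original poster was worried about. The field layout is assumed from the entries in this thread, and the function names are hypothetical.

```python
import re

# Entries modelled on the ones posted in this thread (user folder replaced),
# one in the single-line layout and one in the wrapped layout.
SAMPLE = r"""07-09-2012 23:49:10 Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MozillaMaintenance By: C:\Windows\Temp\nsg35DF.tmp\nsExec.dll Via: C:\Windows\System32\services.exe -> Action denied
07/09/2012 7:54:40 Modification of: \REGISTRY\MACHINE\System\CurrentControlSet\Services\MozillaMaintenance
By: C:\DOCUME~1\USER~1\CONFIG~1\Temp\nsm19.tmp\ns1A.tmp
Via: C:\WINDOWS\system32\services.exe
→ Action allowed
"""

# Fields may be separated by spaces or line breaks; the arrow is "->" or "→".
ENTRY = re.compile(
    r"(?P<when>\d{2}[-/]\d{2}[-/]\d{4} \d{1,2}:\d{2}:\d{2})\s+"
    r"Modification of:\s*(?P<key>.+?)\s+By:\s*(?P<by>.+?)\s+Via:\s*(?P<via>.+?)\s*"
    r"(?:->|→)\s*Action (?P<action>allowed|denied)",
    re.S,
)

def normalize_key(key):
    # Assumption: ControlSetNNN in the log is the active control set.
    key = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key, flags=re.I)
    return key.rstrip("\\").lower()

def service_of(key):
    norm = normalize_key(key)
    m = re.search(r"\\services\\([^\\]+)", norm)
    return m.group(1) if m else norm  # fall back to the whole key

def parse(log):
    entries = []
    for m in ENTRY.finditer(log):
        by = m["by"]
        entries.append({
            "when": m["when"],
            "service": service_of(m["key"]),
            "writer": by.rsplit("\\", 1)[-1],
            "from_temp": bool(re.search(r"\\te?mp\\", by, re.I)),
            "action": m["action"],
        })
    return entries

def unresolved_denials(entries):
    """Services whose last recorded write (in log order) was denied."""
    last = {}
    for e in entries:
        last[e["service"]] = e
    return sorted(s for s, e in last.items() if e["action"] == "denied")

if __name__ == "__main__":
    print(unresolved_denials(parse(SAMPLE)))
```

A service listed by `unresolved_denials` had its configuration write blocked and never retried successfully in the log, so its install or update is worth repeating.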