Nothing wrong with Kerio, it’s one of the finest firewalls.

@dolphins, when Kerio alerts, look at the bottom - you need to make a permanent rule for this application - but don’t include the remote IP since the server changes. Make sure your rules sequence is ok - it might not be since you say you allow the update and it still won’t run. But I suspect your problem is with the child executables.

The main problem is what happens after when the new file comes in.
Outpost, OnlineArmor, Sunbelt, any GOOD firewall, sees a NEW EXECUTABLE. By design it must ask for permission.
Since Avast gives those new child executables a different filename, such as
c:\Program Files\AVAST Software\Avast\Setup\fec4d8ce-99fb-4ea5-8a09-f19dcf12eb20.exe
c:\Program Files\AVAST Software\Avast\Setup\629ce6f5-9888-4934-b71d-7fbd07ed0dea.exe
the good firewalls must alert, even if something like trusted app (avastEmUpdate.exe parent) is permitted.

This has been discussed, and dismissed here as firewalls’ fault. Few discussions worth reading (and there are many more on this forum)
http://forum.avast.com/index.php?topic=126731.0
http://www.outpostfirewall.com/forum/showthread.php?27540-Avast-9-emergency-update-exe-files

All we need is an invariant filename.