Here is the problem: I have a driver, and a system service which is responsible for installing and updating the driver. The service can install the driver just fine as expected, but when it attempts to uninstall the driver so it can be updated, Avast Behavior Shield prompts the user that an untrusted program is accessing a protected resource, and that resource is the “DeleteFlag” registry value that is used internally by Windows to remove the driver service. Shouldn’t this be an allowed operation? An installed system service running under the local system account should be a trusted program, and if it’s allowed to install the driver, it should most definitely be allowed to uninstall it. This certainly sounds like a false positive to me. Can anyone provide some insight on this? Thanks in advance.
Maybe you can disable the Behavior Shield and uninstall the driver.
Maybe you can give more info about the driver (name of the product, etc.).
The driver is developed by me, and it doesn’t do anything yet. I’m just testing the scenario so I have the automatic update working. Disabling the behavior shield isn’t acceptable because other people will use the software. It doesn’t make sense that the system service can install the driver, but cannot uninstall it. Does this help?
Can you send the samples to http://www.mailonpix.com/images/2ca7d332dfae2625fd83af4eed109c28.gif ?
You can zip and password the files… Inform a link to this thread and the password used.
Ok, I sent a packaged-up sample including a link to this thread and the password for the archive. Thank you for your quick assistance.
Welcome and be used to avast forum speed
Any progress with the samples I sent? I don’t mean to be a pest but I’m very eager to solve this issue. Thanks again.
You generally won’t be contacted unless they need more information. You can periodically check it (scan it in the chest), there should still be a copy in the chest if it was sent there. When it is no longer detected you can assume the signature has been corrected. Then you can restore it from the chest to its original location.
Mind you if this is just a behavior shield notification it may not be that simple as it isn’t detected by conventional signatures.
That’s just it, it’s a behavior shield notification under a circumstance that should not be intercepted in my logical opinion. I’ve made my point as clear as possible so I guess I’ll have to be patient and hope for the best. Thanks for your input.
You could add it to the trusted processes, avastUI, Real-time Shields, Behavior Shield, Expert Settings, Trusted Processes. Assuming it is a legit file from a legit source and you believe it is clean.
Or you set the behavior shield to Ask, avastUI, Real-time Shields, Behavior Shield, Expert Settings. When it crops up again, you can allow and add to trusted programs, see image example.
I’m just very curious as to why the behavior shield is prompting at uninstall. I suppose the question could also be what is required for the shield to determine a process is trusted.