Firefox ability to disable some options

Hey,

I keep seeing this message appear at the top of the page when I go to Options in Firefox: “your organization has disabled the ability to change some options”. I figured out that it’s caused by “C:\ProgramData\AVAST Software\Avast\wscert.der”. Tried reinstalling both Avast and Firefox and deleting the registry and it was gone, but now it’s back. Is that message supposed to be there, and if not, how do I get rid of that file permanently? I can make changes to my options but not sure what options are the ones that I can’t change.

I have that same message.

This may have something to do with FF not updating certificates and disabling add-ons. Yesterday, uBlock Origin and many other well-established add-ons were blocked by Mozilla. I used their Study kluge for the quick fix described below and my add-ons returned. My other PC was working fine this AM. See: https://www.bleepingcomputer.com/news/software/firefox-addons-being-disabled-due-to-an-expired-certificate/

FF is supposed to come out with an updated version 66.0.4 today or tomorrow, so we will see if that fixes things.

It is due to Avast using the Policies section of the registry to force their HTTPS certificate into Firefox.

@alanb, thanks for detailing the mechanism of the FF alert. Any insight to the OP’s question about any specific options that are actually unchangeable? Or is this just FF’s generic way of saying that their installed product has unexpectedly been tweaked? I’ve yet to be blocked from changing any common options, but I normally don’t change much anyway. JC.

BTW, the FF updates that repaired the add-ons problem have not affected this issue. I still see the “options” alert in FF 66.0.5 and the add-ons are functional.

The message only appears if one or more policies has been set for the browser. Its wording is less than ideal and the guys at Mozilla are talking about changing it.

There are two ways to set policies for Firefox: creating a “policies.json” file in the “distribution” folder of Firefox’s install location, or creating entries in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla.

The problem with avast doing this (and it is not condoned by Mozilla) is that if that registry key exists at all, the policies.json stops working. As a result I have lost the policies I configured for Firefox.

A royal PITA >:(
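
The two policy sources described in the post above can be checked side by side. The following is an added example, not code from the thread or from Mozilla or Avast; it assumes Firefox is installed in a default Program Files location and uses the registry path and the “distribution” folder named in the post.

```powershell
# Added example (not from the thread): report which Firefox policy source is present.
$regRoot = 'HKLM:\SOFTWARE\Policies\Mozilla'   # registry location named in the thread

# Assumption: Firefox is installed in a default Program Files location.
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Mozilla Firefox' }

# Collect every value under the policy key, including subkeys such as Firefox\Certificates.
$regPolicies = @()
if (Test-Path $regRoot) {
    $keys = @(Get-Item $regRoot) + @(Get-ChildItem $regRoot -Recurse)
    $regPolicies = foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

# Look for policies.json in the "distribution" folder of each install location.
$jsonFiles = $installDirs |
    ForEach-Object { Join-Path $_ 'distribution\policies.json' } |
    Where-Object { Test-Path $_ }

if ($regPolicies) {
    'Registry policies found:'
    $regPolicies | Format-Table -AutoSize
} else {
    "No values under $regRoot"
}

foreach ($file in $jsonFiles) {
    "policies.json found: $file"
    (Get-Content $file -Raw | ConvertFrom-Json).policies | ConvertTo-Json -Depth 10
}

# As described in the thread: once the registry key exists, policies.json is ignored.
if ((Test-Path $regRoot) -and $jsonFiles) {
    Write-Warning 'Registry policy key exists; the policies.json above is not being applied.'
}
```

The registry values it lists should match what Firefox shows under “Active” in about:policies.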


@alanb, thanks for the extra info. I was not aware of the policies.json option for organizations to control user mods to FF settings. That explains the wording of the alert for me and why I can still change FF settings.

So while FF and avast “discuss” how certs should be installed and how Registry policies can coexist with policies.json files, it seems organizations can’t lock down FF settings and run avast too. Or is there an avast config choice that doesn’t install that policy in the Registry? For example, if the cert is for HTTPS, would turning off avast HTTPS scanning end up eliminating the FF alert?

> So while FF and avast "discuss" how certs should be installed and how Registry policies can coexist with policies.json files

I don't think that will happen - if any registry policy exists, policies.json will be ignored (by design).

> it seems organizations can't lock down FF settings and run avast too.

Not true. Organizations can enforce their policies (via GPO) in the registry. The Avast policy is added: it is not a replacement for any policies already in force.

> Or is there an avast config choice that doesn't install that policy in the Registry?

Haven't found one yet :(

> would turning off avast HTTPS scanning end up eliminating the FF alert?

Nope - already tried :(

FWIW, here is the link to the Mozilla dev’s comment: https://bugzilla.mozilla.org/show_bug.cgi?id=1541927#c14.

@alanb, One more thank you for even more details. No surprise in the Mozilla link to see AVG called out, too. At the risk of riling up the fanboys, I hope this isn’t a plot to sabotage the competitor of a product that avast tries to (sneak) install during any update of itself or even its own browser product (just speculating). As a longtime FF fanboy myself, I can survive this nuisance, but I don’t know about keeping avast if they insist on more mucking with my fav browser.

Still appears in FF67.

Just noticed it on my Firefox 67.0.1 on my Win 7 Pro 64-bit machine.

I do NOT have a folder C:\program files\mozilla firefox\distribution.

I do NOT have a file policies.json anywhere on my C:\ drive.

In my registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates, the only entry is ImportEnterpriseRoots with data value 1 (appearing as 0x00000001 (1)). There are no entries above that subkey Certificates.

In my FF, in about:policies, in “Active”, I see this:

  Policy Name    Policy Value
  Certificates   ImportEnterpriseRoots   true

So - is it Avast or not?

If it’s Avast, how is Avast doing this, and what is Avast doing?

I’m not a tech, so please make it simple for dummies. Thanks.

Some additional investigation by others discussed here: https://forum.avast.com/index.php?topic=227348.msg1506491#msg1506491

Seems like, for now, avast is taking advantage of a Firefox loophole to add their certificate in a backdoor way (by Firefox conventions), if I followed that topic correctly.

Or, is Firefox using a back door way of loading their certificates? It all depends on how you look at this subject.