Thank you for the reply, but that does not match the behavior that I am seeing.
Using the Keychain Access app, I can see the CA certificate for my firewall alongside the Avast trusted CA as a certificate in the System Keychain.
With Avast active, but the web shield disabled, I can load a URL and see the certificate chain by clicking on the lock icon in the URL location field shows my firewall generated certificate, an intermediate CA, and the root CA which corresponds to what is in they Keychain.
However, when I enable the Avast web shield and shift-reload the URL, the chain is not a chain at all and just shows the Avast untrusted CA certificate.
Is there a way to trace the Avast web shield to see what certificate authorities it knows about?