Safire Knowledge Base

Malware passed by firewall is the number of malware files that the firewall under test allowed to pass through.

Malware (malicious software) is any software intentionally designed to cause damage to a computer, server, client or network. Malware does its damage after it is implanted or introduced in some way into a target’s computer, and can take the form of executable code, scripts, active content, and other software. Such code includes computer viruses, worms, Trojan horses, ransomware, spyware, adware, and so on.

A firewall without its anti-malware function enabled exposes the enterprise network to significant risk. Performance testing a firewall without keeping its anti-malware engine busy can therefore produce invalid results. To exercise the anti-malware engine, virus injection is used together with the simulated user traffic. The goal is not to test the security efficacy of the firewall but to keep the anti-malware engine busy so that the performance results are convincing.

The test malware file used by Safire is EICAR. It is safe to use because it is not a virus and contains no fragments of viral code, yet most security products react to it as if it were a virus. The file is a legitimate DOS program and produces sensible results when run.

Safire’s malware test traffic includes 10 non-encrypted and 10 TLS-encrypted viruses, which are sent to the firewall under test together with the legitimate test traffic. To block the non-encrypted malware traffic, the firewall must have its anti-malware function enabled. To block the encrypted viruses as well, the firewall must also have SSL decryption enabled.

The firewall under test should allow no malware to pass. If any passes, either the firewall is not configured properly or its anti-virus engine has become too unstable under load to work.
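As an added example (not Safire’s own code), the following client-side check computes the metric described above: it inspects the response bodies the simulated clients received and counts how many EICAR test files arrived intact, split by plain and TLS-encrypted flows. The Response structure and the sample responses are constructed for illustration.

```python
"""
Client-side counter for the "malware passed by firewall" metric: inspect the
HTTP response bodies the simulated clients received and count how many EICAR
test files arrived intact, split by plain and TLS-encrypted flows.
"""
import re
from dataclasses import dataclass

# The 68-byte EICAR test string, assembled at run time from pieces so that
# this source file itself is not flagged by endpoint anti-virus.
EICAR = "".join([
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$",
    "H+H*",
]).encode("ascii")

# Per the EICAR specification, a valid test file is the 68-byte string,
# optionally followed by whitespace, with the whole file at most 128 bytes.
_EICAR_RE = re.compile(rb"\A" + re.escape(EICAR) + rb"[ \t\r\n]*\Z")

@dataclass
class Response:
    """One response as seen by a simulated client (hypothetical structure)."""
    flow_id: str
    encrypted: bool   # True if the flow was TLS and the firewall had to decrypt it
    status: int
    body: bytes

def is_intact_eicar(body: bytes) -> bool:
    """True if the body is a valid EICAR file that reached the client unmodified."""
    return len(body) <= 128 and _EICAR_RE.match(body) is not None

def count_malware_passed(responses):
    """Return (plain_passed, tls_passed): EICAR files the firewall let through.
    A blocked, reset or truncated download is not counted as passed, since the
    client never received a working test file."""
    plain = tls = 0
    for r in responses:
        if r.status == 200 and is_intact_eicar(r.body):
            if r.encrypted:
                tls += 1
            else:
                plain += 1
    return plain, tls

def sample_responses():
    """Constructed sample: one plain and one TLS EICAR passed, one blocked,
    one truncated by a connection reset, plus a legitimate page."""
    return [
        Response("f1", False, 200, EICAR + b"\r\n"),                           # passed, plain
        Response("f2", False, 403, b"<html>Virus blocked by firewall</html>"),  # blocked
        Response("f3", True, 200, EICAR[:40]),                                  # truncated
        Response("f4", True, 200, EICAR),                                       # passed, TLS
        Response("f5", False, 200, b"<html>legitimate test page</html>"),       # clean traffic
    ]
```

Run `count_malware_passed(sample_responses())` on the constructed sample to get `(1, 1)`; a correctly configured firewall with SSL decryption enabled should yield `(0, 0)` on the real 10 + 10 flows.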