This article is from the Computer viruses FAQ, by David Harley D.Harley@icrf.icnet.uk, George Wenzel firstname.lastname@example.org and Bruce Burrell email@example.com with numerous contributions by others.
Firewalls don't generally screen computer viruses, though some firewall
products may allow for virus-scanning plug-ins. There are also
"viruswalls" that scan for viruses at the Internet gateway.
Some such products can scan incoming and outgoing E-mail
attachments, ftp'd or http'd files etc. for viruses. MIMESweeper,
uses yout favourite scanner for scanning the viruses after it has
opened up the E-Mail attachments in a secure area on the hard drive
of the NT machine. Obviously, the on-demand scanner is an additional
MIMESweeper has advanced content filtering abilities which go beyond
its capabilities (with assistance from other software) for detection
of file viruses and trojans.
These products do real scanning before the mail hits the workstation
hard drive but make sure your mail attachments, WWW downloads etc. can't
be automatically executed and use a good TSR/VXD in combination with a
good on-demand scanner.
Note that realtime virus scanning at the gateway can add a heavy network
overhead and probably won't catch as many viruses as checking *all*
files from *all* sources with a desktop scanner.
Current informed thinking tends to be that detection of viruses at
the firewall is acceptable (1) if you can afford the additional
hardware, software and latency (processing overhead), not to mention
the hidden administrative overheads of configuration and policy for
dealing with boundary conditions such as unusual 7-bit encoding formats,
encrypted files etc. (2) as long as you appreciate that it can only be
supplementary to checking at the desktop, not a replacement. Mail
attachments, FTP and HTTP are more significant vectors for virus
transmission than formerly, especially with the near-exponential
boom in macro viruses, but other vectors (especially floppy disks)
are still of vital concern. System administrators are attracted by
the fact that it's easier to update server software than control
the use of scanning on individual workstations, but the fact remains
that in most environments, until the desktop is adequately protected
with good, up-to-date realtime (on-access) scanning and/or scheduled
on-demand scanning, virus scanning at the perimeter is a
For firewall-related information see the newsgroups
or, if you don't mind your mail by the ton, the firewalls mailing-lists.
Marcus Ranum's firewalls FAQ:
Firewalls and Internet Security - Repelling the Wily Hacker
(Cheswick, Bellovin) - Addison-Wesley
Building Internet Firewalls (Chapman, Zwicky) - O'Reilly