Why would a firewall policy not block a known virus like EICAR?

Prepare for the Fortinet FortiGate 7.4 Administrator Test. Use flashcards and multiple choice questions with explanations to enhance understanding. Be exam ready!

A firewall policy may not block a known virus like EICAR if it lacks deep content inspection capabilities. Traditional firewalls primarily inspect packets at the network and transport layers, which is effective for filtering based on IP addresses, ports, and protocols. However, to effectively detect and block viruses, the firewall needs to perform deep packet inspection (DPI). This involves analyzing the actual content of the packets, enabling the firewall to identify patterns or signatures consistent with malicious files.

Without deep content inspection, the firewall may not recognize the EICAR test file as a virus, as it would not delve into the packet data beyond basic criteria. This means that even if the policy is correctly configured to block viruses, without DPI, threats that operate at the application layer might slip through undetected, allowing potentially harmful traffic to pass through the firewall.
