
Firewalls can't protect very well against things like viruses or malicious software (malware). There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack--attacks in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of sendmail, ghostscript, scripting mail user agents like Outlook, and Web browsers like Internet Explorer.
Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than only trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software that is run when the machine is rebooted. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, CDs, modems, and the Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet. Virus scanning at the firewall or e-mail gateway will stop a large number of infections.
An increasing number of firewalls are offering antivirus and malware capabilities. These are applied to the industry-standard protocols for email, web traffic, instant messaging, and file transfers, and only on proxyable services. These are a very small number of protocols out of thousands, and the scanning only works when traffic follows the standard conventions (e.g., SMTP on port 25, HTTP on port 80, and so on). Such antivirus/malware firewalls are of limited use unless your policies state that only industry standards will be followed, and your firewall administrators strictly adhere to this approach. They are not a panacea.
You must also balance the risk that the failure of a single component in an all-in-one solution compromises the entire system against the cost of using different platforms for each feature. A lot of malicious software, or malware, is packed, encrypted, compressed or archived. Traditionally, scanner authors have had trouble keeping up with the changing formats of archivers and with recursively nested archives, which has given malware authors more ways to slip past inspection.
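One illustration of the archive-handling problem described above, added here as an example that is not part of the FAQ: a gateway-side inspector that recursively unpacks nested zip files but refuses to go beyond a nesting depth, a total uncompressed size, or a compression ratio. The limit values, the function names and the constructed sample archives are assumptions.

```python
import io
import zipfile

# Limits a gateway scanner would enforce (assumed values): nesting, total bytes, ratio.
MAX_DEPTH = 3
MAX_TOTAL_BYTES = 10 * 1024 * 1024
MAX_RATIO = 100

def scan_archive(data, depth=0, path="", budget=None):
    """Walk a zip, descending into nested zips, under the limits above.
    Returns (members, violations): leaf (path, size) pairs and policy hits."""
    budget = budget if budget is not None else {"bytes": 0}
    members, violations = [], []
    if depth > MAX_DEPTH:
        violations.append(f"{path}: nesting deeper than {MAX_DEPTH}")
        return members, violations
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        violations.append(f"{path}: unreadable archive")
        return members, violations
    for info in zf.infolist():
        full = f"{path}/{info.filename}" if path else info.filename
        # A huge uncompressed size behind a tiny compressed one is a zip bomb.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            violations.append(f"{full}: compression ratio exceeds {MAX_RATIO}")
            continue
        budget["bytes"] += info.file_size
        if budget["bytes"] > MAX_TOTAL_BYTES:
            violations.append(f"{full}: total uncompressed size exceeds limit")
            break
        payload = zf.read(info)
        if zipfile.is_zipfile(io.BytesIO(payload)):
            sub_members, sub_violations = scan_archive(payload, depth + 1, full, budget)
            members.extend(sub_members)
            violations.extend(sub_violations)
        else:
            members.append((full, info.file_size))
    return members, violations

def build_nested(levels, payload=b"MZ...constructed sample"):
    """Constructed test input: one file wrapped in `levels` nested zips."""
    data, name = payload, "sample.exe"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{i}.zip"
    return data
```

A real gateway would hand each leaf member to the virus scanner; here the point is that every recursion and every byte is bounded before anything is scanned.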
Antivirus/antimalware systems should be defenses in depth--firewalls, servers, and desktops should all be protected, preferably by separate/different systems so that if one can't protect against a particular malware another might.
A strong firewall is never a substitute for sensible software that recognizes the nature of what it's handling--untrusted data from an unauthenticated party--and behaves appropriately. Do not think that because "everyone" is using that mailer or because the vendor is a gargantuan multinational company, you're safe. In fact, it isn't true that "everyone" is using any mailer, and companies that specialize in turning technology invented elsewhere into something that's "easy to use" without any expertise are more likely to produce software that can be fooled. Further consideration of this topic would be worthwhile [3], but is beyond the scope of this document.