When the firewall blocks the EICAR download over HTTP, the threat log shows the action reset-server. What does that mean for a TCP/80 connection?
reset-server means the firewall sent a TCP RST toward the server, tearing down the connection so the malicious download cannot complete.
* reset-server injects a TCP RST toward the server to kill the download. *
HTTP runs over TCP (port 80), which is connection-oriented. To stop an in-flight transfer, the firewall can't just "drop" silently and leave both ends hanging — instead it actively injects a TCP reset (RST) packet. Variants of the action:
- reset-server: RST sent toward the server side of the connection.
- reset-client: RST sent toward the client.
- reset-both: RST sent to both ends.
The result the user sees: the wget/download fails with an error, because the connection was forcibly closed mid-transfer when the EICAR signature matched.
Why a reset and not a silent drop? A clean RST ends the session immediately and predictably, rather than letting it time out — faster failure, clearer behavior.
Tip: Reset actions only make sense for connection-oriented protocols (TCP). For connectionless UDP there's no connection to reset, so the firewall just drops.
Go deeper:
TCP reset attack (Wikipedia) — how a forged/injected RST tears down a live TCP session.