LOGBOOK

HELP

Quiz Entry - updated: 2026.07.06

When the firewall blocks the EICAR download over HTTP, the threat log shows the action reset-server. What does that mean for a TCP/80 connection?

reset-server means the firewall sent a TCP RST toward the server, tearing down the connection so the malicious download cannot complete.

Firewall matches EICAR in-flight and injects a TCP RST toward the server, tearing down the download.

* reset-server injects a TCP RST toward the server to kill the download. *

HTTP runs over TCP (port 80), which is connection-oriented. To stop an in-flight transfer, the firewall can't just "drop" silently and leave both ends hanging — instead it actively injects a TCP reset (RST) packet. Variants of the action:

  • reset-server: RST sent toward the server side of the connection.
  • reset-client: RST sent toward the client.
  • reset-both: RST sent to both ends.

The result the user sees: the wget/download fails with an error, because the connection was forcibly closed mid-transfer when the EICAR signature matched.

Why a reset and not a silent drop? A clean RST ends the session immediately and predictably, rather than letting it time out — faster failure, clearer behavior.

Tip: Reset actions only make sense for connection-oriented protocols (TCP). For connectionless UDP there's no connection to reset, so the firewall just drops.

Go deeper:

From Quiz: INTROL / Firewall Advanced Lab (Lab 6) | Updated: Jul 06, 2026