On a firewall that includes antivirus inspection, the device can take different response actions after it detects malware in traffic (for example, in file transfers, email attachments, or web downloads). Block is a standard antivirus action: the firewall stops the session or drops the infected content to prevent the malicious file from reaching the destination host. Alert (alarm/log) is also a common response action: the firewall generates an event, log, or alarm so administrators can investigate the source, destination, file type, signature name, and policy that triggered the detection.
Some firewall antivirus engines also support content-handling actions such as deleting an attachment (or stripping the infected file/attachment) while allowing the rest of the session to proceed, depending on the protocol and security profile. This is typically used in scenarios like email or file-based protocols where removing the infected payload is feasible.
Declare is not a normal antivirus response action on firewalls; it does not describe a meaningful enforcement or notification behavior. Therefore, the valid antivirus response actions here are Block, Alert, and Delete attachment.
