TL;DR: To determine whether a .jar file contains malicious code, the firewall actually executes some of the code contained in the JAR. What could possibly go wrong?
I will no longer be surprised if someone tells me that there exists an antivirus which actually runs the virus in order to check whether it's a virus.
The worst part is that the code execution happens when they've already detected that code obfuscation techniques have been used. So you already know the code is probably malicious, but you still execute it to make sure?
Well, if you can provide a properly sandboxed, monitored environment, then it's a perfect technique - instead of guessing what the code does, just run it and find out.
Of course, this one is... not the case, to put it mildly.
> Well, if you can provide a properly sandboxed, monitored environment
Even then, it's dangerous, since sandboxes are potentially faulty pieces of software as well.
Well, in their defense, the accurate way to check an obfuscated virus file is to use the code's built-in extractor to extract it, then examine the extracted bytes.
It's just that they must make sure the engine is somehow able to stop the execution if there exists a JMP-class instruction that will jump into the address of the payload.
That said, most antivirus programs and their users will be satisfied to mark them as a Generic class of potentially malicious program. They have obviously overdone it, and in a bad way.
> exists an antivirus which actually runs the virus in order to check whether it's a virus.
Doesn't Avast do this via Sandboxing?