During reference checking the firewall calculates a checksum based on the file size and other criteria for applications for which it has already enabled network access. If the checksum for this program suddenly changes, it may be because the program has been modified by a malware program. In such cases, the firewall generates an alarm.
Perform reference checking for loaded modules: Here not just applications but also modules used by applications (e.g. DLLs) are monitored. Since these frequently change or new modules are downloaded, consistent checking for modified and unknown references for modules may result in a considerable administration effort. Every modified module would cause a security request to be sent in its trail to the firewall. Therefore module checking should only be used in this way for very high security requirements.