During reference checking the firewall calculates a checksum based on the file size and other criteria for applications for which it has already enabled network access. If the checksum for this program suddenly changes, it may be because the program has been modified by a malware program. In such cases, the firewall generates an alarm.

In the same way, reference checking for loaded modules monitors modules that the applications use (e.g. DLLs). Since these frequently change or new modules are downloaded, consistent checking for modified and unknown references for modules may result in a considerable administration effort for the firewall. Every modified module would cause a security request to be sent in its trail to the firewall. Therefore module checking should only be used in this way for very high security requirements.