Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can a computer virus spread behind my firewall?


My house has multiple computers (usually a few are connected to the internet
and running at a time) all connected to the internet through a Linksys ethernet
router. Hypothetically, if two computers were connected to the internet, and
one of them contracted a virus or two, would the virus be able to get to the
other computers connected to the router more easily? Meaning, would the fact
that the virus’s entered one computer also mean they had gotten into the
household network?

The short answer is “Possibly”.

Your setup sounds very much like my own. Several computers, most are always
on, and all sharing a connection to the internet.

There’s good news and bad news here, and it all depends on the virus.

Become a Patron of Ask Leo! and go ad-free!

Should a virus make it across your router or firewall to any computer on
your local network, then yes, in theory, it’s now able to propagate to the
other computers behind the router. Behind your router, all your computers were
exposed to each other without a firewall. If one is infected, there’s no
firewall to prevent it from spreading within your LAN.

The good news is that most viruses that can move easily from machine to
machine without human intervention are exactly those that routers are great at
stopping in the first place. So the risk of exposure is actually pretty low. It
has happened, and I’ve heard of corporations being brought to a stand-still
because a virus managed to get across the corporate firewall. It’s not common,
but it does happen.

The real risk is from other viruses that more typically cross the router via
other means – like email.

Obviously routers and firewalls allows email to cross. Thus if a user opens
an infected attachment, for example, *poof* you’re infected – firewall
or no. The good news here is that email borne viruses typically also use email
to propagate, so they probably won’t infect other machines on your local
network without help. By “help” I mean someone explicitly running the infected
attachment on other machines on your network. More likely is that the infected
machine will simply start to send email with infected attachments at a rapid

“A firewall is only one part of your internet
safety strategy.”

Less clear are things like malicious activex controls and other web based
virus attack vectors, instant messaging viruses and more. Depending on how they
propagate, infection of a single machine on your local network could be limited
to just that machine, or could spread to others.

And that really leads to an important point. While I’ve spoken in
generalities, there are really no rules. For example while they commonly don’t,
an email borne virus could propagate directly to other machines via
your network.

Thus, you still need take care.

A firewall is only one part of your internet
strategy. All of your machines should still be running anti-spyware
and anti-virus checks even though they’re behind a firewall, and should be
running Windows Automatic Update to make sure that the latest critical fixes
are always in place. All of your users should take care to not open unknown
attachments and only download from safe sources. This is exactly what I do.
Even though I’m behind a firewall, and even though my wife and I are very good
at not opening the wrong attachments, all of my machines run nightly virus and
anti-spyware scans, and have Windows Update enabled.

There’s a school of thought also that says software firewalls on each
machine are still a good idea, even if you’re behind a router, especially if
you can’t necessarily trust all of your computer users.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

2 comments on “Can a computer virus spread behind my firewall?”

  1. Is there a way to block a connection from a seperate PC (router connection), in case that particular PC should ever get infected by a virus, so my PC won’t ever be infected?


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.