We tested using a small handful of recent viruses that we found in the wild just before our testing started. Each of the products had plenty of time -- over two weeks -- to update their signatures to catch the viruses we used. FortiGate caught 100% of the viruses we threw at it. Next in line was SonicOS, which caught 100% of the viruses when we sent them over HTTP and HTTPS protocols, but slightly less when we used FTP, IMAP, and SMTP. Check Point Security Gateway and Barracuda NG Firewall caught fewer viruses in our small sample (80% and 90%, respectively).
The more important result was coverage across various protocols, and this is where SonicWall shined. Only SonicWall managed to find viruses no matter where we hid them. In configuring SonicWall to catch malware, you don't list specific ports, but applications running on top of those ports: HTTP, FTP, IMAP, SMTP, POP3, CIFS (Microsoft file sharing), and "everything else." When we sent viruses using common protocols through the firewall, the anti-malware engine inspected the traffic. It didn't catch each virus in each scenario, but there were no gaping holes where inspection didn't activate at all.
The FortiGate anti-malware engine works great, but would only inspect traffic on ports we explicitly listed. This means that a web server on a common port, say port 80 or 443, would be inspected just fine. However, if someone on the Internet had a web server with some malware on a non-standard port, such as 81, then the FortiGate wouldn't catch it. Your alternatives are to block non-standard ports — a sure recipe for unhappy users and a poor workaround — or to have a hole in your security coverage.
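The port-versus-application distinction in the last two paragraphs is easy to see in code. The following Python script is an added illustration and is not code from the article or from any of the vendors tested; it models a simplified port-keyed policy next to a simplified application-aware policy that classifies a flow from the first bytes the client sends, then reports which constructed sample flows the port-keyed policy would pass without inspection. The protocol fingerprints, the port table and the sample flows are assumptions made for the example (real engines use far richer decoders, including the server's side of the exchange).

```python
"""Port-based vs. application-aware inspection policy (illustrative, added example)."""
from dataclasses import dataclass

# Assumed port table for a port-keyed policy: only flows to these ports are scanned.
INSPECTED_PORTS = {80: "http", 443: "https", 21: "ftp", 25: "smtp",
                   143: "imap", 110: "pop3", 445: "cifs"}

# Simplified client-side fingerprints (assumption: enough to show the idea, not a real decoder).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
IMAP_COMMANDS = (b"LOGIN", b"CAPABILITY", b"AUTHENTICATE", b"STARTTLS")


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client on the connection


def identify_protocol(payload: bytes) -> str:
    """Classify a flow by content, ignoring the destination port entirely."""
    head = payload[:16]
    if head.startswith(HTTP_METHODS):
        return "http"
    if head.startswith(b"\x16\x03"):          # TLS record header (ClientHello)
        return "tls"
    if head.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if head.startswith(b"USER "):
        return "ftp-or-pop3"                    # both protocols start a login with USER
    parts = head.split(b" ", 1)                 # IMAP: "<tag> <COMMAND> ..."
    if len(parts) == 2 and parts[1].upper().startswith(IMAP_COMMANDS):
        return "imap"
    if head.startswith(b"\x00") and b"SMB" in payload[:8]:   # NetBIOS session + SMB header
        return "cifs"
    return "other"                              # still handed to a generic scanner below


def port_based_decision(flow: Flow):
    """Return the decoder the port-keyed policy applies, or None when the flow bypasses inspection."""
    return INSPECTED_PORTS.get(flow.dst_port)


def app_aware_decision(flow: Flow) -> str:
    """Return the decoder the application-aware policy applies; 'other' is scanned generically, never skipped."""
    return identify_protocol(flow.payload)


def coverage_gaps(flows):
    """Flows a port-keyed policy skips although the content is a recognised application protocol."""
    return [f for f in flows
            if port_based_decision(f) is None and app_aware_decision(f) != "other"]


# Constructed sample flows (not real captures): each is a client's opening bytes.
SAMPLE_FLOWS = [
    Flow(80,   b"GET /update.exe HTTP/1.1\r\nHost: files.example\r\n"),   # standard port
    Flow(81,   b"GET /update.exe HTTP/1.1\r\nHost: files.example\r\n"),   # same content, odd port
    Flow(8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),           # TLS on 8443
    Flow(2525, b"EHLO relay.example\r\n"),                                 # SMTP on 2525
    Flow(143,  b"a001 LOGIN user pass\r\n"),                               # IMAP on its usual port
    Flow(4445, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),               # SMB on a moved port
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"port {f.dst_port:5d}: port-keyed={port_based_decision(f)!s:12} "
              f"app-aware={app_aware_decision(f)}")
    print("skipped by port-keyed policy:", [f.dst_port for f in coverage_gaps(SAMPLE_FLOWS)])
```

Run as a script it lists each flow's treatment under both policies; the flows on ports 81, 8443, 2525 and 4445 show the hole the article describes, since the port-keyed policy returns `None` for them while the content classifier still recognises the application. Note that the application-aware policy's `"other"` class maps to the "everything else" bucket in the SonicWall configuration: unknown traffic is scanned generically rather than dropped from inspection.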
The Check Point Security Gateway was undergoing rapid change in the area of anti-malware when we tested it, and so our results may not be representative of the final status when version R75.40 of the software is finally released. Check Point told us that it was working with its anti-malware engine supplier to achieve higher catch rates, but that some of our test scenarios, such as IMAP and SMTP over TLS, would not be supported even in the final release.
One of the anti-malware features Check Point offered that we didn't see in the other products was anti-bot protections. If anti-malware works to prevent infections, Check Point's anti-bot protection is designed to catch post-infection behaviors such as command-and-control channels and attempts to spread the infection or send spam. We didn't test the anti-bot protections, since none of the other vendors offered this feature.