ICAP Best Practices are ignored if Malware Scanning is enabled.

Article ID: 166557


Products

ProxySG Software - SGOS

Issue/Introduction

If Malware Scanning is enabled (Configuration > Threat Protection > Malware Scanning) on your ProxySG, your existing ICAP Best Practices and any other policies set to not perform response analysis are ignored.

NOTE: As of 6.5.9.x and later, this CPL code, which stops malware scanning so that other policy is evaluated, is no longer required. Please verify on a case-by-case basis to make sure.

Resolution

As explained in TECH241951, SGOS 6.x introduced malware scanning, and when you enable it on the ProxySG, it automatically adds policy to perform malware scanning for every response. As a result, malware scanning also overrides ICAP Best Practices.

By modifying the Bypass_BC_Malware_scanning_solution CPL code from TECH241951, you can override the malware scanning policy rules so that the ICAP Best Practices CPL code takes effect.

 

Add the following CPL code to your local policy along with the ICAP Best Practices CPL.

 

<Cache Bypass_BC_malware_scanning_solution> 

policy.Bypass_BC_malware_scanning_solution ; Creates a new layer after the Malware Scanning layers. 

 

define cache policy Bypass_BC_malware_scanning_solution 

<Cache Bypass_BC_malware_scanning_solution > 

        condition=NOICAP condition=ShouldScanHighPerformance response.icap_service(no) ; Bypasses Icap for URLs defined in NOICAP condition. NOICAP condition is part of ICAP Best Practices

end

;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Please be aware that in ICAP Best Practices CPL version 1.4 (August 2019) and version 1.5 (October 2020) the "NOICAP" condition is no longer present; it has been replaced by "URL_Category_No_ICAP_Level_Basic", "File_Types_No_ICAP_Level_Basic", "Web_Apps_No_ICAP_Level_Medium", etc.
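
The following is an added example, not part of the original article or of any Broadcom tooling: a small Python check that reads a local policy file before installation and reports every condition= reference that has no matching "define condition" in the same text, which is what happens when the bypass rule above is pasted next to ICAP Best Practices 1.4 or 1.5. The sample policy and the function name are constructed for illustration, and it is an assumption that ShouldScanHighPerformance is defined by the appliance's own malware scanning policy rather than in local policy.

```python
import re

# Conditions defined outside the file being checked. Assumption: ShouldScanHighPerformance
# is supplied by the appliance's malware scanning policy, not by local policy.
EXTERNAL = frozenset({"ShouldScanHighPerformance"})

# "define condition NAME", with an optional qualifier word before "condition".
DEFINE_RE = re.compile(r"^\s*define\s+(?:[\w.]+\s+)?condition\s+([\w.-]+)")
# "condition=NAME" or "condition=!NAME" used as a trigger in a rule.
REF_RE = re.compile(r"\bcondition\s*=\s*!?\s*([\w.-]+)")


def undefined_conditions(cpl_text, external=EXTERNAL):
    """Map each referenced-but-undefined condition name to the lines that use it."""
    defined, refs = set(), {}
    for lineno, raw in enumerate(cpl_text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop ';' comments (does not handle ';' in quotes)
        m = DEFINE_RE.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for name in REF_RE.findall(line):
            refs.setdefault(name, []).append(lineno)
    return {n: ls for n, ls in refs.items() if n not in defined and n not in external}


# Constructed sample: stand-ins for two 1.4/1.5-style condition definitions (bodies
# omitted), followed by the bypass rule from this article, which still uses NOICAP.
SAMPLE = """\
define condition URL_Category_No_ICAP_Level_Basic
    ; body omitted in this constructed sample
end
define condition File_Types_No_ICAP_Level_Basic
    ; body omitted in this constructed sample
end
<Cache Bypass_BC_malware_scanning_solution>
policy.Bypass_BC_malware_scanning_solution
define cache policy Bypass_BC_malware_scanning_solution
<Cache Bypass_BC_malware_scanning_solution>
    condition=NOICAP condition=ShouldScanHighPerformance response.icap_service(no)
end
"""

if __name__ == "__main__":
    for name, lines in undefined_conditions(SAMPLE).items():
        print(f"condition '{name}' is used on line(s) {lines} but never defined")
```

Names are compared exactly as written, so a difference in letter case between a definition and a reference is reported as well.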