"Defer scanning at threshold" is the value at which the ProxySG defers (stops sending the oldest connection to the ICAP server) until the file is completely downloaded from the Origin Content Server (OCS). By default, the deferred scanning threshold is enabled and set to 80% when an ICAP service is created.
For example, assuming the following
ICAP Max connections = 100. Deferral set to 80%.
If a new connection comes in and there are 80 ICAP connections already in use then the oldest ICAP connection will be deferred. This means it will be closed on the ICAP server (CAS/ProxyAV) but the ProxySG will continue to download the object and trickle it to the client, up to the configured Max Cache size on the ProxySG. If the ProxySG receives all of the object it will be sent back to ICAP server for ICAP scanning. This new scan will take priority, meaning it cannot be deferred. If the ProxySG receives more data than the configured Max Cache size it will not send to ICAP server and will instead terminate the client connection.
The ProxySG will continue to defer connections until it gets below the threshold. If the ProxySG has deferred all long lived connections but still has more than 80 connections it will then start to use the connections above the 80% value, in the example above this means connections 81 to 100.
Typically the ICAP connection that has been there the longest is either a large download or a stream that never ends. So, the ProxySG will free up resources to make room for others until those long living connections finish downloading.
Note if the oldest connection is a stream ie live video or audio, the ProxySG will never reconnect to the ICAP server as the download will never finish. It is best practise to not send streaming media to the ICAP server.
The idea behind deferring connections is to avoid having to queue connections which is what will happen if, in our example, we get more than 100 connections.
The following advanced URL can be used to help troubleshoot queued connections