This is expected behavior.
The ProxySG policy response.icap_service(virus_scan, fail_open) is designed to fail open on any error, whether the error is health-check related or is returned by the ICAP service. Thus, if the ICAP policy is set to block a file extension, the ICAP service returns a 500 server error code, as per RFC3705; the SG receives the error and fails open as per policy.
To implement policy for handling particular ICAP error codes in fail-open environments, follow the guidance below:
These policy definitions can be found in the CPL guides for the ProxySG, under the heading icap_error_code.
SGOS 6.6: https://support.symantec.com/content/unifiedweb/en_US/article.DOC10350.html on page 147
SGOS 6.5: https://support.symantec.com/content/unifiedweb/en_US/article.DOC10097.html on page 145
The icap_error_code option triggers on the X-ICAP-Error header, instead of relying on the response code.
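The difference between failing open on the response code and matching on the X-ICAP-Error header can be shown with a simplified model. This is an added example, not ProxySG or Symantec code; the function names, the sample ICAP responses and the X-ICAP-Error values in them are constructed assumptions.

```python
# Added illustration: a simplified model, not ProxySG code.
from dataclasses import dataclass, field


@dataclass
class IcapResponse:
    status: int
    headers: dict = field(default_factory=dict)


def parse_icap_response(raw: bytes) -> IcapResponse:
    """Parse the status line and headers of an ICAP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return IcapResponse(int(parts[1]), headers)


def decide(resp: IcapResponse, fail_open: bool, deny_on_error=frozenset()) -> str:
    """Return 'allow' or 'deny' for the scanned object (error handling only)."""
    error = resp.headers.get("x-icap-error")
    # Rule keyed on the X-ICAP-Error header, checked before the fail-open default.
    if error in deny_on_error:
        return "deny"
    # Any other ICAP error: the fail-open setting decides.
    if resp.status >= 400 or error is not None:
        return "allow" if fail_open else "deny"
    return "allow"  # no error reported


# Constructed sample responses; the header values are placeholders.
BLOCKED_EXT = (b"ICAP/1.0 500 Server error\r\n"
               b"X-ICAP-Error: file_extension_blocked\r\n"
               b"Encapsulated: null-body=0\r\n\r\n")
SCAN_TIMEOUT = (b"ICAP/1.0 500 Server error\r\n"
                b"X-ICAP-Error: scan_timeout\r\n"
                b"Encapsulated: null-body=0\r\n\r\n")
CLEAN = b"ICAP/1.0 204 No modifications needed\r\nEncapsulated: null-body=0\r\n\r\n"

if __name__ == "__main__":
    rule = {"file_extension_blocked"}
    for name, raw in [("blocked_ext", BLOCKED_EXT), ("timeout", SCAN_TIMEOUT), ("clean", CLEAN)]:
        resp = parse_icap_response(raw)
        print(name, decide(resp, True), decide(resp, True, rule))
```

With fail-open alone, the blocked-extension response is allowed because it arrives as a 500; adding the header-keyed rule denies it while other ICAP errors still fail open.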