The Content Analysis System alerts that certain files are "Suspicious." However the same file is being served to clients.
When the Content Analysis System detects a suspicious file (executable or a common malware attack vector) that is not on the whitelist and doesn't match any known malware signatures or trigger a malware score from static analysis, the appliance can forward the file to an external sandbox to analyze it. Sandbox services use different methods to identify the actions an executable file would take on a client workstation, including malicious URL web requests and changes to system files. Once analyzed, sandbox services score the file and report it either to Content Analysis — or in the case of FireEye NX-series appliances, to the sandbox administrator— to take action. When malware is reported to Content Analysis, the appliance reports the result to Blue Coat WebPulse, and updates the cache to take the appropriate action if the file is requested again
Effectively, if there is no sandbox integrated with the Content Analysis System, or if the sandbox determined the file was not malicious once it was detonated, the client will still be able to receive the file.
Ensure any sandbox available for file detonation is integrated with the Content Analysis System for complete scan results and reputation results.
Blacklist the file on the Content Analysis System, or setup a Deny from the ICAP client, presumably a ProxySG appliance.