In the SSL scanning ruleset>handle connect call ruleset there is a rule to tunnel hosts by stopping the cycle, thus bypassing all further rules.
However under the content inspection ruleset, the bypass content inspection is only set to stoprule set therefore AV scanning etc will still be attempted.
Surely by bypassing content inspection you are still tunnelling the connection so subsequent rules can't be applied as the connect is encrypted?
Therefore would it not be more effecient to stop cycle instead or am i missing something here?
I will first preface my answer with some knowledge.
There are three main cycles that the Web Gateway deals with, Request, Responses, and Embedded.
Within the Request cycle (when using SSL scanning), there is 3 psuedo "sub" cycles, CONNECT, CERTVERIFY, and within the Tunnel.
According to the default rules SSL scanning gets applied in the sub cycles.
Now I will try to answer your scenario:
The rule "Tunnel Hosts" is set to Stop Cycle as it is intended to be a request that is allowed. Thus it bypasses all subsequent rules. For all intensive purposes you could change the action to Stop Rule Set, and this would only make it is tunneled, rather than guaranteed to be allowed. Otherwise it could be blocked by URL filtering for example.
Regarding "Bypass Content Inspection", your assumption is incorrect, AV scanning cannot be performed on an SSL connection that does not have Content Inspection applied. But in this case, URL filtering and can still be applied.
Hope this helps,