I've started experimenting with application detection for software updates. Things like McAfee Update, Norton Update, Sophos Update, Apple Software Update and Yum Update seem to consistently be identified for HTTP connections.
I'm guessing that I cannot use application identification as a criteria for SSL bypass rules.
I have yet to find any mention of application = Microsoft Update in any of my log files. We're using version 7.2 with WCCP -- could that be part of the issue? Or might it go back to the SSL issue?