Instead of a block action in the Antimalware rule set, use a continue and enable the ICAP client in the event section.
MWG will then not block malware, but will send that to another scanner via ICAP.
As this setup sounds a bit weird I am interested in your goal - what do you want to acchive?
Thanks for your response Michael!
The question is a bit theoretical. We received it in an RFI.
I mean the customer does not like to bypass the embedded AV engines but they would like to use 3rd party engines beside them (i.e. Kaspersky, Trendmicro) on an AV external server.
Is it possible through ICAP? I think the answer is yes but I'm not sure.
This is possible.
one of our customers would like to use an external 3-rd party content scanner as a second engine, too.
But we get an internal icap error, when the external scanner blocked the content.
Do you have a working policy example (or best practice ;-)) for this purpose?
the best practises policy is the ICAP Client Policy in MWG's rule set library. What error do you get?