I have encountered a situation where I have implemented basic AV protection to a server. Tests with EICAR file work fine from internal and external networks (should not really matter).
The thing is that on some occasions I noticed that the file upload had been blocked but the Virus violation states: "Virus detection was not performed due to communication problem. See details here: /ts/log/bd.log"
There is no relevant info in that log file.
Guaranteed enforcement was turned on, so I guess that's why the block took place. But the real question is - why is it complaining about not being able to communicate with the ICAP server? When I run a test from any network, it blocks it just right and the violation is described accurately.
Whenever this has happened there have been multiple generic violations detected with the traffic as well, but ONLY AV protection is in Blocking mode - generic signatures are just alerting for analysis.
Does anyone have more experience with such cases? Any ideas why this is happening?
I think you need to raise a support case. They will check your config, also ICAP is known to have some issues on some versions of BIG-IP and some AV Vendors
