• Version tested: FortiProxy VM v7.6.3

• ICAP role: FortiProxy acting as ICAP server

• ICAP clients:

  • c-icap (used for validation and reproduction)

  • Third-party ICAP clients (for example, BeyondTrust PRA/SRA)

In affected scenarios, malicious test files (for example, EICAR) are detected successfully, while clean files such as CSV, PDF, or XLS do not return a response and appear to hang on the ICAP client.

Important note:

If FortiProxy correctly detects and blocks EICAR files, this confirms that:

• FortiProxy is correctly configured as an ICAP server

• Network connectivity and firewall policies are correct

This behavior indicates an ICAP client interoperability issue, not a FortiProxy antivirus or ICAP configuration issue.

ICAP transaction flow with preview mode enabled:

1. The ICAP client requests preview mode and advertises that it will initially send 4096 bytes of the message body.
   
    
    

    

2. The client sends approximately 4109 bytes of preview data.
3. The total file size is approximately 225 KB.

4. After receiving the preview data, FortiProxy responds with ICAP/1.0 100 Continue:

5. The ICAP client acknowledges the response but does not transmit the remaining payload.
6. The ICAP session remains open until it times out.

 This indicates that the ICAP client does not properly handle the ICAP 100 Continue response.

Workaround:

Disable ICAP preview mode on the client:

If supported by the ICAP client implementation, disable preview mode so the client sends the entire file body in a single ICAP transaction.

This allows FortiProxy to complete content inspection and return a final verdict without relying on preview continuation handling.