Selecting traffic for anti-malware scanning
You can activate anti-malware scanning in the File Filtering Policy that is referenced in a policy.
Activating the scanning always also activates deep packet inspection for the same traffic (the traffic is also checked against the Inspection rules). You can deactivate the anti-malware scanning if the download source is trusted and the download process takes too long. You must define the services individually in the Service cell to enable deep inspection and anti-malware scanning for them.
To not scan for certain destinations, create a more specific IPv4 Access rule before a more general one that does not have the file filtering option defined.
For some content delivered through HTTP or HTTPS, anti-malware scanning might not be feasible. For example, you might want to prevent videoconferencing sessions from being scanned for malware, to avoid any increase in latency.