diff --git a/avgate/avgate.py b/avgate/avgate.py
index 0e35835..4c71341 100644
--- a/avgate/avgate.py
+++ b/avgate/avgate.py
@@ -658,11 +658,6 @@ def scan_file_icap(content: bytes) -> List[str | None]:
 if first_line != b"ICAP/1.0 200 OK":
 raise EnvironmentError("ICAP not OK", first_line.decode())
- if second_block.startswith(b"HTTP/1.1 403 Forbidden"):
- return ["FORBIDDEN", second_block.decode()]
-
- # do not expect any other HTTP status inside second_block (rfc3507)
-
 # check infection
 found = re.search(b"X-Infection-Found: .*Threat=(.*);", first_block)
@@ -670,6 +665,11 @@ def scan_file_icap(content: bytes) -> List[str | None]:
 if found:
 return ["FOUND", found[1].decode()]
+ if second_block.startswith(b"HTTP/1.1 403 Forbidden"):
+ return ["FORBIDDEN", second_block.decode()]
+
+ # do not expect any other HTTP status inside second_block (rfc3507)
+
 # in case of 200 the content should be unchanged
 if content == content_back:
 logger.warning("ICAP returns 200 instead of 204 on unchanged content")
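Review bot: The 403 check added in the second hunk matches the exact status line `HTTP/1.1 403 Forbidden`, so an encapsulated response with a different HTTP version or reason phrase would skip the FORBIDDEN branch and fall through to the unchanged-content comparison; what the function does after that is outside the hunk. Matching on the status code keeps the verdict independent of the server's wording, e.g. `if re.match(rb"HTTP/\d\.\d 403\b", second_block):`. `second_block.decode()` is a strict decode of server-supplied bytes, so a block page that is not valid UTF-8 would raise instead of returning the verdict; `second_block.decode(errors="replace")` avoids that. If the reorder is meant to report the threat name even when the server also answers 403, a short comment above `if found:` saying so would keep a later edit from moving the checks back.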