Password protected archives can’t be blocked using Content Analysis System (CAS)

Article ID: 166752

Updated On:

Products

ProxySG Software - SGOS Content Analysis Software

Issue/Introduction

When traffic going through the EdgeSWG is sent to the CAS for virus scanning, and the CAS policy for password-protected archives is set to block, password-protected archives are still downloaded successfully.

Environment

EdgeSWG sending traffic over ICAP to CAS.

Resolution

This happens when the action on the Web Content Layer is configured to scan the traffic while "Continue without further request/response processing" is selected under "If the request analysis service is not available:". In this case, when the CAS engine detects a password-protected archive, it responds to the EdgeSWG with an ICAP error. Because the EdgeSWG error handling is configured to allow the connection, the file is served.

To block password-protected files, make sure the error handling is set to "Deny the client request (recommended)". This is the default, recommended option, which makes the connection fail closed.
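
The check below is an added example, not part of the original article or any vendor tooling: it scans exported policy text for ICAP scanning rules that fail open, which is the condition that lets the archives through. It assumes the two VPM options appear in CPL as the `fail_open` and `fail_closed` keywords on `request.icap_service(...)` / `response.icap_service(...)`, and that a rule with neither keyword is fail-closed, matching the default noted above; the policy text and service names are constructed.

```python
import re

# Matches request.icap_service(...) and response.icap_service(...) properties.
ICAP_RE = re.compile(r'\b(request|response)\.icap_service\(([^)]*)\)')

# Constructed sample policy for illustration, not taken from a real appliance.
SAMPLE_CPL = """\
<Cache>
    url.domain=downloads.example.com response.icap_service(cas_scan, fail_open)
    response.icap_service(cas_scan, fail_closed)
<Proxy>
    ; response.icap_service(cas_old, fail_open)  -- commented out
    request.icap_service(cas_dlp)
    url.domain=intranet.example.com response.icap_service(no)
"""

def audit_icap_failure_mode(cpl_text):
    """Return (line_no, direction, services, mode) for every ICAP property."""
    findings = []
    for line_no, raw in enumerate(cpl_text.splitlines(), start=1):
        # Simplification: treat everything after ';' as a CPL comment.
        line = raw.split(';', 1)[0]
        for m in ICAP_RE.finditer(line):
            args = [a.strip() for a in m.group(2).split(',') if a.strip()]
            if args == ['no']:
                mode = 'disabled'        # no scanning at all for this rule
            elif 'fail_open' in args:
                mode = 'fail_open'       # ICAP error => content is served
            else:
                mode = 'fail_closed'     # explicit, or assumed default
            services = [a for a in args
                        if a not in ('fail_open', 'fail_closed', 'no')]
            findings.append((line_no, m.group(1), services, mode))
    return findings

def fail_open_rules(cpl_text):
    """Rules where an ICAP error from CAS would let the file through."""
    return [f for f in audit_icap_failure_mode(cpl_text) if f[3] == 'fail_open']

if __name__ == "__main__":
    for line_no, direction, services, mode in fail_open_rules(SAMPLE_CPL):
        print(f"line {line_no}: {direction} scan via {services} is {mode}")
```

Rules reported as `disabled` are worth reviewing as well, since traffic matching them is never sent to CAS.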