You have configured the AV scanning behavior in Content Analysis to block files based using the AV Scanning Behavior configuration in the Content Analysis Management Console, but when a scan matches a file to be blocked, (e.g. password protected archive, decode error, etc) the file is served to the client.

On the ProxySG appliance, you are using Malware Scanning (Configuration > Threat Protection > Malware Scanning) to send traffic to Content Analysis for scanning. 

The setting, Action on Unsuccessful Scan will determine how the ProxySG appliance behaves in the event that an AV Scanning behavior policy exception is triggered.

If this is set to Continue Without Malware Scanning, the ProxySG appliance will ignore the Content Analysis result and serve the file to the client.

 

Set Action on unsuccessful Scan to Deny the client request (recommended) to ensure that users are not served files that cannot be scanned.