Article 000012601 describes why the file is being served.
The Content Analysis appliance / ProxyAV returned a 500 ICAP server error to the ProxySG appliance if it was a password protected file:
ICAP/1.0 500 Server error X-Error-Details: File is password protected; File: test.zip; Sub File: ; Vendor: Sophos, Plc.; Engine version: 3.61.0; Pattern version: 5.20.10071973.0; Pattern date: 2015/10/21 05:04:09 X-Error-Code: password_protected X-Apparent-Data-Types: TXT, ZIP Service: CAS 18.104.22.168(170722) Service-ID: avscanner ISTag: "561E3583" X-Scan-Progress: complete Encapsulated: null-body=0 Date: Wed, 21 Oct 2015 06:01:05 GMT
If there is a need for fail_open, but a requirement to block a password protected archive, create a rule in the Web Access Layer based on the ICAP error code.