When WSS policy is managed from the portal, there is an option to exempt Password-Protected Archives from the malware scanning policy.
When the policy source is changed such that the policies are managed from the Management Center this option is removed from the WSS portal. This policy has to be manually configured from the MC.
Management Center used to manage WSS
In order to deploy the same policy from MC, the following config change and policy has to be deployed from the MC.
This CPL layer will allow only the password_protected ICAP error code and block all other ICAP error codes.