The Threat Prevention Engine behaves as per Configuration when we enable all the blades, or a limited number of them.
We will rely on the configuration from your Threat Prevention Profile for Inspection Settings for AV, and TE.
When TE (Threat Emulation) is enabled, and configured for specific filetypes, it will incorporate AntiVirus into its inspection, and if configured to By-Pass based on specific criteria, we will see a Bypass, or Benign result based on bypass.
When TE is Disabled, Anti-Virus will be operating on its own.
- In my experience, I have not seen AV Blade having the ability to deal with Password-Protected files.
- If you can post a Log of the AV Drop, we may be able to see that it relied on Fail-Mode for the Block/Drop Action.
- If you aren't comfortable posting your Network Logs in the community forum, I recommend a TAC Ticket.