AV scanning not blocking zipped malware when downloaded from cloud drives like Google Drive

Question

Hello! 
 
 I just installed Sophos UTM for testing purposes, I enabled SSL Inspection and set dual av engine in the web filtering, when I test download a test eicar file "eicarcom2.zip" it blocks the request perfectly. But, when I uploaded eicarcom2.zip to google drive and also my owncloud drive, tried downloading from both but it didn't block the request, below is the log: 
 
 Successfully blocked request: 
 2018:12:26-04:25:00 local httpproxy[14612]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="10.0.0.2" dstip="91.212.136.200" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2705" request="0xdcea1100" url=" www.ikarussecurity.com/.../eicar_com.zip" referer=" www.ikarussecurity.com/.../" error="" authtime="0" dnstime="0" aptptime="153" cattime="86" avscantime="1580107" fullreqtime="3103347" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="105" reputation="neutral" categoryname="Business" sandbox="-" content-type="application/zip" virus="EICAR-AV-Test" engine="SAVI"

Not blocked: 
 2018:12:26-04:26:14 local httpproxy[14612]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.2" dstip="35.XXX.XXX.237" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7268" request="0xe915100" url=" oc.XXXXX.com/.../eicarcom2.zip" referer="" error="" authtime="0" dnstime="0" aptptime="103" cattime="155" avscantime="10623" fullreqtime="1527438" device="0" auth="0" ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="text/html" 
 
 I've no idea what's going on, it should have been blocked as it is the same file downloaded from the original source. 
 
 Regards,

Argo · Answer

Hi aaa kkk, 
 Welcome to the community. 
 that really is a bad heading! 
 You need to first consider what you are trying to protect? 
 the UTM works in conjunction with the endpoint security you have installed. 
 the UTM will protect from most of the malware out there in the wild, but there are 2 or 3 modules that need to be enabled for maximum protection (from the web). 
 Simply put ... 
 1. IPS - this is inbound 
 2. Web Protection (best to have HTTPS decrypt and scan) - this is also inbound 
 3. ATP - this is outbound. 
 
 but please note if you download an unrecognised malware, your endpoint security suite will spot it (later) and quarantine it when it is recognised as malware. 
 I had this the other day (for a variant of the w97 macro virus) initially let through by the scanning, then spotted later when accessed again, but this was by the endpoint security suite. 
 Really this test is not a valid, as you do not seem to have an endpoint security suite installed on your test system.