It could be connected with SSL Scanner - do you scan SSL traffic?
How executable files are blocked and please give examples of blocked and not blocked URLs.
Please use the Rule Engine tracing for troubleshooting if the block rule got also executed and is not bypassed due to any other rule:
Verify that the SSL Scanner is executed for HTTPS connections (Web Gateway: Understanding "Client Context" )
If you need help analyzing this behaviour file a support request and upload the data into this Service Request. Please do NOT post this confidential data here.
I tested both links in my lab but was unable to reproduce a block, doesn't matter whether GTI lookups are enabled or not.
As Stefan has written, open a SR that Support can look at this.
Therefore, please open a normal SR and follow this KB:
Important information would be a feedback file (there we have the MWG, engine and DAT version and can test your configuration), screenshot of block message, error message from foundvirus log, rule trace (that we can see where the request is running through) and the password protected sample.