Decrypted traffic downloading from dropbox with several file types set to block, and then any set to alert. Javascript would be part of any. It seems to correctly identify javascript files when zipped, but not when it is just the javascript file. On the other hand it seems to identify php when it is not zipped, but miss it when it is zipped. Does this behavior make sense?
top of page
bottom of page
Zip files have the advantage that the firewall needs to collect all files, reassemble and unpack, so it is able to scan a full file instead of a stream/flow. That said I don't have a real explanation for this behavior You could try running a packet-diag log to see if you can pinpoint the behavior, or open a support ticket to see if it's a bug