ASA CX module

I know the CX module will be EOL by the end of 2017, but still, you never know ;].

The built-in device malware protection is a bit annoying, as there is no easy way to make an exception.

I recently had an interesting issue when one of the governmental sites was blocked by malware protection. How surprised I was to see that there is no way to make an exception: the setting was global for all outgoing traffic. So to allow a single site with a reputation of -7 (in my case that was the government site; a site with a reputation from -6 to -10 is considered insecure), I would be forced to lower the security of the whole company, which was of course unacceptable.

So after a bit of googling I found this.

Basically I had to create a malware policy that allows sites with a reputation of -7 and then make it the default device policy. After that you have to set the default -6 policy on every access policy you have (overriding the device setting), except the one with your exception (where you put the URL of the problematic site beforehand). Setting no malware protection policy at all, as was suggested in the link above, did not work for me; that is why I made the device policy less restrictive than the malware protection setting of the local access policies. Now the traffic goes through the whitelist policy without malware protection, and because that policy allows only specific URL addresses, it won't pass any other site with a reputation of -7 than the one I put there.
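To make the layout above easier to reason about, here is a small model of the policy evaluation it relies on. This is an added example written for this page, not Cisco configuration or code from the CX/PRSM product; the hostnames, the exact threshold values and the evaluation semantics (first matching access policy wins, reputation at or below the malware policy's threshold is blocked, an access policy with no local malware policy inherits the device default) are assumptions for illustration.

```python
"""Toy model of per-policy malware-protection overrides on a CX-style device.

Constructed example, not Cisco configuration. Assumed semantics:
- Web reputation runs from -10 (worst) to +10; -6 and below is "insecure".
- A malware policy is a block threshold: reputation <= threshold is blocked.
- Access policies are evaluated top-down; the first whose host pattern
  matches decides the verdict.
- An access policy with its own malware policy uses it; one without inherits
  the device default (the behaviour the post's layout relies on).
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

INSECURE_AT_OR_BELOW = -6  # assumed: matches the "-6 to -10 is insecure" scale


@dataclass
class AccessPolicy:
    name: str
    host_pattern: str                  # fnmatch-style glob; "*" matches any host
    malware_threshold: Optional[int]   # None = no local override, inherit device default


@dataclass
class Device:
    default_threshold: int             # the device-level malware policy
    access_policies: list[AccessPolicy]

    def effective_threshold(self, pol: AccessPolicy) -> int:
        return (pol.malware_threshold
                if pol.malware_threshold is not None
                else self.default_threshold)

    def decide(self, host: str, reputation: int) -> tuple[str, str]:
        """Return (verdict, policy_name) for a request to `host`."""
        for pol in self.access_policies:
            if fnmatch(host, pol.host_pattern):
                if reputation <= self.effective_threshold(pol):
                    return ("block", pol.name)
                return ("allow", pol.name)
        return ("block", "implicit-deny")


# Hypothetical hosts used only for the demonstration.
GOV_SITE = "www.example.gov"     # the legitimate site scored -7
OTHER_BAD = "evil.example.net"   # some other -7 site that must stay blocked

# 1. Starting point: device default -6, one catch-all policy that inherits it.
#    The -7 government site is blocked and there is no per-site exception.
original = Device(
    default_threshold=INSECURE_AT_OR_BELOW,
    access_policies=[AccessPolicy("general", "*", None)],
)

# 2. The unacceptable fix: loosen the device default to allow -7 everywhere.
loosened = Device(
    default_threshold=-8,
    access_policies=[AccessPolicy("general", "*", None)],
)

# 3. The post's layout: device default allows -7, every normal access policy
#    overrides it back to -6, and a narrow whitelist policy (listed first,
#    matching only the one host) inherits the looser device default.
fixed = Device(
    default_threshold=-8,
    access_policies=[
        AccessPolicy("whitelist", GOV_SITE, None),
        AccessPolicy("general", "*", INSECURE_AT_OR_BELOW),
    ],
)


def summary(device: Device) -> dict[str, tuple[str, str]]:
    """Verdicts for the two test hosts at reputation -7 (for eyeballing)."""
    return {host: device.decide(host, -7) for host in (GOV_SITE, OTHER_BAD)}


if __name__ == "__main__":
    for label, dev in (("original", original), ("loosened", loosened), ("fixed", fixed)):
        print(label, summary(dev))
```

Two things the model makes visible that are easy to get wrong in the GUI: the whitelist policy carries the weakest effective threshold, so it must sit above the general policies and match only the intended host, and every other access policy needs an explicit -6 override, since any policy left inheriting the device default silently gets the looser threshold.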


