I think that it would be beneficial to understand how Zimbra is made up. What components are put together to produce the overall platform. The anti virus component is Clam antivirus. Clam antivirus is a signature based virus definition application. This means that when a virus is identified it is given a unique signature and added to the definition database. Every mail that comes in has it's attachments signature checked against the definition database. If there is a match then clamav thinks that it is a virus. This in turn tells postfix (via amavis) to reject the incoming message. Clamav comes with a series of tools and libraries to allow you to interrogate the definition database as well as a signature tool and if I am not mistaken you can identify the signature of your mail and remove it from the database. Or you can use clamav's web based tools to uploaded the mail and let it report why it is being trapped. It could also have something to do with max compression ratios or recursive archiving because it is a zip file, but unless you look at the logs you will not know.
edit the file /opt/zimbra/clamav/etc/clamd.conf
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
#LogFile /tmp/clamd.log
uncomment LogFile and restart the MTA.  |