We were able to get around this issue by creating a custom URL Category for decryption exceptions. Populate the category with domain names that you want to exclude (you can also wildcard for subdomains), then assign that category to your exception rule. The destination address should be set to any so that the exception rule is triggered only upon category match. So far this seems to work.
... View more