
What does Sophos Intercept X Advanced do when it detects a file as infected? What is the next step?

Hi All,

One of our potential customers asked us what Sophos Intercept X Advanced (cloud version) does when it detects a file as infected. According to me it follows this process, but I am not sure that is correct.

Step 1 - It will block access to the file.

Step 2 - It will try to clean up the file (if automatic cleanup is enabled).

Step 3 - If cleanup fails, then it will ask for manual cleanup.

I want to understand what CLEANUP means. Will it remove the infected part and restore the original file? (Very improbable, as the virus could have messed with the file.) OR does it directly go for deletion of the file?

If some important file is infected, will Sophos directly delete the entire file? (I say this because I tested this on one file and Sophos just deleted it and said threats cleaned up.) Does Cleanup = Delete, OR block access, OR disinfect?

Can someone please help me to understand the sequence of decisions taken by Sophos on finding an infected file?

I saw one explanation by QC in this thread too:



This thread was automatically locked due to age.
  • Hi Kandarp,

    If "Automatic Cleanup" is enabled, Sophos will remove the infected file. If Automatic Cleanup is disabled or the cleanup fails then it will be put in the quarantine till manual cleanup can occur wherein it will block access.

    Disinfection is a very ambiguous process because in some cases you know where the legitimate file starts/ends and the malicious code starts/ends, but it's never the same case to case. For instance, in an infected .docm you can just strip the macros, but what about a code-caved PuTTY executable?

    I'm fairly certain there is no "disinfection" process in Sophos AV/IX; someone can correct me if I'm wrong, as I've never thought about it.

    Emile
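The .docm case Emile describes above, worked through as an added example (this is not code from Sophos or from anyone in the thread): the VBA project in an OOXML package is a separate part with a known boundary, so "disinfection" here means dropping `word/vbaProject.bin` and the content-type and relationship entries that point at it, then downgrading the main part's content type so the result is a plain .docx. The sample package is constructed inline; the content-type and relationship URIs are the standard OOXML ones.

```python
import io
import re
import zipfile

MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Any self-closing Default/Override/Relationship element that mentions VBA refers to the macro project.
VBA_ELEMENT = re.compile(r"<(Default|Override|Relationship)\b[^>]*vba[^>]*/>", re.I)

# Constructed minimal .docm: a real one carries many more parts, but these four
# are the ones macro removal has to touch.
SAMPLE_PARTS = {
    "[Content_Types].xml":
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/></Types>',
    "word/_rels/document.xml.rels":
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        "</Relationships>",
    "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>body text</w:t></w:r></w:p></w:body></w:document>",
    "word/vbaProject.bin": b"constructed stand-in for a compiled VBA project",
}

def build_sample_docm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in SAMPLE_PARTS.items():
            z.writestr(name, data)
    return buf.getvalue()

def has_macros(package: bytes) -> bool:
    """True if the OOXML package still carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return any(n.lower().endswith(("vbaproject.bin", "vbadata.xml")) for n in z.namelist())

def part_text(package: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(name).decode("utf-8")

def strip_macros(docm: bytes) -> tuple[bytes, list[str]]:
    """Rewrite a .docm as a macro-free .docx; returns (new_package, removed_part_names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docm)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name.lower().endswith(("vbaproject.bin", "vbadata.xml")):
                removed.append(name)  # drop the macro project itself
                continue
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                text = VBA_ELEMENT.sub("", data.decode("utf-8"))  # drop references to the removed part
                data = text.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT).encode("utf-8")  # .docm -> .docx main type
            dst.writestr(name, data)
    return out.getvalue(), removed
```

Contrast this with the code-caved executable Emile mentions: there the injected code shares one flat byte stream with the legitimate program, so no such boundary exists to cut along.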
