InterceptX - Unblocking ransomware



One of our hosts which is protected by Sophos Intercept X was infected with ransomware. 

I've checked Vulnerability Prevention Events in Sophos Console and i found one ransomware event (CryptoGuard) detected two weeks ago which was blocked.

Suspicious file (c:\windows\windebug.exe)

However on History Events for the affected host on Sophos Console there is an event that indicates that 13 days after this ransomware was blocked it was unblocked.

Can anyone explain why this unblocking happened?

Is it possible that some privileged user on affected host had allow execution of a file that cause ransomware infection?