Sophos Values \ Status - Can anyone explain what they mean \ their definition ?

Question

Good Morning Sophos Community 
 
 Thank you for your time looking at my question, I am new to this community and relatively new to Sophos. 
 We as a business are currently running "Sophos Endpoint Security and Control" on about 2000 laptops \ Desktops. 
 I am to produce reports fro Quarterly management meetings on what has been detected by Sophos and how the software dealt with what if found. 
 Is there a document anywhere which can clearly explain the thinking behind the classifications ? 
 
 1- Action Taken = "Cleaned Up", "Blocked" "None" "Acknowledged" "Authorized" " Cleared from the end point QM" "No longer Present" 
 2- Status = "Resolved", "Cleanable", "Threat Type Not Cleanable" 
 
 If I go to this meeting then these categories will create more questions "What does "No longer Present" mean ???? 
 As long as I can explain what each category means then that will be fine. 
 
 If anyone can help point me to a document or explain I would be very grateful. 
 Many Thanks 
 D

Karlos · Accepted Answer

Hi David, 
 What are you using to manage your endpoints? Is it our Sophos Central or Sophos Enterprise Console? 
 If it's the latter, page 54 of the guide has explanations on the different Cleanup Statuses: Sophos Enterprise Console Help 
 Cheers, 
 Karlos

QC · Answer

Hello D, 
 I'm not sure whether I've moved this to the correct group as I'm using SESC but I never came across Cleared from the end point QM (but maybe you haven't quoted the exact message). 
 One should be careful when interpreting the terms as the actual meaning is not always independent of the context. In addition to the doc Karlos mentioned some details: Cleaned Up means that the offending file has been cleaned (i.e. sanitized or deleted) and potential additional actions haven been performed (like modified registry values set to the default). Sometimes it's partially removed , e.g. when processes (might) have loaded a malicious DLL and complete cleanup requires them to be restarted. Blocked is the "minimum" action when a threat has been detected on a file open. Access to the file is denied. A scan might also be performed on close-write, a block is not possible in this case so the initial action is None . None is also seen with scheduled scans as there's nothing to block. No longer Present means that a threat has been detected, a subsequent cleanup (whether automatic or requested) didn't find the file though. E.g. a file might have meanwhile been deleted from a cache. Acknowledged means that the alert has been cleared - until recently it was just that, with CryptoGuard (ransomware protection) it also unblocks the process. When a user (local admin) clears an alert from QM you'll see Removed from quarantine list . Under certain circumstances the cleanup routine might do it and the user displayed is SYSTEM (as far as I could see the threat is no longer present). 
 I hope this isn't confusing. I assume there are several reasons why it is not as clear as one might wish - architecture of the Sophos software (Endpoint and Management) which should give consistent results (regardless of endpoint, management, and platform versions) as far as this is possible, changes in the OS architecture that result in new engine strategies that can't completely and unambiguously be represented in the existing architecture, last but not least that complex results would rather obscure the big picture than give more insight. 
 Christian