Sophos Values \ Status - Can anyone explain what they mean \ their definition ?

Good Morning Sophos Community


Thank you for your time looking at my question, I am new to this community and relatively new to Sophos.

We as a business are currently running "Sophos Endpoint Security and Control" on about 2000 laptops \ Desktops.

I am to produce reports fro Quarterly management meetings on what has been detected by Sophos and how the software dealt with what if found.

Is there a document anywhere which can clearly explain the thinking behind the classifications ?


1- Action Taken = "Cleaned Up", "Blocked" "None" "Acknowledged" "Authorized" " Cleared from the end point QM" "No longer Present"

2- Status = "Resolved", "Cleanable", "Threat Type Not Cleanable"


If I go to this meeting then these categories will create more questions "What does "No longer Present" mean ????

As long as I can explain what each category means then that will be fine.


If anyone can help point me to a document or explain I would be very grateful.

Many Thanks







  • Hi David,

    What are you using to manage your endpoints? Is it our Sophos Central or Sophos Enterprise Console?

    If it's the latter, page 54 of the guide has explanations on the different Cleanup Statuses: Sophos Enterprise Console Help



  • In reply to Karlos:

    Many Thanks Karols,

    I eventually found this last night and will many thanks for getting back to me.




  • Hello D,

    I'm not sure whether I've moved this to the correct group as I'm using SESC but I never came across Cleared from the end point QM (but maybe you haven't quoted the exact message).

    One should be careful when interpreting the terms as the actual meaning is not always independent of the context. In addition to the doc Karlos mentioned some details:
    Cleaned Up means that the offending file has been cleaned (i.e. sanitized or deleted) and potential additional actions haven been performed (like modified registry values set to the default). Sometimes it's partially removed, e.g. when processes (might) have loaded a malicious DLL and complete cleanup requires them to be restarted.
    Blocked is the "minimum" action when a threat has been detected on a file open. Access to the file is denied. A scan might also be performed on close-write, a block is not possible in this case so the initial action is NoneNone is also seen with scheduled scans as there's nothing to block.
    No longer Present means that a threat has been detected, a subsequent cleanup (whether automatic or requested) didn't find the file though. E.g. a file might have meanwhile been deleted from a cache.
    Acknowledged means that the alert has been cleared - until recently it was just that, with CryptoGuard (ransomware protection) it also unblocks the process.
    When a user (local admin) clears an alert from QM you'll see Removed from quarantine list. Under certain circumstances the cleanup routine might do it and the user displayed is SYSTEM (as far as I could see the threat is no longer present).

    I hope this isn't confusing. I assume there are several reasons why it is not as clear as one might wish - architecture of the Sophos software (Endpoint and Management) which should give consistent results (regardless of endpoint, management, and platform versions) as far as this is possible, changes in the OS architecture that result in new engine strategies that can't completely and unambiguously be represented in the existing architecture, last but not least that complex results would rather obscure the big picture than give more insight.


  • In reply to QC:

    Thanks v much Christian

    I need to have the meanings for a non tech audience who are going to ask me what "Acknowledged" actually means etc.

    Thanks for taking the time to answer my question so clearly.

    I really appreciate your time with this.

    Thanks again