There needs to be a way to deal with old Alerts and Warnings which have gone past the displayable events logs. If any event is causing an endpoint to stay consistently in Red Alert or Yellow Warning state, then the event should stay persistent and never go away until addressed. There's no way to deal with these issues currently other than to uninstall/reinstall Sophos completely or follow the below instructions from Sophos. This will only clear the events log to stop the alerts from showing, but doesn't actually address the original alerts.

1. Disable tamper Protection


2. Stop Sophos Health service


3. Navigate to folder C:\ProgramData\Sophos\Health\Event Store\Database


4. Rename events.db to eventsold.db


5. Restart Sophos Health service


6. Kill the Sophos UI from Task Manager


7. Re-launch Sophos UI.exe from C:\Program Files\Sophos\Sophos UI

Whenever I'm forced to do a manual cleanup, I invariably use the same tools, which are effective but scattered and sometimes difficult to use. It would be great if some of these items were packaged together and could be run from a "cleanup dashboard". A Swiss Army knife for repairing infected endpoints. Often, I'm responding to a new customer that doesn't have Sophos yet and this is my time to shine and SELL.
-Sysinternals Autoruns
-Refined SOI tool (archaic and easy to accidentally shut down) that can pinpoint the faulty node without me poring over 25MB of text
-Sophos batch scripts for uninstalls, registry key hijacks, etc.
-Something like RKill to stop malware running in memory

If something like this could be developed for partners it would save me a ton of time and give me a vector to sell more product.

Sophos has been aware of a simple False Positive since 18th January, 2017 where a simple Word Doc in a ZIP File (Created by a Medical Program) is flagged as Mal-DrodZp-A. It was logged as #6892784. I kept going back and forth with Sophos for 8 Months until Sophos demanded a Password for the ZIP File, which we could not comply with since it contained private Customer Data. Despite the many, many workarounds Sophos had me do, Sophos Endpoint STILL grabs the file every time a VSS copy is made, despite VSS being turned OFF. This produces thousands of errors in the Backup Logs and still kills our Client's Backups regularly. Sophos has repeatedly refused to refer the issue to their Developers to fix. This is absolutely no good enough! Sophos, please fix this!