Hello,
I got the response from the Sophos team:
SophosLabs analyzes files that are detected by Realtime Scanning - Files, Web Control and so on, but when it comes to CryptoGuard detections such as this, the detections are due to the behavior of the application/file.
For more information about CryptoGuard detections, here is an article:
Sophos Central Endpoint and Server: CryptoGuard detections and their required actions
If you think it is a false positive, you can go to the Event and select Details.
Scroll down and check the box Exclude the Detection ID from checking.
This will whitelist the current Detection ID which is the most secure option.
After this, the exclusions would be applied to the entire sub-estate and the detections must stop occurring.
I'm not sure what behavior they are detecting, so it's hard to fix it on our side.