Remote command using Sophos Management


In a recent analysis of a ransomware attack, where BitLocker was used to encrypt the disk, I found that the company was using Sophos.

In the folder C:577-Sophos\AutoUpdate\data\warehouse I found some files that contain executable code and activate BitLocker, using commands like the following for disks F: to Z:

manage-bde -on F: -rp 599368-358941-467368-368093-397672-261921-132506-522577 -sk C:\ -s

I’m not really into Sophos management and administration, but I read that the warehouse folder can be used as a cache for the update installations.

Are these files false positives? Or could malicious actors use Sophos to spread malicious commands?
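A read-only triage script for the situation described in the post, added here as an example; it is not code from the original post, from Sophos, or from the attack. It assumes the warehouse folder path below is a placeholder to be replaced with the real cache location, that the host has the BitLocker PowerShell module (Get-BitLockerVolume), and that it runs with administrative rights. It first inventories cached files that reference manage-bde together with their hash and Authenticode status, then lists the key protectors actually present on each volume, which is the on-disk footprint that the quoted `manage-bde -on ... -rp ... -sk` command would leave behind.

```powershell
# Added triage example (not from the original post or from Sophos).
# Read-only: nothing is modified, encrypted or decrypted.
$Warehouse = 'C:\PATH\TO\Sophos\AutoUpdate\data\warehouse'   # placeholder: set to the real update cache folder

# 1. Inventory every file in the update cache that references manage-bde, the
#    BitLocker command-line tool used in the command quoted in the post.
$hits = Get-ChildItem -Path $Warehouse -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -Pattern 'manage-bde' -SimpleMatch -List -ErrorAction SilentlyContinue

$inventory = foreach ($hit in $hits) {
    $file = Get-Item -LiteralPath $hit.Path
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path         = $file.FullName
        Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        CreatedUtc   = $file.CreationTimeUtc
        ModifiedUtc  = $file.LastWriteTimeUtc
        Signature    = $sig.Status                    # Valid for signed vendor content, NotSigned for a dropped script
        Signer       = $sig.SignerCertificate.Subject
        MatchingLine = $hit.Line.Trim()
    }
}
$inventory | Format-Table -AutoSize -Wrap

# 2. Compare with the live BitLocker state. A RecoveryPassword protector (-rp) or an
#    ExternalKey protector (-sk, the startup key) on a data volume that nobody in the
#    organisation created is what the quoted command leaves behind.
Get-BitLockerVolume | ForEach-Object {
    $vol = $_
    foreach ($kp in $vol.KeyProtector) {
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionPct    = $vol.EncryptionPercentage
            ProtectorType    = $kp.KeyProtectorType   # RecoveryPassword, ExternalKey, Tpm, ...
            ProtectorId      = $kp.KeyProtectorId
        }
    }
} | Format-Table -AutoSize

# 3. Time-bound the activity: BitLocker's own operational log records when
#    protectors were added and encryption was started.
Get-WinEvent -LogName 'Microsoft-Windows-BitLocker/BitLocker Management' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-30) } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

The first table is what separates a false positive from a dropped payload: genuine update content in a vendor cache should carry a valid signature from the vendor, whereas an unsigned batch or script file that invokes manage-bde has no business there regardless of which folder it sits in. The second and third outputs tie those files to effect and time, so the question "did these files actually run?" can be answered from protector IDs and log timestamps rather than from the folder name alone.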