Earlier today, Comodo gave me an interesting false positive. I don't remember exactly what the file was called, but I think it was something along the lines of "gnu-GPLv2.txt". I don't see how an ASCII text file with no executable code could be malware. It's just a software license that protects your freedom!
Anyway, I'm going to side with Xercus here: accidents happen. If Sophos does this frequently, then I guess they suck. But, seeing as how this has only happened this once, it can be forgiven.