topic Re: Cortex false positives for OneDriveLauncher.exe? in Cortex XDR Discussions

Cortex false positives for OneDriveLauncher.exe?

JGrover1 — Tue, 03 Jun 2025 12:35:49 GMT

For the last few days I've had random machines (some with fresh Windows installs) triggering Cortex alerts when logging into OneDrive.

The alert is Behavioral threat detected (rule: parent_process_spoofing) and the path is the legitimate OneDrive executable at C:\Program Files\Microsoft OneDrive\25.085.0504.0002\OneDriveLauncher.exe.

Has anyone else been seeing this?

Re: Cortex false positives for OneDriveLauncher.exe?

austin.griffin — Tue, 03 Jun 2025 14:54:59 GMT

I have also been seeing this, exact same path and version of OneDrive.

Re: Cortex false positives for OneDriveLauncher.exe?

mavega — Tue, 03 Jun 2025 17:11:51 GMT

Hi,

Thanks for reaching out LC.

This false positive has already been noticed and is planned to be fixed on next content releases.

Please test out after next release and if issue still persists open a support ticket to get further analysis on your issue.

If you feel this answered your question please mark as solution.

Regards,

Re: Cortex false positives for OneDriveLauncher.exe?

D.Moore415468 — Tue, 03 Jun 2025 19:38:59 GMT

I've seen process spoofing incidents on FileCoAuth.exe, OneDriveLauncher.exe, and OneDrive.exe.

Re: Cortex false positives for OneDriveLauncher.exe?

Vijisaga — Tue, 03 Jun 2025 19:39:41 GMT

Hello,

We are also receiving the same alert, but it's from a different file path. Can you please confirm that this is a false positive? I would like to know why Cortex XDR is blocking it, as it is a legitimate file:

C:\Users\xxx\AppData\Local\Microsoft\OneDrive\25.085.0504.0002\OneDriveLauncher.exe

C:\Users\xxx\AppData\Local\Microsoft\OneDrive\25.085.0504.0002\FileCoAuth.exe

Re: Cortex false positives for OneDriveLauncher.exe?

Karl-Foley — Wed, 04 Jun 2025 08:41:52 GMT

We've been seeing the same for the last couple of weeks. Either associated directly with OneDrive or occasionally with Word and an ai.exe process (assuming co-pilot here). Good to know we're not alone and that it will be fixed in the next content pack. Any ideas on dates for that please?

Re: Cortex false positives for OneDriveLauncher.exe?

Arman_Zaheri — Tue, 10 Jun 2025 08:04:34 GMT

Hello,

Thanks for the clarification. Just to confirm, after which content release should we expect this problem is fixed? We're still receiving this alert, and I need to compare the client content version with the fixed one.

Br,

Re: Cortex false positives for OneDriveLauncher.exe?

Karl-Foley — Fri, 13 Jun 2025 08:14:03 GMT

We haven't seen this issue after the content update released on 10th June:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-and-Traps-Content-Update-Release-Notes-Version-1820/Version-Information

Although I have noticed the release notes have changed as it originally showed this:

This was in the original 10th June content release notes