topic Re: StoreDesktopExtension.exe As greyware in Cortex XDR Discussions

StoreDesktopExtension.exe As greyware

OliverStussi — Tue, 20 Jan 2026 12:12:56 GMT

It was repported on the 13th that StoreDesktopExtension.exe was flagged as malicious by wildfire it is now being flagged as grayware and is flooding us with alerts anyone else experiencing the same?

Re: StoreDesktopExtension.exe As greyware

LeticiaGalisteo — Tue, 20 Jan 2026 12:20:31 GMT

Nos esta pasando lo mismo con StoreDesktopExtension.exe actualmente, alguna respuesta desde Palo Alto?

727d070460fa4764822b5286b1d9b8fbb5512b6e84ad645a99cb34dcede97647

Re: StoreDesktopExtension.exe As greyware

mshamamulla — Tue, 20 Jan 2026 12:23:52 GMT

Hi @OliverStussi

This file was initially flagged by the Local Analysis module or WildFire but has since been reclassified as Benign globally.

If the alerts persist despite the global verdict being Benign, the endpoint may have a stale verdict in its local cache. You can force the agent to re-fetch the correct verdict by clearing its local database.

1) Open an administrative command prompt on the affected endpoint.

2) Stop the agent services (requires the agent uninstall password):

"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable
"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime stop

3) Navigate to C:\ProgramData\Cyvera\LocalSystem\Persistence3\ and delete the following files:

wf_verdicts.db
wf_verdicts.db.lru
wf_retransmissions.db

4) Restart the agent services:

"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime start

"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect enable

Let me know if your query is answered, Thank you!

Re: StoreDesktopExtension.exe As greyware

OliverStussi — Tue, 20 Jan 2026 12:26:53 GMT

on our end it says the verdict changed today from benign to grayware. has it been changed back to benign since this?

Re: StoreDesktopExtension.exe As greyware

OliverStussi — Tue, 20 Jan 2026 12:45:21 GMT

It is now being flagged as benign for us

Re: StoreDesktopExtension.exe As greyware

LeticiaGalisteo — Tue, 20 Jan 2026 14:12:28 GMT

Gracias por tu respuesta,

Por el momento las alertas cesaron, y en nuestra consola tambien fue marcado como Benign.

Re: StoreDesktopExtension.exe As greyware

andreal — Wed, 21 Jan 2026 08:39:20 GMT

because the windows store is installed on almost every windows device, we get many incidents as well. even after the verdict was changed back to benign, we still receive multiple alerts of machines which did not retrieve the latest verdict yet. the same thing happened last week with similar files. are there plans for a solution which prevents these windows store executables false positives from popping up in the first place?

Re: StoreDesktopExtension.exe As greyware

mshamamulla — Wed, 21 Jan 2026 10:41:37 GMT

Add the specific file hash to the Allow List in the Cortex XDR console. This will permit the file to run regardless of the WildFire verdict .
1. Navigate to Incident Response > Action Center > Allow List.
2. Click + New Action and enter the SHA256 hash for StoreDesktopExtension.exe.

Re: StoreDesktopExtension.exe As greyware

D.Moore415468 — Fri, 23 Jan 2026 15:50:41 GMT

The hash seems to change often. We need a long-term solution for this. The alerts are becoming unwelcome noise.