https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-photos-exe/m-p/1247534#M9101 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/286656921">@J.Indoc</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>Yes, this is a known behavior where the legitimate <STRONG>Microsoft Photos.exe</STRONG> process triggers <STRONG>“Suspicious File Modification”</STRONG> alerts within the <STRONG>Anti-Ransomware Protection</STRONG> module. These alerts are typically false positives caused by the application interacting with <STRONG>decoy files</STRONG> created by the Cortex XDR agent.</P> <HR /> <H4>Root Cause Analysis</H4> <H5>Decoy (Honeypot) Files</H5> <P>The Anti-Ransomware module places hidden decoy files (often starting with <CODE>ZZZZZ</CODE> or <CODE>!!!!!</CODE>) in various directories to detect encryption attempts.</P> <H5>Application Behavior</H5> <P>Applications like the Windows Photos app often scan, index, or perform cleanup operations on directories where these decoys reside. When <STRONG>Photos.exe</STRONG> modifies or even enumerates these protected files, the agent may interpret this behavior as potential ransomware activity and generate an alert.</P> <H5>Aggressive Mode</H5> <P>These alerts are most frequent when the Ransomware Protection module is set to <STRONG>Aggressive</STRONG> mode. In this mode, the agent places more decoy files in user-accessible locations, increasing the likelihood that benign applications will interact with them.</P> <HR /> <H4>Recommended Resolutions</H4> <H5>1. Revert to Normal Protection Mode (Standard Fix)</H5> <P>The most common way to resolve these false positives is to change the protection mode from <STRONG>Aggressive</STRONG> to <STRONG>Normal</STRONG> in the Malware Security Profile. Normal mode maintains strong protection while reducing exposure of decoy files to benign processes.</P> <P><STRONG>Steps:</STRONG></P> <UL> <LI> <P>Navigate to <STRONG>Endpoints → Policy Management → Prevention → Profiles</STRONG></P> </LI> <LI> <P>Edit the <STRONG>Malware Security Profile</STRONG> assigned to the affected endpoints</P> </LI> <LI> <P>Locate the <STRONG>Anti-Ransomware Protection</STRONG> section</P> </LI> <LI> <P>Change <STRONG>Protection Mode</STRONG> from <EM>Aggressive</EM> to <EM>Normal</EM></P> </LI> <LI> <P>Save the profile and ensure it is applied to the relevant policy rules</P> </LI> </UL> <H5>2. Create a Process Exception</H5> <P>If <STRONG>Aggressive</STRONG> mode must remain enabled, you can create a targeted exception for <STRONG>Photos.exe</STRONG> to prevent it from being monitored by the Anti-Ransomware module.</P> <P><STRONG>Steps:</STRONG></P> <UL> <LI> <P>Go to <STRONG>Settings → Exception Configurations → Legacy Agent Exceptions</STRONG></P> </LI> <LI> <P>Click <STRONG>+ Add Rule</STRONG> and select the appropriate platform (Windows)</P> </LI> <LI> <P>Select <STRONG>Process Exceptions</STRONG> as the module type</P> </LI> <LI> <P>In <STRONG>Target Properties</STRONG>, enter the process name: <CODE>photos.exe</CODE></P> </LI> <LI> <P>In <STRONG>Module Name</STRONG>, select <STRONG>Anti-Ransomware Protection</STRONG> and add it</P> </LI> <LI> <P>Define the scope (Global or specific Profiles) and click <STRONG>Create</STRONG></P> </LI> </UL> <HR /> <H5>3. Hash Exception</H5> <P>Alternatively, you can add the specific file hash of the legitimate <STRONG>Photos.exe</STRONG> binary to the <STRONG>Allow List (Hash Exceptions)</STRONG>. This approach is useful if the behavior is isolated to a specific version of the executable.</P> <HR /> <H4>Verification</H4> <P>You can confirm that the alert was triggered by decoy file interaction by reviewing the alert data dump. Indicators typically include file paths similar to:</P> <UL> <LI> <P><CODE>C:\ProgramData\Cyvera\Ransomware\...\ZZZZZ.doc</CODE></P> </LI> <LI> <P><CODE>C:\Users\&lt;user&gt;\Pictures\!!!!!.jpg</CODE><CODE></CODE></P> <P><CODE><BR /></CODE>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P><CODE></CODE></P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P><CODE>&nbsp;</CODE></P> </LI> </UL> Thu, 05 Feb 2026 16:19:00 GMT susekar 2026-02-05T16:19:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-photos-exe/m-p/1247459#M9097 <P>Hi,</P> <P>Does anyone experience receiving alerts from photos.exe due to "Suspicious File Modification" and the Module is "Anti-Ransomware Protection" even the program is legitimate?<BR />Other factors I'm seeing is due to possibly outdated version of the said program. *See attached reference photo*<BR /><BR />I'm hoping from anyone's advice from other members with the same experience on how you handle this issue and some pointers on how to resolve it.</P> <P><BR />Cheers!&nbsp;</P> Thu, 05 Feb 2026 15:55:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-photos-exe/m-p/1247459#M9097 J.Indoc 2026-02-05T15:55:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-photos-exe/m-p/1247534#M9101 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/286656921">@J.Indoc</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>Yes, this is a known behavior where the legitimate <STRONG>Microsoft Photos.exe</STRONG> process triggers <STRONG>“Suspicious File Modification”</STRONG> alerts within the <STRONG>Anti-Ransomware Protection</STRONG> module. These alerts are typically false positives caused by the application interacting with <STRONG>decoy files</STRONG> created by the Cortex XDR agent.</P> <HR /> <H4>Root Cause Analysis</H4> <H5>Decoy (Honeypot) Files</H5> <P>The Anti-Ransomware module places hidden decoy files (often starting with <CODE>ZZZZZ</CODE> or <CODE>!!!!!</CODE>) in various directories to detect encryption attempts.</P> <H5>Application Behavior</H5> <P>Applications like the Windows Photos app often scan, index, or perform cleanup operations on directories where these decoys reside. When <STRONG>Photos.exe</STRONG> modifies or even enumerates these protected files, the agent may interpret this behavior as potential ransomware activity and generate an alert.</P> <H5>Aggressive Mode</H5> <P>These alerts are most frequent when the Ransomware Protection module is set to <STRONG>Aggressive</STRONG> mode. In this mode, the agent places more decoy files in user-accessible locations, increasing the likelihood that benign applications will interact with them.</P> <HR /> <H4>Recommended Resolutions</H4> <H5>1. Revert to Normal Protection Mode (Standard Fix)</H5> <P>The most common way to resolve these false positives is to change the protection mode from <STRONG>Aggressive</STRONG> to <STRONG>Normal</STRONG> in the Malware Security Profile. Normal mode maintains strong protection while reducing exposure of decoy files to benign processes.</P> <P><STRONG>Steps:</STRONG></P> <UL> <LI> <P>Navigate to <STRONG>Endpoints → Policy Management → Prevention → Profiles</STRONG></P> </LI> <LI> <P>Edit the <STRONG>Malware Security Profile</STRONG> assigned to the affected endpoints</P> </LI> <LI> <P>Locate the <STRONG>Anti-Ransomware Protection</STRONG> section</P> </LI> <LI> <P>Change <STRONG>Protection Mode</STRONG> from <EM>Aggressive</EM> to <EM>Normal</EM></P> </LI> <LI> <P>Save the profile and ensure it is applied to the relevant policy rules</P> </LI> </UL> <H5>2. Create a Process Exception</H5> <P>If <STRONG>Aggressive</STRONG> mode must remain enabled, you can create a targeted exception for <STRONG>Photos.exe</STRONG> to prevent it from being monitored by the Anti-Ransomware module.</P> <P><STRONG>Steps:</STRONG></P> <UL> <LI> <P>Go to <STRONG>Settings → Exception Configurations → Legacy Agent Exceptions</STRONG></P> </LI> <LI> <P>Click <STRONG>+ Add Rule</STRONG> and select the appropriate platform (Windows)</P> </LI> <LI> <P>Select <STRONG>Process Exceptions</STRONG> as the module type</P> </LI> <LI> <P>In <STRONG>Target Properties</STRONG>, enter the process name: <CODE>photos.exe</CODE></P> </LI> <LI> <P>In <STRONG>Module Name</STRONG>, select <STRONG>Anti-Ransomware Protection</STRONG> and add it</P> </LI> <LI> <P>Define the scope (Global or specific Profiles) and click <STRONG>Create</STRONG></P> </LI> </UL> <HR /> <H5>3. Hash Exception</H5> <P>Alternatively, you can add the specific file hash of the legitimate <STRONG>Photos.exe</STRONG> binary to the <STRONG>Allow List (Hash Exceptions)</STRONG>. This approach is useful if the behavior is isolated to a specific version of the executable.</P> <HR /> <H4>Verification</H4> <P>You can confirm that the alert was triggered by decoy file interaction by reviewing the alert data dump. Indicators typically include file paths similar to:</P> <UL> <LI> <P><CODE>C:\ProgramData\Cyvera\Ransomware\...\ZZZZZ.doc</CODE></P> </LI> <LI> <P><CODE>C:\Users\&lt;user&gt;\Pictures\!!!!!.jpg</CODE><CODE></CODE></P> <P><CODE><BR /></CODE>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P><CODE></CODE></P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P><CODE>&nbsp;</CODE></P> </LI> </UL> Thu, 05 Feb 2026 16:19:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-photos-exe/m-p/1247534#M9101 susekar 2026-02-05T16:19:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-photos-exe/m-p/1247744#M9105 <P>Hi,&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/241098">@susekar</a>,<BR />Thank you for your insights in my concern. All recommended methods are all working.</P> Mon, 09 Feb 2026 16:59:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/microsoft-photos-exe/m-p/1247744#M9105 J.Indoc 2026-02-09T16:59:06Z