https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-pop-ups-triggered-for-storedesktopextension-exe-despite/m-p/1246406#M310 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1235306403">@J.Fernando795842</a>&nbsp;,</P> <P>&nbsp;</P> <P>this was a known issue where the wildfire detection engine has got updates from threat intel about specific Hash related to this application and was flagged malicious. However, this was immediately reverted and the effects on the tenant may last a few hours. Inorder to prevent business impact, you can consider adding the SHA256 to allow list for the time being and remove it later.&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps. Please mark the response as "Accepted as Solution" if helps</P> Fri, 23 Jan 2026 10:10:14 GMT neelrohit 2026-01-23T10:10:14Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-pop-ups-triggered-for-storedesktopextension-exe-despite/m-p/1246143#M308 <P data-start="464" data-end="612">Users are continuing to receive Cortex alert pop-ups for <STRONG data-start="521" data-end="550">StoreDesktopExtension.exe</STRONG> even after the executable was added to the Cortex block list.</P> <P data-start="614" data-end="631"><STRONG data-start="614" data-end="631">Observations:</STRONG></P> <UL data-start="632" data-end="805"> <LI data-start="632" data-end="687"> <P data-start="634" data-end="687">The file is already present in the Cortex block list.</P> </LI> <LI data-start="688" data-end="749"> <P data-start="690" data-end="749">Alerts/pop-ups are still being triggered on user endpoints</P> </LI> <LI data-start="688" data-end="749">Is it related to Windows Security Update?</LI> <LI data-start="688" data-end="749">Restarting the machine is resolving the issue. However, post that the "Windows Store App" cannot be accessed</LI> </UL> Wed, 21 Jan 2026 17:59:38 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-pop-ups-triggered-for-storedesktopextension-exe-despite/m-p/1246143#M308 J.Fernando795842 2026-01-21T17:59:38Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-pop-ups-triggered-for-storedesktopextension-exe-despite/m-p/1246406#M310 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1235306403">@J.Fernando795842</a>&nbsp;,</P> <P>&nbsp;</P> <P>this was a known issue where the wildfire detection engine has got updates from threat intel about specific Hash related to this application and was flagged malicious. However, this was immediately reverted and the effects on the tenant may last a few hours. Inorder to prevent business impact, you can consider adding the SHA256 to allow list for the time being and remove it later.&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps. Please mark the response as "Accepted as Solution" if helps</P> Fri, 23 Jan 2026 10:10:14 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-pop-ups-triggered-for-storedesktopextension-exe-despite/m-p/1246406#M310 neelrohit 2026-01-23T10:10:14Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-pop-ups-triggered-for-storedesktopextension-exe-despite/m-p/1246506#M311 <P>Hi,<BR />Known false positive: StoreDesktopExtension.exe is legit MS Store component, flagged by Cortex behavioral rules during updates/servicing.<BR /><BR /></P> <P>Block list stops execution but not BIOC alerts/pop-ups. Restart clears cache temporarily, but can break Store if quarantined earlier.<BR /><BR /></P> <P>Fix:</P> <P>Exceptions &gt; Add File exception:<BR />Allow<BR /><BR /><STRONG>Path</STRONG>: *StoreDesktopExtension.exe<BR />Or full: C:\Program Files\WindowsApps\Microsoft.WindowsStore_**\StoreDesktopExtension.exe<BR />Add SHA256 from alert</P> <P>In alerts/incidents: close as FP &gt; suppress rule for this hash/behavior<BR />Force sync: host &gt; Response &gt; Refresh Policy<BR />(or endpoint: cytool checkin)</P> <P>If Store broken: run wsreset.exe or reset via PowerShell:</P> <P>Get-AppXPackage WindowsStore -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}</P> <P>Alerts stop after sync. If not, send BIOC ID / SHA256 / agent version, I'll script the exact suppression.<BR /><BR /></P> <P><EM>Guilherme Lucas</EM><BR /><EM>Senior Security Researcher | Red Team / Exploit Dev</EM></P> Sun, 25 Jan 2026 05:15:45 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-pop-ups-triggered-for-storedesktopextension-exe-despite/m-p/1246506#M311 tonacoecarvalho.adv 2026-01-25T05:15:45Z