Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?


L1 Bithead

Hi community,

Wondering if anyone else is seeing BT alerts for sdiagnhost.exe appearing over the last 24 hours? We have had similar things occur in the past due to overexcited signature updates causing false positives.


This process is one that MSDT Follina uses, but the servers it is popping up on do not run any Office products, so we are confident it's not that, and we mitigated the MSDT issues back when they first hit the news.




Hi, we are observing the same behaviour at different customers; some of them are behind the patch level but others are not. We are concerned about Follina too, because for some of the alerts we had confirmation of unsolicited mail with attachments but, for other systems, there was no reason for an alert...

We opened a ticket with support, just in case.

L4 Transporter

Hi @adminBandE and @RobertoPastorino 

As Roberto has done, I would recommend opening a TAC support ticket under if you suspect that there is a weird behavior of BT protection. On top of that, observe and investigate the incidents related to these alerts and do not discard them as a false positive until you are sure that it really is a false positive.


L0 Member

Yes, we are seeing them as well. Microsoft released a patch for Follina about 2.5 weeks ago. I can only assume something they patched is triggering this event.

Support replied confirming the issue as a false positive that will be addressed in a minor CU release due this week.

In the meantime they suggested the creation of an alert exclusion for the CGO path and process for the affected agents only, to be removed after the CU is released.


Given the elusiveness of the exploit, the fact that some BUs are deaf to the necessity of quick patching, and that for at least two endpoints there was a confirmed case of downloaded unsolicited email with Office attachments, I will treat this case as a true positive, waiting for the CU to be released.



Thank you for sharing their response! We have not implemented a "bypass"; we are seeing no negative effects of the blocking besides the alert messages. We will wait for them to patch it. Have a good Monday!

We are also ignoring due to the risk of missing a legitimate alert. Not seeing this occur much in the environment and only on servers, thankfully.
