Behavioral Threat alerts for sdiagnhost.exe spawning cronhost.exe - false positive?



L1 Bithead

Hi community,

Wondering if anyone else is seeing BT alerts for sdiagnhost.exe appearing over the last 24 hours? We have had similar things occur in the past due to overexcited signature updates causing false positives.


This process is one that MSDT Follina uses, but the servers it is popping up on do not run any Office products, so we're confident it's not that, and we mitigated MSDT issues back when they first hit the news.




Hi, we are observing the same behaviour on different customers; some of them are behind the patch level but others are not. We are concerned over Follina too, because for some of the alerts we had confirmation of unsolicited mail with attachments but, for other systems, there was no reason for an alert...

We opened a ticket with support, just in case.

L4 Transporter

Hi @adminBandE and @RobertoPastorino,

As Roberto has done, I would recommend opening a TAC support ticket if you suspect that there is weird behavior of BT protection. On top of that, observe and investigate the incidents related to these alerts and do not discard them as a false positive until you are sure that it really is a false positive.


L0 Member

Yes, we are seeing them as well. Microsoft released a patch for Follina about 2.5 weeks ago. I can only assume something they patched is triggering this event.
