02-04-2026 12:30 PM - edited 02-05-2026 07:55 AM
Hi,
Does anyone experience receiving alerts from photos.exe due to "Suspicious File Modification", where the Module is "Anti-Ransomware Protection", even though the program is legitimate?
Another factor I'm seeing is a possibly outdated version of the said program. *See attached reference photo*
I'm hoping for advice from other members with the same experience on how you handle this issue, and some pointers on how to resolve it.
Cheers!
02-05-2026 08:19 AM
Hello @J.Indoc ,
Greetings for the day.
Yes, this is a known behavior where the legitimate Microsoft Photos.exe process triggers “Suspicious File Modification” alerts within the Anti-Ransomware Protection module. These alerts are typically false positives caused by the application interacting with decoy files created by the Cortex XDR agent.
The Anti-Ransomware module places hidden decoy files (often starting with ZZZZZ or !!!!!) in various directories to detect encryption attempts.
Applications like the Windows Photos app often scan, index, or perform cleanup operations on directories where these decoys reside. When Photos.exe modifies or even enumerates these protected files, the agent may interpret this behavior as potential ransomware activity and generate an alert.
These alerts are most frequent when the Ransomware Protection module is set to Aggressive mode. In this mode, the agent places more decoy files in user-accessible locations, increasing the likelihood that benign applications will interact with them.
The most common way to resolve these false positives is to change the protection mode from Aggressive to Normal in the Malware Security Profile. Normal mode maintains strong protection while reducing exposure of decoy files to benign processes.
Steps:
1. Navigate to Endpoints → Policy Management → Prevention → Profiles
2. Edit the Malware Security Profile assigned to the affected endpoints
3. Locate the Anti-Ransomware Protection section
4. Change Protection Mode from Aggressive to Normal
5. Save the profile and ensure it is applied to the relevant policy rules
If Aggressive mode must remain enabled, you can create a targeted exception for Photos.exe to prevent it from being monitored by the Anti-Ransomware module.
Steps:
1. Go to Settings → Exception Configurations → Legacy Agent Exceptions
2. Click + Add Rule and select the appropriate platform (Windows)
3. Select Process Exceptions as the module type
4. In Target Properties, enter the process name: photos.exe
5. In Module Name, select Anti-Ransomware Protection and add it
6. Define the scope (Global or specific Profiles) and click Create
Alternatively, you can add the specific file hash of the legitimate Photos.exe binary to the Allow List (Hash Exceptions). This approach is useful if the behavior is isolated to a specific version of the executable.
You can confirm that the alert was triggered by decoy file interaction by reviewing the alert data dump. Indicators typically include file paths similar to:
C:\ProgramData\Cyvera\Ransomware\...\ZZZZZ.doc
C:\Users\<user>\Pictures\!!!!!.jpg
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
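The decoy-path check described above, scripted as an added triage example (not code from the original post or from Palo Alto Networks): it classifies an Anti-Ransomware alert as a likely false positive only when the touched path looks like a decoy file and the process is on a known-benign list, and sends everything else to investigation. The decoy prefixes and the Cyvera decoy directory come from the reply above; the alert field names, the sample alerts and the regex are assumptions made for this example.

```python
import ntpath
import re
from dataclasses import dataclass

# Decoy filename prefixes mentioned in the reply (ZZZZZ or !!!!!); regex is an assumption.
DECOY_NAME_RE = re.compile(r"^(ZZZZZ|!{5})", re.IGNORECASE)
# Agent decoy directory mentioned in the reply, as lowercased path components.
DECOY_DIR_MARKER = ("programdata", "cyvera", "ransomware")


@dataclass
class Alert:
    process: str      # image name from the alert, e.g. "photos.exe" (assumed field)
    module: str       # Cortex XDR module that raised the alert (assumed field)
    target_path: str  # file path taken from the alert data dump (assumed field)


def is_decoy_path(path: str) -> bool:
    """True if the path looks like an Anti-Ransomware decoy file."""
    norm = path.replace("/", "\\")
    parts = [p.lower() for p in norm.split("\\") if p]
    if DECOY_NAME_RE.match(ntpath.basename(norm)):
        return True
    # Any file under the agent's decoy directory counts, whatever its name.
    width = len(DECOY_DIR_MARKER)
    return any(tuple(parts[i:i + width]) == DECOY_DIR_MARKER
               for i in range(len(parts) - width + 1))


def triage(alert: Alert, benign_processes=frozenset({"photos.exe"})) -> str:
    """Return a triage verdict; only decoy + known-benign process is a likely false positive."""
    if alert.module != "Anti-Ransomware Protection":
        return "other-module"
    if not is_decoy_path(alert.target_path):
        return "investigate: non-decoy file touched"
    if alert.process.lower() in benign_processes:
        return "likely-false-positive: known benign process touched decoy"
    return "investigate: unexpected process touched decoy"


# Constructed sample alerts for a stand-alone run.
SAMPLE_ALERTS = [
    Alert("photos.exe", "Anti-Ransomware Protection", r"C:\Users\alice\Pictures\!!!!!.jpg"),
    Alert("photos.exe", "Anti-Ransomware Protection", r"C:\Users\alice\Pictures\holiday.jpg"),
    Alert("unknown.exe", "Anti-Ransomware Protection", r"C:\ProgramData\Cyvera\Ransomware\a\b.txt"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.process:12} {a.target_path:50} -> {triage(a)}")
```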