04-17-2026 04:06 AM
Hello Team,
Again we got a spike for similar StoreDesktopExtension.exe alerts today. Any specific reason?
CGO : C:\Windows\System32\sihost.exe
Initiator path : C:\Program Files\WindowsApps\Microsoft.WindowsStore_22603.1401.7.0_x64__8wekyb3d8bbwe\StoreDesktopExtension.exe
04-17-2026 11:28 AM
Hello @S.Rembhotkar ,
Greetings for the day.
The spike in alerts for StoreDesktopExtension.exe is a known issue involving false positive detections by the Cortex XDR Local Analysis engine.
Legitimate Microsoft Updates:
StoreDesktopExtension.exe is a legitimate Microsoft Windows Store component. Microsoft frequently updates this binary, which changes its file hash.
Local Analysis Heuristics:
When a new version is released, the Local Analysis module (Component 55) may flag the binary as a "Suspicious executable" (CyveraStatus c0400055) based on its machine-learning model before a global WildFire verdict is synchronized to the endpoint.
Communication Failures:
If an endpoint cannot reach the WildFire cloud due to proxy timeouts, DNS issues, or SSL inspection (DPI), it defaults to the local analysis verdict, which may be "Malicious".
Stale Local Cache:
Even after the verdict is updated to "Benign" in WildFire, endpoints may continue to alert if they are utilizing an outdated verdict stored in the agent's local cache.
1. Update Content Version
A permanent fix for these Microsoft Store binaries was included in newer Content Updates. Ensure your endpoints are running Content Version 2130-30377 or later (preferably 2150 or higher).
2. Clear Agent Database
To force the agent to refresh its local verdict cache and retrieve the updated "Benign" status from the cloud, perform a Clear Agent Database action from the XDR Console. Alternatively, restart the agent services using cytool:
You can add a wildcard path exclusion to your Malware Profile under the "Portable Executable and DLL Examination" module:
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
04-20-2026 01:20 AM
Hi,
This is a known False Positive. StoreDesktopExtension.exe is a legitimate Microsoft Store component, and sihost.exe (Shell Infrastructure Host) as the CGO is completely normal Windows behavior.
To stop the alerts, you can add a file exception in the Cortex XDR console:
Endpoint Security > Exceptions > Add Exception
- Path: C:\Program Files\WindowsApps\Microsoft.WindowsStore_**\StoreDesktopExtension.exe
(using wildcard ** covers future Store version updates as well)
Alternatively, you can add the SHA256 hash of the file directly to your Allow List:
Incident Response > Action Center > Allow List > New Action
Hope this helps!
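
Added example (not part of either reply above): before applying the wildcard path exception or allow-listing a hash, this PowerShell check confirms that each StoreDesktopExtension.exe on the endpoint carries a valid Microsoft signature and prints the SHA256 you would allow-list. It assumes an elevated session (WindowsApps is ACL-restricted) and uses a simple match on the signer subject string as the publisher test.

```powershell
# Added example: verify StoreDesktopExtension.exe copies before excluding them.
# Assumption: run from an elevated PowerShell session on the affected endpoint.
$root = 'C:\Program Files\WindowsApps'

$results = Get-ChildItem -Path $root -Directory -Filter 'Microsoft.WindowsStore_*' -ErrorAction Stop |
    ForEach-Object {
        $exe = Join-Path $_.FullName 'StoreDesktopExtension.exe'
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            [pscustomobject]@{
                Path            = $exe
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                SHA256          = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
        }
    }

# Show every copy found, one per installed Store package version.
$results | Format-List

# Anything unsigned, tampered, or signed by another publisher should be
# investigated rather than excluded. The subject match is a simple heuristic.
$suspect = $results | Where-Object {
    $_.SignatureStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}

if ($suspect) {
    Write-Warning "Do not exclude these files until they are reviewed:"
    $suspect | Format-List Path, SignatureStatus, Signer
} else {
    Write-Output "All StoreDesktopExtension.exe copies are validly signed by Microsoft."
}
```

A path exception trusts whatever sits at that location, so rerun the check after Store updates if you rely on the wildcard rather than on per-hash allow-listing.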

