01-20-2026 04:12 AM
It was reported on the 13th that StoreDesktopExtension.exe was flagged as malicious by WildFire. It is now being flagged as grayware and is flooding us with alerts. Anyone else experiencing the same?
01-20-2026 04:23 AM
This file was initially flagged by the Local Analysis module or WildFire but has since been reclassified as Benign globally.
If the alerts persist despite the global verdict being Benign, the endpoint may have a stale verdict in its local cache. You can force the agent to re-fetch the correct verdict by clearing its local database.
1) Open an administrative command prompt on the affected endpoint.
2) Stop the agent services (requires the agent uninstall password):
"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable
"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime stop
3) Navigate to C:\ProgramData\Cyvera\LocalSystem\Persistence3\ and delete the following files:
wf_verdicts.db
wf_verdicts.db.lru
wf_retransmissions.db
4) Restart the agent services:
"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime start
"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect enable
Let me know if your query is answered, Thank you!
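The four manual steps in the reply above, wrapped in a PowerShell script as an added example (not part of the original reply and not Palo Alto Networks' own tooling). It uses only the paths, file names and cytool subcommands given in the post; the variable names are illustrative, and the try/finally is an addition so the agent is restarted and protection re-enabled even if a delete fails.

```powershell
#Requires -RunAsAdministrator
# Added example: automates the cache-clearing steps from the reply above.
# cytool prompts interactively for the agent uninstall password.
# cytool's exit codes are not inspected here; a failed delete raises a
# terminating error and the finally block still restarts the agent.

$cytool     = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'
$cacheDir   = 'C:\ProgramData\Cyvera\LocalSystem\Persistence3'
$cacheFiles = 'wf_verdicts.db', 'wf_verdicts.db.lru', 'wf_retransmissions.db'

if (-not (Test-Path -LiteralPath $cytool)) {
    throw "cytool.exe not found at $cytool"
}

try {
    # Step 2: stop the agent services
    & $cytool protect disable
    & $cytool runtime stop

    # Step 3: delete only the three verdict cache files named in the post
    foreach ($name in $cacheFiles) {
        $path = Join-Path $cacheDir $name
        if (Test-Path -LiteralPath $path) {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
            Write-Host "Removed $path"
        } else {
            Write-Host "Not present, skipped: $path"
        }
    }
}
finally {
    # Step 4: always bring the agent back up, even if a delete failed
    & $cytool runtime start
    & $cytool protect enable
}
```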
01-20-2026 04:18 AM - edited 01-20-2026 04:20 AM
We are currently seeing the same thing with StoreDesktopExtension.exe. Any response from Palo Alto?
727d070460fa4764822b5286b1d9b8fbb5512b6e84ad645a99cb34dcede97647
01-20-2026 04:26 AM
On our end it says the verdict changed today from benign to grayware. Has it been changed back to benign since this?
01-20-2026 04:45 AM
It is now being flagged as benign for us
01-20-2026 06:11 AM - edited 01-20-2026 06:12 AM
Thanks for your reply,
For the moment the alerts have stopped, and in our console it was also marked as Benign.
01-21-2026 12:39 AM
Because the Windows Store is installed on almost every Windows device, we get many incidents as well. Even after the verdict was changed back to benign, we still receive multiple alerts from machines which did not retrieve the latest verdict yet. The same thing happened last week with similar files. Are there plans for a solution which prevents these Windows Store executable false positives from popping up in the first place?
01-21-2026 02:41 AM
Add the specific file hash to the Allow List in the Cortex XDR console. This will permit the file to run regardless of the WildFire verdict.
1. Navigate to Incident Response > Action Center > Allow List.
2. Click + New Action and enter the SHA256 hash for StoreDesktopExtension.exe.

