StoreDesktopExtension.exe - As Malicious


L4 Transporter

Hi,

 

Recently I have been receiving a lot of alerts related to StoreDesktopExtension.exe; this is usually a legitimate Microsoft Store component.

Anyone with the same issue?

If this post answers your question, please mark it as the solution.




Best regards
Tiago Marques

Accepted Solutions

L4 Transporter

Support information:

 

Probable root cause:
I would like to inform you that I checked the hash in our WildFire portal, and would like to inform you that initially the file had a local verdict of malware, due to which a local analysis alert got triggered.

Currently, the file is classified as benign, and therefore it's a legitimate application, and we can consider the alerts to be false positives.

As the verdict is globally flagged as a benign file, once the verdict is updated on your endpoints, the alerts will be stopped.

If you are still receiving the alerts, please restart the agent services by running the following commands:
- Open the command prompt with administrative privileges
- Navigate to C:\Program Files\Palo Alto Networks\Traps
- Run the below command to stop the agent services
#cytool runtime stop
- Run the below command to start the agent services
#cytool runtime start

Best regards
Tiago Marques


L0 Member

We are having the same issue this morning within the last hour.  Thank you for the solution provided.

 

-Adam

L0 Member

I've had 10 hosts with this alert since yesterday. Most came overnight. It's also flagging sihost.exe on 1 host but associating it with the same alert.

 

StoreDesktopExtension.exe

adee0ec3096b4778f6a5951647371f3ff67b8fa0d96c37fb795bcfcfe0e1154e

 

sihost.exe

1e115ef87c00e685f8e7b1b184eb9fa3470a0ec75b678a70d3d2d3cbfde3dcb7
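
A check an analyst might run on an affected host before closing these alerts as false positives, added here as an example and not part of the thread or of vendor guidance: it hashes the flagged file, compares it with the SHA-256 values quoted in the post above, and reports the Authenticode signature status. The -Path parameter is an assumption; supply the file paths shown in your own alert details.

```powershell
# Added example (not from the thread or from Palo Alto Networks).
param(
    # Assumption: full paths of the flagged files, copied from your alert details.
    [Parameter(Mandatory)] [string[]] $Path
)

# SHA-256 values quoted in the post above, keyed by the file name the poster gave.
$ReportedHashes = @{
    'StoreDesktopExtension.exe' = 'adee0ec3096b4778f6a5951647371f3ff67b8fa0d96c37fb795bcfcfe0e1154e'
    'sihost.exe'                = '1e115ef87c00e685f8e7b1b184eb9fa3470a0ec75b678a70d3d2d3cbfde3dcb7'
}

foreach ($p in $Path) {
    $file = Get-Item -LiteralPath $p -ErrorAction Stop

    # Hash of the file actually on disk, lower-cased to match the thread's format.
    $sha = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLower()

    # Signature status; 'Valid' means the signature verified and chains to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Hashtable lookup is case-insensitive; $null when the file name is not in the list.
    $expected = $ReportedHashes[$file.Name]

    [pscustomobject]@{
        File          = $file.FullName
        Sha256        = $sha
        MatchesThread = ($null -ne $expected -and $sha -eq $expected)
        SignatureOk   = ($sig.Status -eq 'Valid')
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}
```

A row where MatchesThread is False is a different build or a different file from the ones discussed here, and a row where SignatureOk is False deserves investigation regardless of the verdict change described in this thread.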

Same situation on my side... support says it is a false positive.

Best regards
Tiago Marques

L0 Member

I have been having this problem since yesterday night, and even though the processes are showing as benign, the alerts are not stopping. Do we need to manually add the hash to the allow list to stop the alerts?

L0 Member

We have more than 100 hosts getting the same alert; running this command on all hosts will be difficult. Can we exclude this alert?

 

When devices start updating the WF and tenant information again, the alerts will be closed automatically.

Best regards
Tiago Marques

In my case, I closed all issues as false positives and entered the command (information given by support).
But you can add the hash to the allowlist and the alerts close... or force the health check on the devices, so the devices connect to the tenant again, update their information, and start closing the issues... At least that is what support told us.

 

Best regards
Tiago Marques