- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-08-2026 03:54 AM
Hi @J.Huchtktter ,
I checked the wildfire portal for that hash and noticed the behavioral summary is older than the latest verdict status change.
When the Behavioral summary shows an older date (July 7) but the Verdict status says Updated on a newer date (July 8), it usually means the sandbox didn't actually re-run the file. Instead, Palo Alto Networks' threat intelligence backend updated a global detection rule or flag on July 8 that retroactively applied to the behaviors recorded during that original July 7 session.
Essentially, a backend heuristic rule change overnight made WildFire look back at that specific July 7 behavior and decide, "Wait, we now classify that pattern as malware."
Because this is a core Microsoft Edge file, it confirms that a newly deployed backend rule is being overly aggressive and has caused a global false positive.
Please submit an Incorrect Verdict / False Positive appeal through the WildFire portal. When the research team looks at the submission, they will see that the newly updated rule accidentally snagged a signed Microsoft component and they will manually roll back/fix the signature.
In the meantime, you can whitelist or create an exception for this specific hash in XSIAM to keep your users from running into browser issues.
Hope this helps,