Msedge_proxy detected using sihost.exe tag as Behavioral threat "process spoofing" bu our cortex XDR

Copper Contributor


We recently identified (Monday, October 3, 2022) that there was being flagged as a high behavioral threat by our endpoint protection (Cortex XDR) on multiple computers across our organization; upon checking the incident case, All of them are being executed by msedge_proxy.exe which chains its command to sihost.exe. I want to know if this is a false positive and if it's normal or a bug. Please see the details I can provide below:


Cortex Info:


Alert Name: Behavioral Threat

Source: XDR Agent

Category: Malware

Module: Behavioral Threat Protection

Severity: High

Description: Behavioral threat detected (rule: parent_process_spoofing) 

Action: Detected (Reported)




Process Information:

Command Line : "c:\program files (x86)\microsoft\edge\application\msedge_proxy.exe" --notification-launch-id=0|1|default|0||n#
Original Command Line
 : "C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe" --notification-launch-id=0|1|Default|0||n#
File Name
 : msedge_proxy
 : microsoft edge
 : microsoft corporation
 : copyright microsoft corporation. all rights reserved.
Original Name
 : msedge_proxy.exe
Signature Status
 : Signed
Singature Details
 : Valid
 : Microsoft Corporation
Loaded From TxF
 : 0
Parent PID
 : 15176
Image Path
 : c:\program files (x86)\microsoft\edge\application\msedge_proxy.exe
Image SHA256
 : 89e4d5d11099e0667541e78977444ebe5d41e536f8c23403957d7da3be634f1f
Image MD5
 : 131707b12b97b5a0e810dd7a0d4038dc
Effective SID
 : S-1-5-21-584199959-4099986459-2772195892-1168
From Remote Session
 : 0
Parent Thread ID
 : 4294967295
StartupInfo Parent PID
 : 9276
OS Parent PID
 : 9940


This is one of the computers reporting we detecting all triggering the endpoint with the msedge_proxy.








2 Replies

@lecksbush25 We are also seeing this issue in our Cortex tenant on a few computers. Any updates or additional information on this one?

We've also encountered a similar form of issue. I'd recommend looking closely at content version of the machine at the time of alert.

Palo Alto Support: "I would like to inform you that, these are False positives and also there is a fix release on the content update 710-19689. From the logs I can see that you are in content update 710-19496 that is why you are getting these alerts."