Cortex XDR doesn't like Enhanced applets

Our company has deployed a new malware protection scheme.

Every time I try to run an enhanced applet I get a message like the one below.

I’ve reported this to the administrators and they’re trying to make a local exception but there seems to be something about enhanced apps that Cortex XDR finds suspect.

Exact same app as an Apple applet runs just fine.

→ Script Debugger 8.0.5 (8A61)
→ MacOS 12.6.4

Prevention ID: c1348780-39b0-4b21-bdf4-c33f79abe69a
Machine name: CT-FVFH4218Q6L5
OS Name: OS X 12.6.4
OS Version: 12.6.4
Cortex XDR version: 8.0.1.2254
Dump path:
Content Version: 920-51196
Mode: Terminate
Module name: WildFire
Date: 5/3/23, 3:33:02 PM
Verdict: Grayware
Source Process ID: 3596
Source Process Command-Line: /Users/estockly/Production/Business MarketRoundup-2023-03-23/Business Graphics Apps and AppleScripts/ Business Market Roundup and Dow Chart.app/Contents/MacOS/FancyDropletFat
Source User Name: estockly

Is it Sparkle or are you loading a web page using the script? I have a few large companies with Palo Alto Networks software running. The domain being used for either could trigger it if not added to their list of known domains.

I do not have or use Sparkle.

I do have some enhanced applets that do not trigger Cortex XDR.

Is there any documentation describing what would cause the Grayware verdict?

Apparently it doesn’t like this file: FancyDropletFat

I’m getting alerts and they’re getting concerned.

Update: XDR flagged 17 apps on my company-issued Mac as malware. It prevents me from using those apps. I have converted the ones I still use to Apple applets, which do not get flagged, and deleted the rest.

One app that was flagged was an old version of Script Geek. The new version (2.02) was not flagged. In that case it seems the exec file was also the issue.