Microsoft Defender Detection Names: What They Mean and What to Do

Daniel Zimmermann
Microsoft Defender detection names guide for alert triage, false-positive checks, quarantine, and cleanup decisions.

Microsoft Defender detection names can look cryptic, but they follow a pattern. A name such as Trojan:Win32/Kepavll!rfn tells you the detection type, platform, family, and sometimes an internal Microsoft suffix. The name alone does not prove whether your specific file is a false positive or a real infection. The file path, source, signature, Defender status, and repeat behavior matter more.

If the screen is not a malware detection but a Microsoft identity prompt, verify the application context before approving it. We have a separate guide for the Microsoft Defender Platform cab96880 sign-in prompt, including Entra log checks and phishing red flags.

For a PowerShell-specific example, see our Trojan:PowerShell/Barys removal guide, which focuses on quarantine, exclusions, scheduled tasks, and repeated Defender alerts. If the exact alert says Trojan:Win32/MpTamperSrvDisableAV.H, treat it as a Defender-tampering case and check exclusions, services, and repeat detections before clearing history.

This reference explains how to read Defender names and links to Gridinsoft guides for common detections. If the alert is PUA:Win32/Softcnapp, start with the false-positive versus removal checks before allowing the file.

For exact Trojan:Win32 alerts with current cleanup guidance, see Trojan:Win32/Wacatac.H!ml, Trojan:Win32/Leonem, and Trojan:Win32/Casdet!rfn.

If you clicked Allow by mistake instead of quarantining a threat, use our guide to undo an allowed threat in Windows Defender before clearing history or restoring files.

If Protection History says Remediation incomplete, Status: Failed, Quarantine failed, or Threat abandoned, treat it as a status to verify, not as automatic proof that the PC is still infected. Copy the detection name, affected path, action status, and date first; then check whether the original PDF, archive, download, or cache item still exists and whether the alert returns after a full scan.

If the alert is Trojan:Win32/Etset!rfn, use the Etset Defender removal and false-positive checklist before restoring the file or adding an exclusion.

How Microsoft Defender names detections

Microsoft says its malware and unwanted software names follow the CARO naming scheme. In a typical Defender name, the part before the colon is the type, the part after the colon is the platform, the part after the slash is the family, and a suffix beginning with ! is an internal Microsoft indicator.

Example: Trojan:Win32/Kepavll!rfn
  Type: Trojan means Defender believes the file behaves like a trojan or is part of a trojan-related family.
  Platform: Win32 is the Windows platform label; Microsoft uses it for most Windows detections, including on 64-bit and current Windows versions.
  Family: Kepavll, Malgent, Vigorf, Snackarcin, or another family/label Microsoft uses internally.
  Suffix: !ml, !MSR, !rfn, !aml, and similar suffixes are internal indicators. Treat them as context, not as a complete diagnosis.
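As an added worked example (not code from the original article or from Gridinsoft), the PowerShell function below splits a detection name into those parts. It assumes Microsoft's documented Type:Platform/Family.Variant!Suffix layout, so it also separates a variant letter (the ".A" in Caynamer.A!ml) that the list above folds into the family; the function name and the sample names fed to it are constructed for this example.

```powershell
# Added example, not code from the original article or from Gridinsoft.
# Splits a Defender detection name into its CARO-style parts. Microsoft's
# documented layout is Type:Platform/Family.Variant!Suffix; the Variant letter
# (e.g. the ".A" in Caynamer.A!ml) is split out here as a refinement.
function ConvertFrom-DefenderDetectionName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    process {
        $pattern = '^(?<Type>[^:]+):(?<Platform>[^/]+)/(?<Family>[^.!]+)(?:\.(?<Variant>[^!]+))?(?:!(?<Suffix>.+))?$'
        if ($Name -match $pattern) {
            [PSCustomObject]@{
                Name     = $Name
                Type     = $Matches.Type        # Trojan, PUA, HackTool, Behavior, ...
                Platform = $Matches.Platform    # Win32, Win64, MSIL, Script, JS, PowerShell
                Family   = $Matches.Family      # Kepavll, Wacatac, Snackarcin, ...
                Variant  = $Matches.Variant     # $null when the name has no ".X" part
                Suffix   = $Matches.Suffix      # ml, rfn, MSR, MTB, dha; $null when absent
            }
        }
        else {
            # Anything that does not fit Type:Platform/Family is not a name
            # you should be reasoning about with this scheme.
            Write-Warning "Not a Type:Platform/Family detection name: $Name"
        }
    }
}

# Constructed sample names, using families discussed on this page.
'Trojan:Win32/Kepavll!rfn',
'Trojan:Win32/Wacatac.H!ml',
'Trojan:Win32/Vigorf.A',
'PUADlManager:Win32/Snackarcin',
'Backdoor:Win64/RogueDaemon.LTSN!MTB' |
    ConvertFrom-DefenderDetectionName | Format-Table -AutoSize
```

The output gives you the type and family as separate columns, which is what you need when picking a guide by family or by suffix; it tells you nothing about whether your specific file is a false positive, which still depends on path, source, signature and repeat behavior.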

Microsoft documents the Defender naming scheme and Protection History status wording; the compact References section lists the official pages used here.

False positive or real malware?

Use this decision table before restoring, deleting, or ignoring a Defender alert.

Situation | Risk level | What to do
The file came from a crack, keygen, repack, torrent, fake update, unknown Discord/Telegram link, or random archive. | High | Keep it quarantined, delete the source download, run a full scan, and check persistence.
The file is in Downloads, Temp, AppData, browser cache, or a user profile folder. | Medium to high | Verify the exact path and scan the file before trusting it.
The file belongs to a known signed vendor app, driver, developer tool, or hardware utility. | Ambiguous | Check the digital signature, hash, vendor advisory, and whether Microsoft has updated definitions.
Defender says Remediation incomplete, the alert returns after reboot, or more detections appear. | High | Run Defender Offline, MSERT/Safety Scanner, and check startup entries, services, scheduled tasks, and browser extensions.
Only one scanner flags a clean, signed, reproducible file from the official vendor. | Possible false positive | Submit the file to Microsoft and wait for a definition update before restoring it.

What Defender remediation statuses mean

Protection History can show several statuses for the same detection, especially when the affected item was inside a PDF, archive, browser cache, email attachment, or download that changed while Defender was acting on it. Use the status as a triage signal and confirm it against the affected path and repeat behavior.

Status in Protection History | What it usually means | What to do next
Threat quarantined | Defender blocked the item and moved it into quarantine so it cannot run normally. | Do not restore it unless you have verified the file source, signature, and false-positive context. Delete the original download or attachment if it is untrusted.
Threat blocked or Threat removed | Defender says it stopped or removed the detected item. | Check how the file arrived, run a full scan, and watch for the same alert returning after reboot or after opening the same archive, PDF, or browser page again.
Remediation incomplete or Status: Failed | Defender tried to finish cleanup but could not complete every step, or the item changed/disappeared before the final action was recorded. | Find the affected path. If the source file still exists, delete it when untrusted. Update Defender, run a full scan, and use Defender Offline or Safety Scanner if the alert returns.
Quarantine failed | Defender could not place the item into quarantine. This can happen when the file is locked, inside an archive, already deleted, or no longer at the recorded path. | Check whether the file still exists. If it does, do not open it; delete the source or scan it from a clean state. If it is gone and scans are clean, keep monitoring instead of clearing history immediately.
Threat abandoned | The cleanup attempt was abandoned, often because the target file was no longer available or another Defender action already handled it. | Treat this as ambiguous until you confirm the path, run a full scan, and verify that the alert does not return. Escalate if there are new detections, startup entries, browser changes, or account symptoms.

Do not clear Protection History just to make the warning disappear. Clearing history can remove useful evidence before you know the detection name, affected item, and action result.

If Start actions does nothing or Remove will not open

When Windows Security says Threats found but Start actions, Remove, or the action menu does not open, do not erase Protection History first. Record anything still visible: detection name, affected item path, action status, date, and whether the same warning returns after a reboot. If the card is blank or incomplete, check Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational for the matching timestamp.

Use this order before deciding the PC needs a reset: update Defender protection intelligence, reboot once, run a full scan, then run Microsoft Defender Offline if the same alert returns or the affected file still exists. If Windows Security says no current threats but keeps showing old notifications, use the clean-scan popup checklist to separate stale history from a recurring detection. If you accidentally allowed the item, follow the allowed-threat undo steps instead of clearing the event.

If the stuck action followed a crack, fake installer, email attachment, browser download, or a file that already ran, the visible Defender card may not be the only cleanup point. A loader, scheduled task, service, browser change, or bundled module can recreate the alert after Defender handles the first file. After saving the Defender details and running the Microsoft checks above, use Gridinsoft Anti-Malware to look for hidden files, startup entries, scheduled tasks, browser changes, and persistence.

Safe response workflow

  1. Open Windows Security > Virus & threat protection > Protection history.
  2. Copy the exact detection name, affected file path, action status, and date.
  3. Do not restore the file until you know where it came from.
  4. If the affected item is an untrusted PDF, archive, installer, email attachment, or browser download and it still exists, delete the original source file before restoring or allowing anything.
  5. Run a Microsoft Defender full scan. If the alert returns, or if Protection History still says remediation failed for a file that still exists, run Microsoft Defender Offline or Microsoft Safety Scanner.
  6. Check persistence points: Startup apps, Task Scheduler, Services, browser extensions, and suspicious folders under AppData and Temp.
  7. Use Gridinsoft Anti-Malware as a second-opinion scan when the file source, path, or Defender status is suspicious.
  8. If you executed a crack, keygen, fake installer, or stealer, change important passwords from a clean device.
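Steps 1, 2, 5 and 6 of this checklist, together with the Event Viewer check from the stuck-action section, can be scripted so the evidence is saved before anything is restored, allowed or cleared. The PowerShell below is an added example, not code from the original article or from Gridinsoft: the function names are ours, it assumes the built-in Defender module cmdlets (Get-MpThreat, Get-MpThreatDetection, Get-MpPreference) and the Microsoft-Windows-Windows Defender/Operational log, and it assumes Defender records affected items in the Resources field as file:_<path> strings. Run it in an elevated PowerShell on the affected PC; it only collects and never changes Defender state or touches the file.

```powershell
# Added example, not code from the original article or from Gridinsoft.
# Collects the Defender evidence the checklist says to save: detection name,
# affected path, action result, date, matching Operational-log events,
# exclusions and the usual persistence points. Read-only; run elevated.

function Get-DefenderAffectedPath {
    # Assumption: Resources entries look like "file:_C:\Users\me\Downloads\x.exe"
    # (or "containerfile:_..." for archives); keep only the path part.
    param([string[]]$Resources)
    foreach ($r in $Resources) {
        if ($r -match '^(?:container)?file:_(.+)$') { $Matches[1] }
    }
}

function Get-PathRiskHint {
    # Mirrors the decision table: user-writable folders are the medium-to-high
    # row; anything else still needs source, signature and vendor context.
    param([string]$Path)
    if ($Path -match '\\(Downloads|Temp|AppData|INetCache)\\') {
        'Medium to high: verify the exact path and scan before trusting'
    } else {
        'Ambiguous: check source, signature, hash and vendor advisory'
    }
}

function Get-DefenderTriageReport {
    [CmdletBinding()]
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 1. Name, affected item, action result and date from Defender itself.
    $threats = @{}
    Get-MpThreat | ForEach-Object { $threats[$_.ThreatID] = $_ }
    $detections = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $det = $_
            foreach ($path in Get-DefenderAffectedPath $det.Resources) {
                $exists = Test-Path -LiteralPath $path
                $sig  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
                $hash = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'n/a' }
                [PSCustomObject]@{
                    Detected      = $det.InitialDetectionTime
                    Name          = $threats[$det.ThreatID].ThreatName
                    Path          = $path
                    ActionSuccess = $det.ActionSuccess
                    StillExists   = $exists
                    Signature     = $sig      # Valid, NotSigned, HashMismatch, ...
                    Sha256        = $hash     # what you submit to Microsoft for review
                    RiskHint      = Get-PathRiskHint $path
                }
            }
        }

    # 2. Operational-log entries to match by timestamp when the card is blank:
    #    1116 = detected, 1117 = action taken, 1118 = action failed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 1118
        StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    # 3. Exclusions: a loader that excluded its own folder defeats the next scan.
    $pref = Get-MpPreference
    $exclusions = (@($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) |
        Where-Object { $_ }

    # 4. Persistence points from step 6: tasks, startup entries, services.
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath, @{ n = 'Execute'; e = { $_.Actions.Execute -join '; ' } }
    $startup  = Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '\\AppData\\|\\Temp\\' } |
        Select-Object Name, State, PathName

    [PSCustomObject]@{
        Detections  = @($detections)
        Events      = @($events)
        Exclusions  = @($exclusions)
        Tasks       = @($tasks)
        Startup     = @($startup)
        Services    = @($services)
        RealtimeOff = $pref.DisableRealtimeMonitoring   # $true is itself a tampering signal
    }
}

# Save the evidence before clearing Protection History or deciding on the file.
$report = Get-DefenderTriageReport -Days 14
$report.Detections | Format-Table -AutoSize
$report | ConvertTo-Json -Depth 4 |
    Set-Content -LiteralPath "$env:USERPROFILE\Desktop\defender-triage.json"
```

The JSON file on the desktop is the record to keep before clearing history. A Signature of Valid still only lands you in the table's Ambiguous row (check the vendor advisory and whether definitions were updated), an ActionSuccess of False for a path that StillExists is the Remediation incomplete case, and any entry in Exclusions or a RealtimeOff of True that you did not set yourself is a reason to treat the alert as Defender tampering rather than a stale record.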

If your exact label is not in the table yet, treat the family name as a route, not as the whole verdict. For labels such as Trojan:Win32/Etset!rfn, Trojan:Win32/Egairtigado!rfn, or Trojan:Win32/Caynamer.A!ml, use the same checklist: save the affected path, source, Defender status, and repeat behavior, then choose the closest guide by behavior or suffix when there is no dedicated guide.

Common Microsoft Defender detection guides

Detection | Typical intent | Guide
Trojan:Script/Conteban.A!ml | Script/archive alert, false positive check, and safe quarantine workflow | Conteban.A!ml guide
Trojan:Win32/Skeeyah.A!rfn | Browser-cache, download, and quarantine decision workflow | Skeeyah.A!rfn guide
Trojan:MSIL/Heracles | .NET/MSIL variant alert, false-positive review, and recurrence cleanup | Heracles guide
Trojan:Win32/Cerdigent.A!dha | DigiCert/rootcert false positive vs real file detection | Cerdigent.A!dha guide
Trojan:Win32/Kepavll!rfn | False positive vs game/mod/crack risk | Kepavll!rfn guide
Trojan:Win32/Vigorf.A | WinRing0, OpenRGB, FanControl, vulnerable driver context | Vigorf.A guide
Trojan:Win32/Agent | Generic trojan detection workflow | Trojan:Win32/Agent guide
Trojan:Win32/JScealTaskExec | PowerShell, scheduled-task, and Defender-exclusion persistence checks | JScealTaskExec guide
Trojan:Win32/PowExcScr.HB!MTB | PowerShell exclusion attempts, Startup .scr files, and repeat alerts | PowExcScr.HB!MTB guide
Trojan:Win32/MpTamperSrvDisableAV.H | Defender service tampering after cracks, scripts, fake optimizers, or loaders | MpTamperSrvDisableAV.H guide
Trojan:PowerShell/Asyncrat!rfn | Obfuscated PowerShell loader and remote-access trojan risk | Asyncrat!rfn guide
Trojan:Win32/Ravartar!rfn | Outlook attachment, cache, download, and quarantine decision workflow | Ravartar!rfn guide
Trojan:Win32/VMProtect | Packed or protected executable checks before restoring a file | VMProtect guide
Trojan:Win32/Acll | Generic Acll/Acll!rfn alert triage and removal checks | Acll guide
Trojan:Win32/Sfone!pz | External drive, Recycle Bin, and removable-media cleanup decisions | Sfone!pz guide
Trojan:Win32/WinLNK.CLL!MTB | Recovery package or shortcut-style alert triage before deleting or restoring files | WinLNK.CLL!MTB guide
Trojan:Win32/Vundo.gen!D | Vundo/Virtumonde-style browser hijacking, fake pop-ups, and generic detection context | Vundo.gen!D guide
Trojan:Win32/Wacatac | Severe alert, false positive check, removal | Wacatac guide
Trojan:Win32/Malgent!MSR | Backdoor/credential theft risk, false positive check | Malgent!MSR guide
Trojan:Win32/Tnega!MSR | Removal and stale Protection history | Tnega!MSR guide
Trojan:PowerShell/AgentTesla.SHD!MTB | PowerShell-based trojan/stealer risk after fake installers or scripts | AgentTesla.SHD!MTB guide
PUADlManager:Win32/Snackarcin | Potentially unwanted downloader/bundled installer | Snackarcin guide
PUADlManager:Win32/OfferCore | Bundleware, adware, fake download installers | OfferCore guide
PUADlManager:Win32/OnePlatform | Potentially unwanted download manager or bundled installer | OnePlatform guide
HackTool:Win32/Crack | Cracks, activators, patched installers | HackTool:Win32/Crack guide
HackTool:Win64/GameHack!rfn | Game cheats, trainers, patched game files, and risky cheat loaders | GameHack!rfn guide
Trojan:Win32/Patched | Patched EXE/DLL files or modified Windows components | Trojan:Win32/Patched guide
HackTool:Win32/Keygen | Key generators, license-bypass tools, and common malware bundles | HackTool:Win32/Keygen guide
HackTool:Win32/AutoKMS | KMS activators and fake Windows/Office activation tools | HackTool:Win32/AutoKMS guide
PUABundler:Win32/PiriformBundler | Optional offers and unwanted bundled software | PiriformBundler guide

If the alert is Backdoor:Win64/RogueDaemon.LTSN!MTB after a DAEMON Tools Lite install, use the dedicated RogueDaemon and DAEMON Tools cleanup guide before deciding that the detection is only a false positive.

When to use Gridinsoft Anti-Malware

Use Gridinsoft Anti-Malware when Defender reports a file from an unsafe source, when the detection returns after reboot, when you see browser hijacking or unwanted apps, or when you executed the file before Defender quarantined it. A second-opinion scan is especially useful for bundled installers, cracks, fake updates, and suspicious files under AppData, Temp, or browser cache folders.

Related context: Microsoft later described Fox Tempest’s signed-malware service, a reminder that a valid-looking signature does not make a suspicious download safe.

Related HackTool alert: If Defender names a Netcat-style tool rather than a Trojan family, see our HackTool:Win32/NetCat guide for the nc.exe/nc64.exe false-positive and cleanup decision path.

Related HackTool label: Some Defender alerts point to remote-admin capability rather than a named Trojan family. Our HackTool:Win32/RemoteAdmin!MSR guide explains how to decide whether the alert is an expected admin tool or unwanted remote access.

For a rootkit-family example, see our Trojan:Win64/Rootkit!MTB guide, which explains how the affected path, driver signature, and quarantine status change the cleanup decision.

If Windows Security reports a clean scan while threat banners keep returning, use our Windows Defender no-threats popup checklist before clearing history or disabling notifications.

FAQ

Is my PC safe if Defender says Remediation incomplete but no current threats?

It may be safe, but do not decide from the green dashboard alone. Check the affected path, whether the source file still exists, and whether a full scan or reboot brings the alert back. If the detection came from a file you opened or executed, also check persistence points and important account sessions.

What should I do if quarantine failed but the file disappeared?

Record the detection name and path, then search for the original download, PDF, archive, or cache item. If it is gone and Defender full scan, Defender Offline, or Safety Scanner stays clean, the failed status may be stale history. If the same path or alert returns, treat it as active cleanup work.

Should I clear Protection History to remove the warning?

Clear history only after you have copied the detection name, path, status, and date and confirmed that scans stay clean. Clearing history can hide the evidence you need to decide whether the warning was a stale record, an archive/cache issue, or an unfinished cleanup.

If Defender shows a named alert, read the exact detection guide before allowing, restoring, or deleting the file. Start with the detection type, then check the file source, signature, path, and whether remediation is complete.

Related behavior detection: If Defender reports script-style persistence, compare it with Behavior:Win32/Interhta.Int and check Task Scheduler, Startup Apps, browser extensions, and mshta/script activity.

If you ran Microsoft Safety Scanner and saw infected files during the scan but a clean final result, review why the Safety Scanner counter can differ from the final result before restoring or deleting files based only on the live scan number.

Downloader-family example: TrojanDownloader:JS/Nemucod is a good case where the Defender name matters, but the affected path decides whether you are handling an active script, an archive, or a cache-only detection.

For a recent exact-name example, Trojan:JS/Obfuse.NF!MTB shows why the affected item and command line matter as much as the Defender family name.

For JavaScript browser-cache detections, the exact name matters: Trojan:JS/Cryxos.ASI!MTB points readers toward Cryxos scam-popup behavior, cache cleanup, extension checks, and follow-up scans.

References

  1. Microsoft. “Microsoft malware naming scheme.” Microsoft Learn, accessed June 3, 2026. https://learn.microsoft.com/en-us/unified-secops/malware-naming
  2. Microsoft. “Find Microsoft Defender for Endpoint malware detection names.” Microsoft Learn, accessed June 3, 2026. https://learn.microsoft.com/en-us/defender-endpoint/find-defender-malware-name
  3. Microsoft Support. “Protection History.” Microsoft Support, accessed June 3, 2026. https://support.microsoft.com/en-gb/windows/protection-history-f1e5fd95-09b4-46d1-b8c7-1059a1e09708
  4. Microsoft Support. “Troubleshoot problems with detecting and removing malware.” Microsoft Support, accessed June 3, 2026. https://support.microsoft.com/en-us/defender/troubleshoot-problems-with-detecting-and-removing-malware

Microsoft Defender detection guides

VMProtect detection note: If Defender reports Trojan:Win32/VMProtect, use our VMProtect alert and false-positive checklist before restoring, excluding, or deleting the file.

Ravartar detection note: If Microsoft Defender reports Trojan:Win32/Ravartar!rfn, use our Ravartar alert and Outlook attachment cleanup guide before restoring, excluding, or deleting the file.

With a strong background in consumer safety and fraud prevention, Daniel specializes in providing actionable tips and advice to users. His focus is on helping individuals understand the risks of interacting with fraudulent sites and services.