Trojan:Win32/Malgent!MSR, !MTB, !MBT, !AMTB Removal

Brendan Smith - Cybersecurity Analyst
Figure: Malgent alert poster showing truesight.sys blocked for cleanup.

Trojan:Win32/Malgent!MSR, Trojan:Win32/Malgent!MTB, Trojan:Win32/Malgent!MBT, Trojan:Win32/Malgent!AMTB, and HackTool:Win64/Malgent!MSR are Microsoft Defender detections that should be treated as real compromise warnings until proven otherwise. The Trojan labels point to malware behavior such as backdoor access, credential theft, or additional payload delivery, while the HackTool label can appear when Defender sees driver/tool behavior that attackers can use to disable protection. A browser-cache hit, a known admin tool such as FRST64.exe, or a recently fixed vendor false positive may need a careful check, but a suspicious archive, compromised account, truesight.sys driver alert, or repeated detection should stay blocked while you verify the source.

What should you do about Malgent!MSR, !MTB, !MBT, or !AMTB?

  • Keep the item quarantined or removed. Do not allow or restore the file just because the suffix is !MTB, !MBT, or !AMTB.
  • Disconnect from the network if the file ran or Defender reports remediation incomplete.
  • For browser-cache alerts, clear the affected browser cache after quarantine and rescan before restoring anything.
  • For known tools such as FRST64.exe, verify the download source and submit the file for review before allowing it.
  • For truesight.sys alerts, treat the driver as high risk until you confirm it belongs to a current, trusted tool and is not loaded as an AV/EDR killer.
  • Check persistence: startup entries, scheduled tasks, services, drivers, AppData/Temp files, and unusual DLLs.
  • Change passwords from a clean device if you opened the suspicious file or saw remote-control symptoms.
Detections: Trojan:Win32/Malgent!MSR, Trojan:Win32/Malgent!MTB, Trojan:Win32/Malgent!MBT, Trojan:Win32/Malgent!AMTB, HackTool:Win64/Malgent!MSR
Detected by: Microsoft Defender Antivirus
Risk: Backdoor activity, credential theft, additional payloads, driver/tool abuse
Common user symptom: Defender finds the threat, but quarantine or removal does not finish cleanly
Common false-positive lane: Browser cache files, diagnostic tools such as FRST64.exe, official Tor Browser or another trusted app after a security-intelligence update, or an older trusted utility that should be verified before restore
Best first action: Quarantine, disconnect if executed, scan fully, then check services and drivers
Figure: Decision map for handling Malgent alerts, driver findings, startup checks, and password changes.

What is Trojan:Win32/Malgent?

Microsoft Security Intelligence describes Malgent as an adaptable Trojan commonly delivered through social engineering or tampered software. Recent Microsoft notes mention weaponized versions of legitimate open-source tools and DLL sideloading, where a trusted-looking app loads a malicious DLL placed beside it.

The suffix, such as !MSR, !MTB, !MBT, or !AMTB, is part of Microsoft Defender detection naming and does not make the alert safe by itself. The file path and how the file arrived matter: unsolicited ZIP files, cracked installers, fake job documents, browser-cache objects, Tor/update folders, or tools from messaging apps all require different handling.

If Defender shows Malgent!MTB, !MBT, or !AMTB

Trojan:Win32/Malgent!MTB, Trojan:Win32/Malgent!MBT, and Trojan:Win32/Malgent!AMTB are Malgent-family Defender signatures. The suffix changes the exact signature Microsoft used, not the user workflow: keep the item blocked, record the affected path, check the source of the file, update Defender security intelligence, and scan the whole system before restoring anything.

Tor Browser, browser cache, or trusted app update: Update Defender, confirm the app came from the official source, clear the cache when the affected item is temporary browser data, and rescan. Restore only if the vendor or Microsoft clears the exact file.
Archive, crack, tool, or unknown download: Treat the alert as real. Do not run the file again, remove the package, check recent downloads and startup locations, and change passwords from a clean device if it executed.
Alert returns after removal: Look for the installer, scheduled task, service, browser profile item, or companion payload that recreates the detection. This is the point where a full Gridinsoft scan is more useful than repeatedly pressing Remove in Defender.

If you are comparing multiple Defender labels, use the Microsoft Defender detection-name guide to read the family, platform, suffix, and status together instead of treating one suffix as automatically safer than another.

HackTool:Win64/Malgent!MSR and truesight.sys

HackTool:Win64/Malgent!MSR is the Defender label for Malgent-family hacktool behavior. If the alert names C:\Windows\System32\drivers\truesight.sys, do not assume the file is safe because the name looks like a driver. truesight.sys is the anti-rootkit driver shipped with Adlice's RogueKiller, and the Check Point research covered in reference 3 documented a campaign that loaded more than 2,500 variants of an old, vulnerable build of that driver, each with a different file hash but an intact signature, to terminate security products and deploy a remote access trojan. A recognizable publisher and a valid signature therefore do not settle the question on their own; the version, the install source, and whether you knowingly installed the parent tool do.

A legitimate driver should have a clear publisher, expected install source, current version, and a normal service entry. A suspicious case usually has one or more of these signs: the file appeared after a cracked tool or unknown installer, Defender reports it repeatedly, removal fails because the driver is loaded, the signature/version looks old or unusual, or security tools stop working around the same time.

Likely legitimate: You intentionally installed a current trusted security tool, the publisher/signature matches, and Defender stops alerting after updates.
Likely unsafe: The driver appears in System32\drivers without a known install source, returns after quarantine, or coincides with disabled security tools.
Do not: Manually restore the driver or delete random driver files before recording the exact path, detection name, and service details.

When users report that Defender detects truesight.sys but a second scanner does not, the practical question is not “which scanner is always right?” It is whether the driver is expected on this PC, current, signed by the right publisher, and tied to software the user knowingly installed. If any of those checks fail, handle it as a removal case rather than a simple false positive.

For the vulnerable-driver angle, compare this case with the WinRing0x64.sys driver guide and the Vigorf/FanControl false-positive guide: those pages show when a driver-backed tool is expected, signed, and current versus when it becomes a persistence or protection-bypass warning. If the Malgent alert followed a crack, KMS activator, or license-bypass tool, use the HackTool:Win32/Crack guide before restoring anything.
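The checks the two sections above ask for (publisher, signature, version age, a matching service entry, whether it is loaded, and whether any installed program explains it) can be collected in one pass. The following PowerShell is an added example, not Microsoft's, Adlice's, or Gridinsoft's code. The default path is the one the alert usually names; the 30-day "recently appeared" window, the first-word publisher match against the Uninstall registry keys, and the 29 July 2015 signing-certificate cut-off used as a red flag are this example's assumptions. Run it from an elevated PowerShell and keep the output before quarantine changes anything.

```powershell
# Added example: triage the driver file named in a HackTool:Win64/Malgent!MSR alert.
# Read-only. Run elevated so the service query and signature check see everything.
function Get-DriverTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $ver  = $file.VersionInfo

    # Kernel services store the image path as a full path, \SystemRoot\..., or
    # system32\...; matching on the file name handles all three forms.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.PathName -and $_.PathName -like "*\$($file.Name)" }

    # Does any installed program list the same publisher? This ties the driver to
    # software the user knowingly installed, or shows that nothing does.
    $uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $publisherWord = if ($ver.CompanyName) { ($ver.CompanyName -split '\s+')[0] } else { $null }
    $installed = @()
    if ($publisherWord) {
        $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                     Where-Object { $_.DisplayName -and $_.Publisher -like "*$publisherWord*" } |
                     Select-Object -ExpandProperty DisplayName
    }

    [pscustomobject]@{
        Path              = $file.FullName
        Present           = $true
        Created           = $file.CreationTime
        FileVersion       = $ver.FileVersion
        Company           = $ver.CompanyName
        Product           = $ver.ProductName
        SignatureStatus   = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer            = $sig.SignerCertificate.Subject
        CertIssued        = $sig.SignerCertificate.NotBefore
        ServiceName       = @($svc.Name) -join ','
        ServiceState      = @($svc.State) -join ','       # Running means the driver is loaded
        StartMode         = @($svc.StartMode) -join ','
        InstalledProducts = @($installed) -join '; '
        Sha256            = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash  # for vendor/Microsoft submission
    }
}

$t = Get-DriverTriage -Path 'C:\Windows\System32\drivers\truesight.sys'   # use the path from the alert
$t | Format-List

# Checklist flags. A Valid signature alone is not a pass: the campaign in reference 3
# used an old build of this very driver with its signature intact.
$flags = @()
if (-not $t.Present) {
    $flags += 'file is gone; check whether a service entry still points at it'
} else {
    if ($t.SignatureStatus -ne 'Valid')         { $flags += "signature status is $($t.SignatureStatus)" }
    if (-not $t.ServiceName)                    { $flags += 'no kernel service references this file' }
    if (-not $t.InstalledProducts)              { $flags += 'no installed program lists this publisher' }
    if ($t.Created -gt (Get-Date).AddDays(-30)) { $flags += 'file appeared within the last 30 days' }
    # Drivers whose signing certificate was issued before 29 July 2015 still load
    # without Microsoft attestation signing, which is what makes old signed
    # drivers attractive as EDR killers.
    if ($t.CertIssued -and $t.CertIssued -lt [datetime]'2015-07-29') {
        $flags += 'signing certificate predates the 2015 driver-signing cut-off'
    }
}
if ($flags) { Write-Warning ('Treat as a removal case: ' + ($flags -join '; ')) }
else        { 'No red flags from this check; still confirm the version is current with the vendor before restoring.' }
```

The Sha256 value is what to paste into a Microsoft or vendor submission; a copy of the whole Format-List output records the path, detection context, and service details the "Do not" row above asks you to capture before anything is deleted or restored.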

Could Malgent be a false positive?

False positives can happen with any antivirus, but Malgent is not a detection to casually ignore. If the file came from a trusted developer and you have a reproducible false-positive case, submit it to Microsoft and the vendor. On a normal user PC, do not restore it while waiting.

Browser cache path: Keep the item quarantined, clear the affected Chrome/Firefox cache, update Defender, and rescan. Do not restore a random cache object just to inspect it.
FRST64.exe or another repair tool: Download only from the official helper source, check the signature/hash when available, and submit the exact file if Defender is the only scanner flagging it.
Archive or account compromise: If the alert followed a ZIP/RAR extraction or social accounts were accessed, treat it as a real incident: scan, remove persistence, and rotate passwords from a clean device.

How to remove Trojan:Win32/Malgent or HackTool:Win64/Malgent

  1. Let Defender quarantine or remove the detected item, whether the suffix is !MSR, !MTB, !MBT, or !AMTB.
  2. If the file was executed, disconnect from Wi-Fi/Ethernet until scanning is complete.
  3. Update Microsoft Defender security intelligence and reboot.
  4. Run a full Defender scan. If Defender says remediation is incomplete, run Microsoft Defender Offline or boot into Safe Mode before trying removal again.
  5. For a driver alert such as truesight.sys, check whether a matching service or driver entry is still loaded. Do not restore it from quarantine.
  6. Run a full Gridinsoft Anti-Malware scan to look for the installer, loader, persistence entry, or companion payload that placed the driver or caused the repeated alert.
  7. Inspect Task Scheduler, Startup Apps, Services, Drivers, and Run registry locations.
  8. Delete suspicious files from Temp, Downloads, and AppData only after noting their names for review.
  9. Change important passwords from another clean device if credentials may have been exposed.

Defender can quarantine the visible file while the component that dropped it remains in Startup, Task Scheduler, a service entry, a browser profile, or an installer folder. Gridinsoft Anti-Malware makes this cleanup easier by checking the visible detection together with common persistence locations, hidden files, bundled apps, and related payloads before you decide the PC is clean.
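Steps 1 to 4 of the procedure above, plus the "record the path and detection name" advice from the earlier sections, as an added PowerShell example (not Microsoft's or Gridinsoft's code). It uses only the built-in Defender cmdlets (Get-MpThreat, Get-MpThreatDetection, Get-MpComputerStatus, Update-MpSignature, Start-MpScan, Start-MpWDOScan); the CSV path on the Desktop and the '*Malgent*' name filter are this example's choices. Run it elevated.

```powershell
# Added example: capture Defender's own record of the detection before you change
# the quarantine state, then update signatures and run the full scan.
function Get-MalgentEvidence {
    $threats = Get-MpThreat | Where-Object { $_.ThreatName -like '*Malgent*' }
    foreach ($threat in $threats) {
        $detections = Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $threat.ThreatID }
        foreach ($d in $detections) {
            [pscustomobject]@{
                ThreatName = $threat.ThreatName            # e.g. Trojan:Win32/Malgent!MSR
                FirstSeen  = $d.InitialDetectionTime
                LastChange = $d.LastThreatStatusChangeTime
                # ThreatStatusID (MSFT_MpThreatDetection): 3 = Quarantined, 4 = Removed,
                # 102 = QuarantineFailed, 103 = RemoveFailed. Anything >= 100 is a failed action.
                StatusID   = $d.ThreatStatusID
                Process    = $d.ProcessName                # what was running when it was caught
                Resources  = ($d.Resources -join ' | ')    # file:_C:\... and regkey:_... entries
            }
        }
    }
}

$evidence = @(Get-MalgentEvidence)
$evidence | Format-Table -AutoSize
$evidence | Export-Csv -Path "$env:USERPROFILE\Desktop\malgent-evidence.csv" -NoTypeInformation

# Step 3: signature age. A "vendor false positive fixed yesterday" explanation is only
# credible if this machine actually has yesterday's signatures.
$status = Get-MpComputerStatus
'Signatures {0} (updated {1}), engine {2}' -f $status.AntivirusSignatureVersion,
    $status.AntivirusSignatureLastUpdated, $status.AMEngineVersion
Update-MpSignature

# Step 4: if any action failed, the item is usually still loaded (a driver or service),
# so go to Defender Offline instead of pressing Remove again.
if ($evidence | Where-Object { $_.StatusID -ge 100 }) {
    Write-Warning 'A Defender action failed. Start-MpWDOScan reboots the PC into Microsoft Defender Offline.'
    if ((Read-Host 'Reboot into Defender Offline now? (y/n)') -eq 'y') { Start-MpWDOScan }
} else {
    Start-MpScan -ScanType FullScan
}
```

The Resources column is the piece most users never record: it holds the exact file or registry path Defender acted on, which is what decides between the browser-cache, known-tool, and archive lanes described earlier.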

Malgent alert keeps coming back?

Defender can quarantine the visible file, but repeated alerts may mean a loader, scheduled task, service, browser change, or bundled component is recreating it. Scan the PC before trusting the cleanup.


Persistence points to check

Startup folders: shell:startup and shell:common startup
Run keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the HKEY_LOCAL_MACHINE equivalent (including the WOW6432Node view on 64-bit Windows)
Scheduled tasks: Unknown tasks that launch from AppData, Temp, Downloads, or a cracked-tool folder
Services and drivers: Unexpected driver/service entries pointing to System32\drivers, Temp, AppData, or unsigned binaries
Suspicious DLLs: DLL files sitting beside a trusted-looking EXE from an archive (the DLL sideloading pattern Microsoft mentions for this family)
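The persistence points in the table above, enumerated in one read-only pass, as an added PowerShell example (not Gridinsoft's scanner logic and not Microsoft's code). Entries are flagged when their target lives under AppData, Temp, Downloads, or Public, or, for kernel drivers, when the file's Authenticode status is not Valid; that heuristic, the Downloads-only sideloading check, and the Desktop CSV path are this example's choices. It deletes nothing; review the flagged rows and record names before removing anything, as step 8 above says. Run elevated.

```powershell
# Added example: sweep Run keys, startup folders, scheduled tasks, services,
# drivers, and DLL-beside-EXE layouts, flagging the suspicious ones. Read-only.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                  "$env:USERPROFILE\Downloads", $env:PUBLIC)

function Test-UserWritablePath {
    param([string]$Command)
    if (-not $Command) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $userWritable) {
        if ($root -and $expanded -like "*$root*") { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param($Kind, $Name, $Target, [switch]$Flag)
    $findings.Add([pscustomobject]@{
        Kind = $Kind; Name = $Name; Target = $Target
        Suspicious = $Flag.IsPresent -or (Test-UserWritablePath $Target)
    })
}

# 1. Run keys: both hives plus the 32-bit view
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# 2. Startup folders (shell:startup and shell:common startup), resolving .lnk targets
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($item in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        Add-Finding 'StartupFolder' $item.Name $target
    }
}

# 3. Scheduled tasks: every exec action of every enabled task
foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)" }
    }
}

# 4. Services by binary path; drivers by path and Authenticode status.
#    Get-AuthenticodeSignature also consults the system catalogs, so inbox
#    drivers that are catalog-signed report Valid as well.
foreach ($s in Get-CimInstance -ClassName Win32_Service) { Add-Finding 'Service' $s.Name $s.PathName }
foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    # Normalise \??\C:\..., \SystemRoot\... and bare system32\... image paths
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot -replace '^system32\\', "$env:SystemRoot\system32\"
    $badSig = $false
    if ($path -and (Test-Path -LiteralPath $path)) {
        $badSig = (Get-AuthenticodeSignature -LiteralPath $path).Status -ne 'Valid'
    }
    Add-Finding 'Driver' $d.Name $path -Flag:$badSig
}

# 5. DLL sideloading candidates: a DLL sitting next to an EXE under Downloads
foreach ($exe in Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -Recurse -Filter *.exe -ErrorAction SilentlyContinue) {
    foreach ($dll in Get-ChildItem -LiteralPath $exe.DirectoryName -Filter *.dll -ErrorAction SilentlyContinue) {
        Add-Finding 'SideloadCandidate' $exe.Name $dll.FullName -Flag
    }
}

$findings | Where-Object Suspicious | Sort-Object Kind, Name | Format-Table -AutoSize
$findings | Export-Csv -Path "$env:USERPROFILE\Desktop\persistence-sweep.csv" -NoTypeInformation
```

Expect some legitimate rows in the flagged output (updaters that run from LocalAppData, for example); the point is the join between this list and the Resources paths Defender reported, since the entry that keeps recreating a Malgent alert will usually appear in both.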

FAQ

Is Trojan:Win32/Malgent!MSR, !MTB, !MBT, or !AMTB severe?

Yes. Treat these Malgent-family detections as severe until the affected path, source, and updated scans prove a false-positive case.

What if Defender shows HackTool:Win64/Malgent!MSR in truesight.sys?

Keep it blocked and investigate the driver source. A current, trusted security tool may use a legitimate driver, but an old or modified truesight.sys copy in C:\Windows\System32\drivers can be abused to interfere with protection.

Why does Malwarebytes not detect it if Defender does?

Different security tools use different signatures, cloud rules, and behavior models. A clean result from one scanner is useful context, but it does not automatically make a Defender HackTool or Trojan alert safe.

What if Defender cannot quarantine or remove it?

Disconnect, update Defender, run Defender Offline or Safe Mode removal, and check whether a driver/service is still loaded. If the alert returns, look for the installer or persistence entry that is restoring it.

Is a Malgent alert in Chrome cache, Tor Browser, or FRST64.exe always malware?

No. Browser cache objects, official Tor Browser builds, and trusted diagnostic tools can trigger false positives, but you should verify the source, keep the item quarantined, rescan after updates, and avoid restoring the file until Microsoft or the vendor clears it.

What changed when Defender says Malgent!MTB, !MBT, or !AMTB instead of !MSR?

The suffix identifies the specific Defender signature or model result. Your decision still depends on the file path, how the file arrived, whether it ran, and whether the alert returns after quarantine.

Should I reinstall Windows?

If the Trojan or hacktool ran and you cannot confirm cleanup, reinstalling may be safer than trusting a partially cleaned system, especially on work, banking, or password-manager PCs.

References

  1. Microsoft Security Intelligence. “HackTool:Win64/Malgent!MSR threat description.” Microsoft, accessed June 13, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool%3AWin64%2FMalgent%21MSR&ThreatID=2147834481
  2. Microsoft Security Intelligence. “Trojan:Win32/Malgent threat search and variant descriptions.” Microsoft, accessed June 19, 2026. https://www.microsoft.com/en-us/wdsi/threats/threat-search?query=Trojan%3AWin32%2FMalgent
  3. Ravie Lakshmanan. “2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT.” The Hacker News, February 25, 2025, accessed June 14, 2026. https://thehackernews.com/2025/02/2500-truesightsys-driver-variants.html
Brendan Smith has spent over 15 years in cybersecurity, from reverse-engineering old-school trojans to running full incident responses for small and medium businesses that could not afford a breach. At Gridinsoft he writes the double-checked guides on threats such as AsyncRAT; last year his breakdowns caught more than 200 variants in live scans, cutting user cleanup time by about 40%.