Trojan:Script/Ulthar.A!ml is a Microsoft Defender detection that should be judged by the affected file path, source, signature, and behavior, not by the name alone. Script detections deserve caution because a small script can launch commands or download other malware. If the file came from an unknown archive, crack, email attachment, fake update, or download portal, keep it quarantined and remove the source package.
What should you do with Trojan:Script/Ulthar.A!ml?
- Do not restore or allow the file as a first step. Keep Defender’s quarantine/removal action.
- Check the affected item path in Windows Security before deleting history.
- Delete the source installer/archive if it came from Downloads, Temp, email, or a crack/repack folder.
- Run a full scan and check startup entries if the file was executed.
| Detection | Trojan:Script/Ulthar.A!ml |
| Type | Script Trojan / machine-learning detection |
| Main risk | Script execution, download of additional payloads, persistence changes |
| Best first action | Quarantine/remove, delete source package, run full scan, verify persistence points |
What is Trojan:Script/Ulthar.A!ml?
Defender names are labels for a detection pattern. Microsoft’s public entry for Trojan:Script/Ulthar.A!ml confirms that Defender detects and removes this threat, while detailed behavior may be limited for generic or machine-learning detections [1]. The useful evidence is still the file path and context: a detection in a trusted signed app has a different risk profile than the same label on a crack, repack, script, or unknown executable.
Could it be a false positive?
Possibly, especially for uncommon tools, scripts, emulators, or newly built software. But do not treat it as a false positive if the file came from an unofficial download, torrent, software crack, fake update page, or message attachment. Submit a verified file to Microsoft only after checking the publisher, source, and hash [3].
How to remove Trojan:Script/Ulthar.A!ml
- Open Windows Security → Virus & threat protection → Protection history.
- Open the detection and note the affected item path.
- Choose Remove or Quarantine.
- Delete the original installer, archive, or extracted folder.
- Uninstall suspicious apps installed on the same date.
- Check Startup Apps, Task Scheduler, and unknown browser extensions.
- Update Defender and run a full scan after reboot [2].
- If the alert keeps returning, run a second-opinion scan with Gridinsoft Anti-Malware to check remnants, startup items, and companion files.
If the Ulthar script alert returns after cache cleanup or reboot, look for the source that keeps loading it: a browser extension, downloaded page, fake update, scheduled task, or companion app. A full scan is useful before you decide it was only a blocked script.
Defender can quarantine the visible file, but repeated alerts may mean a loader, scheduled task, service, browser change, or bundled component is recreating it. Scan the PC before trusting the cleanup.
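The checks from the removal steps above can also be run from an elevated PowerShell session. This is an added example, not part of the original article or of Microsoft's guidance; the `$pattern` heuristic and the variable names are assumptions chosen for illustration, and the pattern will also match legitimate entries.

```powershell
# Added example. Run in an elevated PowerShell session on the affected PC.
$threatName = 'Trojan:Script/Ulthar.A!ml'   # detection name from this page

# 1. Resolve the name to Defender's threat ID and list every detection event,
#    including the affected item paths shown in Protection history.
$threat = Get-MpThreat | Where-Object { $_.ThreatName -eq $threatName }
$hits = Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $threat.ThreatID } |
    ForEach-Object {
        [pscustomobject]@{
            Detected      = $_.InitialDetectionTime
            Process       = $_.ProcessName
            ActionSuccess = $_.ActionSuccess
            Resources     = $_.Resources -join '; '
        }
    }
$hits | Format-List

# 2. Persistence review. ASSUMPTION: this pattern (script hosts and
#    user-writable paths) is an illustrative heuristic; matches need
#    review against the detection date, not automatic deletion.
$pattern = 'wscript|cscript|mshta|powershell|AppData|\\Temp\\|%Temp%|\\Downloads\\'

Get-CimInstance Win32_StartupCommand |
    Where-Object { $_.Command -match $pattern } |
    Format-List Name, Command, Location, User

$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute value and simply do not match.
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Command = $cmd
            }
        }
    }
}
$tasks | Format-List

# 3. Update signatures, then run the full scan the steps call for.
Update-MpSignature
Start-MpScan -ScanType FullScan
```

An empty result in step 1 means Defender no longer holds a detection record under this name, for example after protection history was cleared.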
FAQ
Should I allow Trojan:Script/Ulthar.A!ml?
No, not on a normal PC. Allow only in an isolated lab or after Microsoft/vendor confirms a false positive.
Why does it come back after removal?
The source archive, extracted copy, browser cache, scheduled task, or companion app may still be present.
Do I need to reinstall Windows?
Usually no, if Defender blocked the file before execution. Consider deeper recovery if the file ran, Defender reports that remediation is incomplete, or suspicious startup or network behavior remains.
Related script detection: Gridinsoft also covers Trojan:Script/Conteban.A!ml, another Defender script alert where the source archive, cache path, and repeat behavior decide the cleanup steps.

