Affected versions: Windows Server 2012 R2


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Windows Defender on Windows Server 2012 R2 quarantines a trusted business application as a generic Trojan, breaking workflows and triggering false-positive incidents.

Environment & Reproduction

Reproducible when newer signatures hit unsigned or in-house binaries.

Get-MpComputerStatus | Select AMServiceEnabled,AntivirusSignatureVersion
Get-MpThreat

Root Cause Analysis

Heuristics or cloud-delivered detection flags legitimate code that has unusual entropy, packed sections, or lacks signing.

Quick Triage

Inspect threat history and quarantine.

Get-MpThreat
Get-MpThreatDetection
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 30

Step-by-Step Diagnosis

Validate the file with a sandbox and check ASR rules.

Get-MpPreference | Select AttackSurfaceReductionRules_Ids,AttackSurfaceReductionRules_Actions
Get-FileHash 'C:\Program Files\App\app.exe'

Solution – Primary Fix

Add a narrow exclusion for the verified path or publisher.


Add-MpPreference -ExclusionPath 'C:\Program Files\App'
# Extension exclusions apply machine-wide, not just to this app; prefer the path exclusion above
Add-MpPreference -ExclusionExtension '.dat'
Start-MpScan -ScanType QuickScan
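The following script is an added example, not part of the original article: it ties the diagnosis and primary-fix steps together by confirming that Defender actually flagged the binary, verifying the file against a known-good hash and its Authenticode signature, and only then adding a file-level exclusion that is recorded in the exclusion inventory for later rollback. The application path, the expected SHA256 and the inventory CSV path are assumptions; replace them with your own values.

```powershell
# Added example (not from the original article): validate a Defender-flagged
# binary before adding a narrow path exclusion, and record what was excluded.
# Assumed values: the application path, the expected SHA256 from your build
# system or vendor (placeholder below), and the inventory CSV path.
param(
    [string]$AppPath     = 'C:\Program Files\App\app.exe',
    [string]$KnownSha256 = '<SHA256-FROM-BUILD-SYSTEM>',   # placeholder, replace
    [string]$Inventory   = 'C:\Temp\defender-exclusions.csv'
)

# 1. Confirm Defender actually flagged this file. Resources entries look like
#    'file:_C:\Program Files\App\app.exe', so match on the path substring.
$hits = Get-MpThreatDetection | Where-Object {
    $_.Resources -match [regex]::Escape($AppPath)
}
if (-not $hits) { Write-Warning "No Defender detection references $AppPath"; return }
$threat = Get-MpThreat | Where-Object { $_.ThreatID -in $hits.ThreatID }

# 2. Independently verify the binary: the hash must match the known-good build,
#    and ideally the Authenticode signature must be valid.
$hash = (Get-FileHash -Path $AppPath -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -FilePath $AppPath
if ($hash -ne $KnownSha256) {
    Write-Error "Hash mismatch for $AppPath ($hash): do not exclude; treat as a real detection"
    return
}
if ($sig.Status -ne 'Valid') {
    Write-Warning "Unsigned or invalid signature ($($sig.Status)); excluding on hash match only"
}

# 3. Narrow exclusion: the specific file, not a whole folder or an extension.
Add-MpPreference -ExclusionPath $AppPath

# 4. Append to the exclusion inventory so the rollback step knows what to remove.
[pscustomobject]@{
    Added      = (Get-Date).ToString('s')
    Path       = $AppPath
    Sha256     = $hash
    Signer     = $sig.SignerCertificate.Subject
    ThreatName = ($threat.ThreatName -join ';')
    Reason     = 'Verified false positive'
} | Export-Csv -Path $Inventory -Append -NoTypeInformation
```

Run it from an elevated PowerShell session; if the hash does not match the build you expect, the script stops without adding an exclusion, which is the intended outcome.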

Solution – Alternative Approaches

Submit the file to Microsoft for false positive review and adjust ASR.

Set-MpPreference -AttackSurfaceReductionRules_Ids  -AttackSurfaceReductionRules_Actions AuditMode

Verification & Acceptance Criteria

Application runs without quarantine and threat count stays clean.

Get-MpThreat
Get-MpComputerStatus

Rollback Plan

Remove exclusions once Microsoft updates signatures.

Remove-MpPreference -ExclusionPath 'C:\Program Files\App'

Prevention & Hardening

Sign internal binaries, maintain an exclusion inventory, and review ASR audit logs.

Get-MpPreference | Select ExclusionPath | Export-Csv C:\Temp\defender-exclusions.csv -NoTypeInformation

Related Errors & Cross-Refs

Linked with AppLocker rule blocks, SmartScreen warnings, and Code Integrity events.


References & Further Reading

Microsoft Learn: Microsoft Defender Antivirus exclusions and false positive submission.
