Skip to content

Add comprehensive documentation for Microsoft Defender false positive detections #2184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
chipitsine merged 7 commits into from
Dec 6, 2025
Merged

Add comprehensive documentation for Microsoft Defender false positive detections #2184

chipitsine merged 7 commits into from
Dec 6, 2025

Conversation

Copy link
Contributor

Copilot AI commented Dec 5, 2025
edited
Loading

Changes proposed in this pull request:

Problem

Microsoft Defender flags SoftEther VPN 5.x binaries as Trojan:Win32/KepavII!rfn, quarantining executables, services, registry entries, and shortcuts. This breaks installations on Windows 11. The detection is a false positive triggered by heuristic analysis of legitimate VPN operations (network interception, virtual adapters, kernel drivers, service installation).

Solution

Documentation

  • ANTIVIRUS.md: 338-line comprehensive guide covering root causes, step-by-step Windows Defender exclusion configuration, Group Policy setup, false positive reporting process, and FAQ
  • WINDOWS_README.txt: Plain text quick reference for installer packages with immediate remediation steps
  • README.md: Added prominent warning in Windows installation section
  • SECURITY.md: Clarified that antivirus detections are not security vulnerabilities

IT Administrator Tools

  • Production PowerShell script with admin/module checks, error handling, and detailed reporting:
# Checks privileges and Defender availability
if (-not (Get-Module -ListAvailable -Name Defender)) {
    Write-Error "Windows Defender PowerShell module is not available"
    exit 1
}

# Safe exclusion addition with error handling
try {
    Add-MpPreference -ExclusionPath $path -ErrorAction Stop
    Write-Host "✓ Added exclusion: $path" -ForegroundColor Green
} catch {
    Write-Warning "✗ Failed: $($_.Exception.Message)"
}

GitHub Templates

  • Updated bug report template with antivirus warning to reduce duplicate issues
  • Added "Antivirus False Positive Detection" contact link in issue config

Rationale

Code changes cannot prevent heuristic-based detection of legitimate VPN behavior. Documentation-first approach provides immediate user value and establishes foundation for future code signing infrastructure.

Notes

Changes to common.manifest were reverted per maintainer feedback. The PR now focuses purely on documentation and user guidance without modifying build metadata.

Original prompt

This section details on the original issue you should resolve

<issue_title>Microsoft Defender Flags SoftEther VPN 5.x Client Components as Trojan:Win32/KepavII!rfn (False Positive)</issue_title>
<issue_description>### Are you using SoftEther VPN 5.x?

  • Yes, I'm using SoftEther VPN 5.x, not 4.x.

Version

5.02.5187

Component

VPN Client

Operating system & version

Windows 11 Pro for Workstations 25H2 / OS build: 26200.7309

Architecture or Hardware model

13th Gen Intel(R) Core(TM) i7-1355U (1.70 GHz)

Steps to reproduce

Microsoft Defender is repeatedly detecting several SoftEther VPN 5.x Client Developer Edition components as Trojan:Win32/KepavII!rfn, quarantining executable files, registry entries, shortcuts, and even the SoftEther Client service.

This completely breaks the installation and prevents the VPN Client from functioning unless exclusions are manually configured.

I strongly believe this is a false positive, but it is severe enough to disrupt normal operation.

Image Image Image

Details & Affected Items

Microsoft Defender reports:

Detected: Trojan:Win32/KepavII!rfn  
Status: Quarantined  
"This program is dangerous and executes commands from an attacker."

Affected items include:

  • C:\Program Files\SoftEther VPN Client Developer Edition\vpnclient.exe
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SoftEther VPN Client Developer Edition\Administrative Tools\Network Traffic Speed Test Tool.lnk
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SoftEther VPN Client Developer Edition\Config\TCP Optimization Utility.lnk
  • Registry keys under:
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\SoftEther VPN Client UI Helper Developer Edition
  • Service flagged:
    SEVPNCLIENTDEV
  • Processes terminated and quarantined by PID

Even after adding full folder exclusions for all SoftEther VPN 5.x paths, Defender still blocks the application on startup.

Steps to Reproduce

  1. Install SoftEther VPN Client Developer Edition 5.02.5187 on Windows 11 25H2.
  2. Launch the client or allow helper applications to run.
  3. Wait for Defender real-time protection to scan executables.
  4. SoftEther components get quarantined automatically.

✔️ Expected Behavior

SoftEther VPN Client should run without antivirus interference.

❌ Actual Behavior

Multiple SoftEther binaries, services, and shortcuts are flagged as a severe threat and quarantined.

Anything else?

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI changed the title [WIP] Fix false positive detection of SoftEther VPN in Microsoft Defender Add comprehensive documentation for Microsoft Defender false positive detections Dec 5, 2025
Copilot AI requested a review from chipitsine December 5, 2025 18:23
@chipitsine
Copy link
Member

chipitsine commented Dec 6, 2025

@copilot please revert changes to manifest

Copy link
Contributor Author

Copilot AI commented Dec 6, 2025

@copilot please revert changes to manifest

Reverted the manifest changes in commit 1ec05c0. The file is now back to its original state.

@chipitsine chipitsine marked this pull request as ready for review December 6, 2025 18:01
@chipitsine chipitsine merged commit d5c2e33 into master Dec 6, 2025
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chipitsine chipitsine Awaiting requested review from chipitsine

Assignees

@chipitsine chipitsine

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Microsoft Defender Flags SoftEther VPN 5.x Client Components as Trojan:Win32/KepavII!rfn (False Positive)

2 participants

@chipitsine