Microsoft Defender wrongly flags DigiCert root certificates as malware

Microsoft Defender wrongly flagged DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha on April 30, removing some certificates from the Windows trust store and triggering false alerts on systems worldwide.

KEY FACTS

  • Detection: Microsoft added the alert in a Defender signature update on April 30.
  • Impact: Some affected Windows systems removed DigiCert root certificate entries from the AuthRoot store.
  • Certificates: Two certificate fingerprints were reported as affected by the false positives.
  • Fix: Microsoft said Security Intelligence version 1.449.430.0 or later resolves the issue.

Administrators began reporting the problem on April 30 and May 1, with some users seeing the certificates removed from Windows trust store entries. The certificates identified in the reports had the fingerprints 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.

Microsoft later said the false alerts were suppressed and cleaned up after the alert logic was updated. The company said customers should install Security Intelligence version 1.449.430.0 or later and do not need to take additional action for the alerts.
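For administrators who want to confirm that a machine has the corrected signatures and that the two root certificates named in the reports are still present, the following PowerShell is an added example for this article, not a script from Microsoft or DigiCert. It assumes the Defender PowerShell module is available (it is on supported Windows clients and servers with Defender installed) and uses only the version number and fingerprints quoted above; it does not change anything on the system.

```powershell
# Added example (not part of the article): verify the Defender signature fix and
# check whether the DigiCert root fingerprints from the reports are in the trust stores.

# Version Microsoft said resolves the false positive (from the article).
$fixedVersion = [version]'1.449.430.0'

# SHA-1 thumbprints of the two root certificates named in the reports (from the article).
$thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)

# 1. Is the installed Security Intelligence version at or above the fixed build?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -ge $fixedVersion) {
    Write-Output "Signatures $current are at or above $fixedVersion (fix applied)."
} else {
    Write-Output "Signatures $current are older than $fixedVersion; run Update-MpSignature and re-check."
}

# 2. Has Defender recorded any detection with the name reported for this false positive?
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
if ($hits) {
    Write-Output "Defender history contains $($hits.Count) detection(s) matching 'Cerdigent':"
    $hits | Select-Object ThreatName, SeverityID | Format-Table -AutoSize
} else {
    Write-Output "No 'Cerdigent' detections in Defender history."
}

# 3. Are the two root certificates present in the machine trust stores?
#    AuthRoot holds roots delivered by the automatic root update; Root holds
#    roots installed with Windows or added locally.
foreach ($store in 'AuthRoot', 'Root') {
    $path    = "Cert:\LocalMachine\$store"
    $found   = Get-ChildItem -Path $path | Where-Object { $thumbprints -contains $_.Thumbprint }
    $missing = $thumbprints | Where-Object { $found.Thumbprint -notcontains $_ }

    foreach ($cert in $found) {
        Write-Output "$store : present  $($cert.Thumbprint)  $($cert.Subject)"
    }
    foreach ($tp in $missing) {
        Write-Output "$store : absent   $tp"
    }
}
```

Run it from an elevated PowerShell session so the machine stores and Defender status are readable. A root reported as absent from AuthRoot is not by itself proof that Defender removed it: Windows populates AuthRoot on demand through the automatic root update, so a root the machine has never needed may simply not be cached yet. The stronger signal is a root that was present before April 30, a matching entry in the Defender detection history, and signatures older than 1.449.430.0.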

The issue followed a DigiCert security incident disclosure that said threat actors obtained initialization codes for a limited number of code-signing certificates. DigiCert said it revoked 60 code-signing certificates, including 27 linked to a malware campaign.

The company said the breached support environment exposed initialization codes for approved, but undelivered, EV code-signing certificate orders. It said the certificates flagged by Microsoft were root certificates in the Windows trust store and did not match the revoked code-signing certificates used to sign malware.

Separately, researchers said some newly issued DigiCert certificates were used in the Zhong Stealer campaign, which distributed malware through phishing emails, decoy images, cloud-hosted payloads, and signed binaries.

WHY IT MATTERS

The false positives caused confusion for Windows users and administrators and, in some cases, led to removed trust store certificates that could affect system trust settings. Microsoft said the issue is fixed, but the incident shows how security detections can create disruption when they overlap with active certificate abuse investigations.