Microsoft Defender False Positive Tags Legitimate DigiCert Root Certificates as Trojan
Breaking: Microsoft Defender Flags Trusted DigiCert Certificates as Malware
Microsoft Defender is wrongly detecting legitimate DigiCert root certificates as the Trojan:Win32/Cerdigent.A!dha threat, triggering widespread false-positive alerts across millions of Windows devices. In severe cases, the security software is automatically removing these certificates, potentially breaking HTTPS connections and certificate-based authentication systems.

"This is a significant false positive that undermines trust in automated security tools," said Dr. Elena Torres, a cybersecurity analyst at CyberRisk Institute. "Root certificates are the bedrock of internet security. Misidentifying them as malware can have cascading effects."
Background: Understanding Root Certificates and False Positives
DigiCert is a widely trusted Certificate Authority (CA) that issues digital certificates to validate website identities and enable encrypted communications. Root certificates, signed by the CA itself, are pre-installed in operating systems to establish a chain of trust for downstream certificates.
The false positive—labeled Trojan:Win32/Cerdigent.A!dha—appears to be triggered by Microsoft Defender's heuristic scanning engine misinterpreting certificate file signatures. DigiCert has acknowledged the issue, stating in a security advisory that "Microsoft Defender's update may have inadvertently flagged certain DigiCert root CA certificates as malicious."
What This Means: Disruption and Remediation
Users are reporting unexpected security warnings and blocked access to websites that rely on DigiCert-issued certificates. Some enterprise environments have experienced certificate revocation, disabling VPN connections, email encryption, and code signing workflows.
"IT administrators should immediately check for quarantined certificates and restore them from Defender's quarantine list," recommended Mark Liu, incident response lead at TrustNet Solutions. "For now, the safest workaround is to add an exclusion for the DigiCert root certs until Microsoft ships a fix."
- Verify whether Defender quarantined any DigiCert certificates under the detection name Trojan:Win32/Cerdigent.A!dha.
- Restore affected certificates via Microsoft Defender > Quarantine > Restore.
- Temporarily exclude the DigiCert root path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
Microsoft has not yet published a formal fix, but internal sources indicate a signature update is under expedited review. The company has declined to comment on a timeline.

Technical Details: How the False Positive Occurs
Security researchers from Automox Labs found that Defender's detection engine confuses the binary structures of DigiCert's root certificate files with known Trojan variants. The detection name includes the string Cerdigent—a portmanteau of "certificate" and "DigiCert"—suggesting an incomplete malware taxonomy update.
"This is not a zero-day exploit or a compromise of DigiCert's infrastructure," clarified Dr. Torres. "It is purely a flaw in Defender's detection logic that needs immediate correction."
What This Means for Enterprises and Home Users
For organizations using Microsoft Defender for Endpoint, the false positive may have already spread via Group Policy or security dashboard alerts, prompting automated removal actions. Businesses should audit their security logs to identify any certificates that were deleted or quarantined since the update.
Home users are less likely to suffer prolonged impact because default system protections usually prevent certificate deletion without confirmation. However, anyone who clicked "Allow" on a Defender alert should restore the certificate manually.
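The quarantine check from the remediation checklist and the log audit recommended above can be run as one read-only PowerShell pass over a single host. This is an added example, not code from the article, Microsoft or DigiCert. The seven-day look-back window and the output field names are assumptions; the cmdlets, Defender event IDs 1116/1117 and MpCmdRun.exe switches are the standard ones.

```powershell
# Added example (not Microsoft or DigiCert tooling): read-only audit of one host.
# Run in an elevated PowerShell session on a machine running Microsoft Defender.
$ThreatName = 'Trojan:Win32/Cerdigent.A!dha'   # detection name from the article
$Since      = (Get-Date).AddDays(-7)            # assumed look-back window; adjust

# 1. Detections Defender recorded under this threat name.
$threatIds  = @(Get-MpThreat | Where-Object ThreatName -eq $ThreatName |
                Select-Object -ExpandProperty ThreatID)
$detections = @(Get-MpThreatDetection |
                Where-Object { $_.ThreatID -in $threatIds -and
                               $_.InitialDetectionTime -ge $Since })

# 2. Operational log: event 1116 = detection, 1117 = action taken on it.
$events = @(Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-Windows Defender/Operational'
                Id        = 1116, 1117
                StartTime = $Since
            } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -and $_.Message.Contains($ThreatName) })

# 3. DigiCert roots still present in the machine trust store.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Subject -like '*DigiCert*' })

# Per-host summary; field names are this example's own.
[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    Detections     = $detections.Count
    ActionEvents   = @($events | Where-Object Id -eq 1117).Count
    DigiCertRoots  = $roots.Count
    NeedsAttention = ($detections.Count -gt 0 -or $events.Count -gt 0)
}

# Resources Defender acted on, and the DigiCert roots currently trusted.
$detections | Select-Object InitialDetectionTime, ActionSuccess, Resources | Format-List
$roots      | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 4. Quarantine contents (listing only; nothing is restored or excluded here).
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

After reviewing the listing, `MpCmdRun.exe -Restore -Name` followed by the threat name restores the most recently quarantined item for that detection from the command line.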