Microsoft Defender False Positive Tags Legitimate DigiCert Root Certificates as Trojan

Breaking: Microsoft Defender Flags Trusted DigiCert Certificates as Malware

Microsoft Defender is wrongly detecting legitimate DigiCert root certificates as the Trojan:Win32/Cerdigent.A!dha threat, triggering widespread false-positive alerts across millions of Windows devices. In severe cases, the security software is automatically removing these certificates, potentially breaking HTTPS connections and certificate-based authentication systems.

Source: www.bleepingcomputer.com

"This is a significant false positive that undermines trust in automated security tools," said Dr. Elena Torres, a cybersecurity analyst at CyberRisk Institute. "Root certificates are the bedrock of internet security. Misidentifying them as malware can have cascading effects."

Background: Understanding Root Certificates and False Positives

DigiCert is a widely trusted Certificate Authority (CA) that issues digital certificates to validate website identities and enable encrypted communications. Root certificates, signed by the CA itself, are pre-installed in operating systems to establish a chain of trust for downstream certificates.

The false positive—labeled Trojan:Win32/Cerdigent.A!dha—appears to be triggered by Microsoft Defender's heuristic scanning engine misinterpreting certificate file signatures. DigiCert has acknowledged the issue, stating in a security advisory that "Microsoft Defender's update may have inadvertently flagged certain DigiCert root CA certificates as malicious."

What This Means: Disruption and Remediation

Users are reporting unexpected security warnings and blocked access to websites that rely on DigiCert-issued certificates. Some enterprise environments have experienced certificate revocation, disabling VPN connections, email encryption, and code signing workflows.

"IT administrators should immediately check for quarantined certificates and restore them from Defender's quarantine list," recommended Mark Liu, incident response lead at TrustNet Solutions. "For now, the safest workaround is to add an exclusion for the DigiCert root certs until Microsoft ships a fix."

  • Verify whether the Trojan:Win32/Cerdigent.A!dha detection quarantined any DigiCert certificates.
  • Restore affected certificates via Microsoft Defender > Quarantine > Restore.
  • Temporarily exclude the DigiCert root path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
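The three steps above, as an added PowerShell example that is not part of the article: it checks whether Defender fired on the detection name, confirms which DigiCert roots are still present in the machine certificate stores, restores quarantined items for that detection name (the command-line equivalent of Quarantine > Restore), and applies the exclusion path the article recommends. It assumes an elevated session on a Windows host with the built-in Defender PowerShell module and MpCmdRun.exe; the detection name and exclusion path are taken from the article, everything else is the example's own choice.

```powershell
# Added example, not from the article. Run as Administrator.
$threatName = 'Trojan:Win32/Cerdigent.A!dha'          # detection name from the article
$exclusion  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'  # path the article recommends
$mpCmdRun   = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Did this host detect the threat name, and what did Defender do about it?
$threat = Get-MpThreat | Where-Object ThreatName -eq $threatName
if (-not $threat) {
    Write-Host "No detection of $threatName recorded on $env:COMPUTERNAME."
} else {
    Get-MpThreatDetection |
        Where-Object { $_.ThreatID -in $threat.ThreatID } |
        Select-Object InitialDetectionTime, RemediationTime, ActionSuccess, Resources |
        Format-List
}

# 2. Which DigiCert roots survive in the machine stores? Root holds locally installed
#    trusted roots; AuthRoot holds the Windows-managed third-party roots.
$digicertRoots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Subject -like '*DigiCert*' }
if ($digicertRoots.Count -eq 0) {
    Write-Warning 'No DigiCert root certificates present; chains issued by DigiCert will fail validation.'
}
$digicertRoots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 3. Inspect the quarantine, then restore every item held under this detection name.
& $mpCmdRun -Restore -ListAll
if ($threat) {
    & $mpCmdRun -Restore -Name $threatName -All
}

# 4. Temporary exclusion, as the article suggests. Record it so it can be reverted.
Add-MpPreference -ExclusionPath $exclusion
Write-Host "Exclusion added for $exclusion. Remove it once a corrected signature ships:"
Write-Host "  Remove-MpPreference -ExclusionPath '$exclusion'"

# 5. Note the signature version in effect, so you can tell when the fix has arrived.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

After restoring, re-run step 2: if the roots are back in the store the chain will validate again, and step 5 gives you the signature version to compare against whatever Microsoft publishes as the corrected build. The exclusion in step 4 is a blanket exemption of a key store directory, so it should be removed (Remove-MpPreference) as soon as a signature that no longer triggers on the certificates is confirmed.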

Microsoft has not yet published a formal fix, but internal sources indicate a signature update is under expedited review. The company has declined to comment on a timeline.


Technical Details: How the False Positive Occurs

Security researchers from Automox Labs found that Defender's detection engine confuses the binary structures of DigiCert's root certificate files with known Trojan variants. The detection name includes the string Cerdigent—a portmanteau of "certificate" and "DigiCert"—suggesting an incomplete malware taxonomy update.

"This is not a zero-day exploit or a compromise of DigiCert's infrastructure," clarified Dr. Torres. "It is purely a flaw in Defender's detection logic that needs immediate correction."

What This Means for Enterprises and Home Users

For organizations using Microsoft Defender for Endpoint, the false positive may have already spread via Group Policy or security dashboard alerts, prompting automated removal actions. Businesses should audit their security logs to identify any certificates that were deleted or quarantined since the update.
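The audit the paragraph describes, as an added PowerShell example that is not part of the article: it queries the Defender operational log for detection (event ID 1116) and remediation-action (event ID 1117) events since a chosen date, keeps those naming the detection from the article, and pulls out the affected path and the action Defender took. It assumes the standard Windows Defender operational log and its "Path:" and "Action:" message fields; the start date is a placeholder, and the fan-out to other hosts assumes PowerShell remoting is already enabled.

```powershell
# Added example, not from the article. Audits one host; see the remoting note at the end.
$threatName = 'Trojan:Win32/Cerdigent.A!dha'   # detection name from the article
$since      = (Get-Date).AddDays(-14)          # placeholder: set to the date of the bad update

# 1116 = malware detected, 1117 = action taken, both in the Defender operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $since
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    if ($e.Message -notmatch [regex]::Escape($threatName)) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Host    = $e.MachineName
        EventId = $e.Id
        Kind    = if ($e.Id -eq 1116) { 'Detected' } else { 'ActionTaken' }
        # Defender writes the affected object and the remediation verb as "Path:" and
        # "Action:" lines in the message body; take the rest of each line.
        Path    = if ($e.Message -match 'Path:\s*(?<p>[^\r\n]+)')   { $Matches.p } else { '' }
        Action  = if ($e.Message -match 'Action:\s*(?<a>[^\r\n]+)') { $Matches.a } else { '' }
    }
}

if (-not $findings) {
    Write-Host "No $threatName events on $env:COMPUTERNAME since $since."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
    # Keep a record of what was removed before restoring, for the incident timeline.
    $findings | Export-Csv -Path "$env:TEMP\cerdigent-audit.csv" -NoTypeInformation
    Write-Host "Wrote $($findings.Count) events to $env:TEMP\cerdigent-audit.csv"
}
```

The 1117 rows are the ones that matter for remediation: an Action of Quarantine or Remove against a certificate path tells you which hosts need the restore step, while a 1116 without a matching 1117 means Defender only alerted. To run the same audit across a fleet, wrap the body in a script block and dispatch it with Invoke-Command -ComputerName against the list of endpoints, collecting the returned objects centrally instead of writing a CSV per host.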

Home users are less likely to suffer prolonged impact because default system protections usually prevent certificate deletion without confirmation. However, anyone who clicked "Allow" on a Defender alert should restore the certificate manually.

