Microsoft Defender False Positives Flag DigiCert Certs as Trojans
Microsoft Defender is flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, triggering false-positive alerts and certificate removal on Windows systems.

Executive Summary
Microsoft Defender for Endpoint is generating widespread false-positive detections of legitimate DigiCert root certificates, flagging them as Trojan:Win32/Cerdigent.A!dha. According to BleepingComputer, the erroneous alerts have led to automatic certificate removal on some systems, potentially disrupting HTTPS connections, code signing, and other certificate-dependent operations. Microsoft has acknowledged the issue but has not yet released a formal fix.
Technical Analysis
The false-positive detection targets DigiCert root certificates — trusted Certificate Authority (CA) certificates that are foundational to Windows' chain-of-trust model. Defender's signature-based engine is misclassifying these certificates as malware under the Trojan:Win32/Cerdigent.A!dha label. In cases where Defender's real-time protection is configured to take automatic action, the certificates may be quarantined or deleted, breaking trust chains for any applications or services relying on DigiCert-issued certificates. BleepingComputer reports that the issue appears to affect multiple Windows versions, though Microsoft has not published a specific list of impacted builds or Defender signature versions. The root cause — whether a bad signature update or a heuristic engine flaw — has not been disclosed by Microsoft as of this writing.
Mitigations & Recommendations
Affected organizations should immediately check Defender alerts for Trojan:Win32/Cerdigent.A!dha detections against DigiCert root certificates. If certificates have been removed, administrators can restore them from a known-good backup or reinstall the DigiCert root certificates from the official DigiCert repository. Microsoft recommends submitting false-positive reports through the Microsoft Defender Security Center portal (https://www.microsoft.com/en-us/wdsi/filesubmission) to expedite signature updates. Until Microsoft releases a corrected signature or engine update, organizations may consider temporarily disabling automatic remediation for certificate detections, though this carries its own risk of missing genuine threats. No ETA for a permanent fix has been provided.
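The triage steps above (check for the detection, confirm which DigiCert roots survive in the machine's trusted root store, and restore any that were removed from a known-good backup) can be scripted with the Defender and PKI cmdlets that ship with Windows. The script below is an added example written for this article, not Microsoft's or DigiCert's code; the baseline thumbprint list and the backup folder path are placeholders an administrator would replace with values exported from a healthy machine before the incident.

```powershell
# Added example: triage Defender false positives against DigiCert root certificates.
# Run in an elevated PowerShell session on the affected Windows host.

$threatName = 'Trojan:Win32/Cerdigent.A!dha'

# 1. Find Defender detections carrying the false-positive threat name.
#    Get-MpThreat lists threat names/IDs; Get-MpThreatDetection lists each detection
#    event with the resources (files, registry entries) Defender acted on.
$matchingThreats = Get-MpThreat | Where-Object { $_.ThreatName -eq $threatName }
if (-not $matchingThreats) {
    Write-Host "No '$threatName' detections recorded on this host."
} else {
    foreach ($threat in $matchingThreats) {
        Get-MpThreatDetection |
            Where-Object { $_.ThreatID -eq $threat.ThreatID } |
            Select-Object InitialDetectionTime, ActionSuccess, Resources |
            Format-List
    }
}

# 2. Inventory DigiCert roots currently present in the machine trusted root store.
$presentRoots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DigiCert*' }
$presentRoots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 3. Compare against a baseline exported from a known-good machine.
#    PLACEHOLDER: replace with the thumbprints you exported before the incident, e.g. via
#    Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*DigiCert*' | Select Thumbprint
$baselineThumbprints = @(
    'THUMBPRINT_FROM_KNOWN_GOOD_HOST_1',
    'THUMBPRINT_FROM_KNOWN_GOOD_HOST_2'
)
$missing = $baselineThumbprints | Where-Object { $_ -notin $presentRoots.Thumbprint }

# 4. Restore missing roots from a backup folder of .cer files named <thumbprint>.cer.
#    PLACEHOLDER path; the backup must come from a trusted source (known-good export
#    or the official DigiCert download), never from the quarantined copy alone.
$backupFolder = 'C:\CertBackup\DigiCert'
foreach ($thumb in $missing) {
    $cerPath = Join-Path $backupFolder "$thumb.cer"
    if (Test-Path $cerPath) {
        # Import-Certificate (PKI module) adds the cert to the LocalMachine Root store.
        Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Host "Restored DigiCert root $thumb from backup."
    } else {
        Write-Warning "DigiCert root $thumb is missing and no backup file was found at $cerPath."
    }
}
```

Comparing against an exported baseline, rather than a hard-coded list, keeps the check honest: the article does not state which DigiCert roots Defender removes, so the only reliable reference is the store contents of a machine that was not affected. Re-running steps 2 and 3 after Microsoft ships a corrected signature confirms the roots stay in place.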
