An update to Microsoft Defender has turned trusted certificates into a security issue.
The false positive, related to the Trojan:Win32/Cerdigent.A!dha detection, caused Defender to flag legitimate DigiCert root certificates as malicious after an April 30 signature update. In some cases, administrators reported that trusted certificates were removed from Windows systems, disrupting trust relationships and forcing IT teams to determine whether they were looking at a genuine compromise or a faulty detection.
“Earlier today, we determined that false positive alerts had been triggered in error and updated the alert logic,” Microsoft said, as reported by BleepingComputer.
This incident is a reminder that automated defenses can create a blast radius of their own when certificate trust, malware detection, and rapid response collide.
Inside the DigiCert False Positive Incident
The issue began following a Microsoft Defender signature update released on April 30, which introduced detections of Trojan:Win32/Cerdigent.A!dha.
Shortly after, administrators reported that legitimate DigiCert root certificates were being flagged as malicious and removed from the Windows trust store. On affected systems, this included deletions of the AuthRoot store, which disrupted trust relationships and raised concerns about system integrity.
The unexpected alerts caused confusion among users and IT teams because certificate-based detections are often associated with serious compromises. As a result, some organizations treated the alerts as active infections, leading to unnecessary and disruptive actions such as completely rebuilding systems.
Relationship to the DigiCert Incident
Microsoft later clarified that the detections were introduced in response to a DigiCert security incident involving compromised code signing certificates.
DigiCert revoked 60 certificates as part of its response, including several linked to the Zhong Stealer campaign.
To protect customers quickly, Defender added detection logic targeting potentially malicious certificates. However, this measure proved too broad, causing legitimate DigiCert root certificates to be falsely flagged as threats.
Microsoft has since released a fix in the latest Defender update.
Reduce the Risk of Certificate Failures
Minimize the impact of certificate incidents by improving validation, monitoring, and response processes.
- Update Microsoft Defender to the latest version: Validate that the affected root certificates have been restored, and test signature updates in a staging environment before large-scale deployment.
- Check certificate stores against a known-good baseline: Keep secure backups of the trust stores for rapid recovery.
- Monitor endpoints and logs for unexpected certificate changes: Alert on trust store modifications and other abnormal behavior.
- Centralize certificate management using Group Policy or MDM: Ensure consistency and enable rapid remediation.
- Correlate alerts across multiple security tools: Reduce the risk of unnecessary actions in the event of false positives.
- Test incident response plans: Use attack simulation tools with scenarios involving certificate compromise.
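A baseline-and-diff check of the Windows machine trust stores, covering the "check against a baseline" and "monitor for unexpected certificate changes" items above. This is an added PowerShell example, not code from the article or from Microsoft; the baseline path is an assumed placeholder and the script must run elevated on Windows.

```powershell
# Added example: snapshot the Root and AuthRoot stores (the stores the Defender
# false positive touched) and diff a later snapshot against that baseline so a
# removed DigiCert root shows up as a change rather than a mystery.
param(
    [string]$BaselinePath = "C:\ProgramData\TrustBaseline\roots.csv",  # assumed path
    [switch]$Record   # -Record writes the baseline; without it, compare to baseline
)

$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')

function Get-TrustSnapshot {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter.ToString('o')
            }
        }
    }
}

if ($Record) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    Get-TrustSnapshot | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Record on a known-good system first."
}

$baseline = Import-Csv -Path $BaselinePath
$current  = Get-TrustSnapshot

# SideIndicator '<=' = in baseline but missing now (removed); '=>' = newly added
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Store, Thumbprint

foreach ($d in $diff) {
    $source = if ($d.SideIndicator -eq '<=') { $baseline } else { $current }
    $cert   = $source | Where-Object { $_.Store -eq $d.Store -and $_.Thumbprint -eq $d.Thumbprint }
    $state  = if ($d.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED' }
    # A removed DigiCert root is exactly the symptom the April 30 update produced:
    # check Defender's detection history before treating it as a compromise.
    $note = if ($cert.Subject -match 'DigiCert') { ' <-- DigiCert root, review Defender history' } else { '' }
    Write-Output "$state $($d.Store) $($d.Thumbprint) $($cert.Subject)$note"
}
if (-not $diff) { Write-Output "Trust stores match baseline." }
```

Run it with -Record on a known-good machine after the fixed Defender update is applied, then schedule the compare run alongside endpoint monitoring so store changes are caught as they happen.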
This incident highlights the increasing complexity of managing trust and verification in modern environments, especially as attackers target systems such as code signing infrastructure.
It also highlights the growing reliance on automated security controls and the need for robust visibility and validation processes to ensure accuracy and prevent unintended impacts.
Editor’s Note: This article was originally published on our sister publication, eSecurityPlanet.