Defender Falsely Flags DigiCert Root Certs as Malware

Microsoft Defender detects legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, triggering widespread false-positive alerts and, in some cases, removing certificates from the Windows trust store.

Cybersecurity expert Florian Roth notes the issue emerged after Microsoft added the detections in a Defender signature update on April 30. Administrators worldwide report DigiCert root certificate entries flagged as malware, with affected systems removing them from the AuthRoot store under the registry key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\.

The flagged certificates bear hashes 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. Concerned Windows users have reinstalled their operating systems, fearing infection.

Microsoft reportedly fixes the detections in Security Intelligence update version 1.449.430.0; the latest is now 1.449.431.0. The update also restores removed certificates and installs automatically, though users can force it via Windows Security > Virus and threat protection > Protection updates > Check for updates.

The false positives follow a recent DigiCert security incident where threat actors obtained valid code-signing certificates for malware. Attackers targeted support staff in early April with malicious ZIP files disguised as screenshots. After compromising devices, they accessed initialization codes for pending EV code-signing orders via an internal portal, leading DigiCert to revoke 60 certificates, including 27 linked to malware.