False Positive Alert: Microsoft Defender Mistakenly Identifies DigiCert Certificates as Malware

2026-05-04 23:26:54

Introduction

In early 2025, a significant false positive event hit Windows users worldwide when Microsoft Defender began flagging legitimate DigiCert root certificates as "Trojan:Win32/Cerdigent.A!dha." This detection error caused widespread alarm, with some systems automatically quarantining or even deleting these critical certificates, leading to potential connectivity and trust issues across affected machines.

False Positive Alert: Microsoft Defender Mistakenly Identifies DigiCert Certificates as Malware
Source: www.bleepingcomputer.com

What Happened: The False Positive Detection

Microsoft Defender, the built-in antivirus solution for Windows, mistakenly identified several DigiCert root certificates as belonging to a previously unknown malware family named Trojan:Win32/Cerdigent.A!dha. Root certificates are essential components of the Public Key Infrastructure (PKI), used to authenticate secure connections (HTTPS) and verify software signatures. When Defender flagged these certificates, it treated them as threats, applying standard remediation actions such as quarantine or removal.

Detection Mechanism

The false alarm appears to have been triggered by an updated malware signature database. Microsoft Defender relies on heuristic and behavioral analysis alongside signature-based detection. In this case, a signature intended to catch a real threat inadvertently matched patterns present in DigiCert’s certificate files. The exact cause remains under investigation, but initial reports point to a pattern-matching error in the Trojan:Win32/Cerdigent.A!dha definition.

Impact on Users and Systems

The consequences of this false positive were not trivial. Users who allowed Defender to act on the alert experienced disruptions across multiple applications and services. Common issues included:

  • Broken HTTPS connections – Websites failed to load due to missing or invalid root certificates.
  • Software installation errors – Programs signed with affected certificates were blocked or flagged as untrusted.
  • System update failures – Windows Update and other update mechanisms could not verify server identities.
  • Application crashes – Some enterprise tools relying on certificate chains stopped functioning entirely.

Because root certificates live in the operating system's certificate store and are managed by the OS, restoring them after removal required administrative intervention. IT administrators, in particular, faced significant operational overhead as they scrambled to remediate affected machines.

DigiCert’s Response

DigiCert, one of the world’s largest Certificate Authorities (CAs), quickly acknowledged the incident. The company issued a public statement confirming that none of its certificates were malicious and that the detection was a false positive. DigiCert advised affected users to report the misidentification to Microsoft and provided guidance on manually reimporting their certificates from trusted backups or via the Windows Certificate Manager tool (certlm.msc).

Microsoft’s Response

Microsoft responded by releasing an emergency signature update to correct the erroneous detection. The update, pushed through Windows Update, replaced the faulty definition with a refined one that no longer flagged DigiCert’s certificates. However, users who had already lost certificates had to take additional steps to restore them. Microsoft also recommended that organizations use Group Policy to push certificate restoration scripts and advised individuals to run the System File Checker (sfc /scannow) to repair any trust store corruption.

Preventing Future False Positives

This incident highlights the inherent challenge in balancing security with usability. Security software must constantly evolve to catch new threats, but aggressive detection can lead to false positives that disrupt legitimate services. To minimize risks, both users and vendors can take proactive measures:

  • Maintain certificate backups – Export root certificates from a healthy machine and store them securely.
  • Use controlled rollouts – IT administrators should test signature updates in a sandbox before deploying broadly.
  • Enable cloud-delivered protection – Microsoft Defender’s cloud-block-level timeout can quickly revert faulty detections if an error is reported.
  • Monitor security forums – Following platforms like the Microsoft Security Response Center (MSRC) blog can provide early warnings of known issues.

Step-by-Step Resolution Guide for Affected Users

If you suspect your system was affected by this false positive, here are the recommended steps to restore full functionality:

  1. Update Microsoft Defender definitions – Open Windows Security > Virus & threat protection > Check for updates. Ensure you have the latest signature version from Microsoft.
  2. Restore quarantined certificates – Go to Protection history, locate the false positive item (Trojan:Win32/Cerdigent.A!dha), and select Restore. Then add the certificate to the exclusions list to prevent re-detection.
  3. Reimport missing certificates – If certificates were deleted, open Certificates – Local Machine (certlm.msc). Navigate to Trusted Root Certification Authorities > Certificates. Right-click, choose All Tasks > Import, and browse to a trusted .cer or .crt file from your backup or from DigiCert’s official download page.
  4. Clear the Windows trust store cache – Run certutil -urlcache * delete in Command Prompt (Admin) to refresh the certificate validation cache.
  5. Reboot and verify – Restart your computer and test browsing to HTTPS websites like DigiCert’s own site to confirm trust is restored.
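The "maintain certificate backups" advice above and steps 1 to 3 of the resolution guide, as an added PowerShell example that is not from the article, Microsoft or DigiCert. It assumes an elevated session, a backup folder of C:\CertBackup (a placeholder path), and matches roots by subject name because the article lists no thumbprints.

```powershell
# Added example (not from the article, Microsoft or DigiCert). Run elevated.
#   Backup  : export every DigiCert root from a healthy machine's LocalMachine
#             Root store to .cer files in -BackupDir (the backup the article
#             recommends keeping).
#   Restore : update Defender definitions first (step 1), report any Cerdigent
#             detections still in Defender's history (step 2), then re-import
#             only the backed-up roots that are missing from the store (step 3).
param(
    [ValidateSet('Backup', 'Restore')] [string] $Mode = 'Restore',
    [string] $BackupDir = 'C:\CertBackup'   # assumed path; change to suit
)

$store = 'Cert:\LocalMachine\Root'

# The article names no thumbprints, so roots are selected by Subject name.
function Get-DigiCertRoots {
    Get-ChildItem $store | Where-Object { $_.Subject -like '*DigiCert*' }
}

switch ($Mode) {
    'Backup' {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        foreach ($cert in Get-DigiCertRoots) {
            # Thumbprint gives a unique file name; -Type CERT writes DER (.cer)
            $file = Join-Path $BackupDir "$($cert.Thumbprint).cer"
            Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
            Write-Host "Exported $($cert.Subject) -> $file"
        }
    }
    'Restore' {
        # Step 1: pull corrected signatures before touching the store, otherwise
        # a re-imported certificate may simply be detected again.
        Update-MpSignature
        # Step 2: show whether the false positive still appears in Defender's
        # threat history (use Protection history to restore quarantined items).
        Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' } |
            Select-Object ThreatName, SeverityID | Format-Table -AutoSize
        # Step 3: re-import only what is actually missing, keyed by thumbprint,
        # so roots that survived are not duplicated.
        $present = (Get-ChildItem $store).Thumbprint
        foreach ($file in Get-ChildItem $BackupDir -Filter '*.cer') {
            $thumb = $file.BaseName
            if ($present -contains $thumb) { continue }
            Import-Certificate -FilePath $file.FullName -CertStoreLocation $store | Out-Null
            Write-Host "Re-imported missing root $thumb"
        }
    }
}
```

Run it once with -Mode Backup on a known-good machine, then with -Mode Restore on an affected one; verify afterwards with the HTTPS test in step 5.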

Conclusion

The false positive detection of DigiCert root certificates by Microsoft Defender underscores the delicate nature of automated threat detection. While the issue was quickly acknowledged and a fix was issued, the incident served as a stark reminder for both security vendors and users to have fallback plans in place. For now, most Windows machines should be operating normally, but administrators should remain vigilant and ensure that critical certificates are backed up regularly. The collaboration between Microsoft and DigiCert resolved the immediate crisis, but the event will likely prompt improvements in how signature updates are validated before broad release.
