
Microsoft Defender False Positive: Legitimate DigiCert Certificates Flagged as Trojan Threat

2026-05-04 23:28:41

Urgent: Widespread False Alerts Disrupt Windows Security

Microsoft Defender is falsely identifying legitimate DigiCert root certificates as the Trojan:Win32/Cerdigent.A!dha malware, triggering erroneous alerts and, in some cases, deleting certificates from Windows systems. The false positive is impacting users globally, causing disruption to trusted communications and security operations.

Microsoft Defender False Positive: Legitimate DigiCert Certificates Flagged as Trojan Threat
Source: www.bleepingcomputer.com

Security researchers confirmed the detection error on Tuesday, warning that the automated removal of root certificates can break HTTPS connections and software validation. “This is a critical misclassification that undermines user confidence,” said Dr. Linda Tran, cybersecurity analyst at VulnGuard. “Root certificates are foundational to trust—removing them can effectively cripple secure internet traffic.”

Background: The Role of Root Certificates

DigiCert is a widely trusted certificate authority (CA). Its root certificates anchor the certificate chains used to verify the identity of websites and signed software. Windows includes these certificates in its Trusted Root Store to enable secure HTTPS browsing and code signing.

Microsoft Defender’s heuristic detection mechanism mistakenly flagged these certificates as a Trojan variant, likely due to a signature update error. Users reported seeing the alert “Trojan:Win32/Cerdigent.A!dha” accompanied by a recommendation to remove the file, with some systems automatically executing the removal.

Microsoft has not yet issued an official statement, but internal sources indicate the company is investigating the incident. “We are aware of reports and are working to deploy a corrected detection definition,” a Microsoft spokesperson said in an off-the-record briefing.

What This Means: Immediate Risks and Recovery

For affected users, the false-positive alert poses two significant threats: disruptions to secure web browsing and loss of certificate-based authentication. Businesses relying on DigiCert certificates for internal applications may experience service outages.

If the certificates have already been removed, experts recommend manually reinstalling them from DigiCert’s official site or via Windows Update restore. Do not open any suspicious files detected as Cerdigent—only the legitimate certificate files should be restored.

Microsoft Defender users can temporarily disable real-time protection to prevent further removals, but this is not a long-term solution. “Until Microsoft pushes a clean definition update, users should monitor logs and restrict automatic actions,” advised Tran.

How to Verify and Protect

To check if your system is affected:

System administrators should deploy group policies to prevent automatic removal actions while awaiting an update. Microsoft is expected to release a corrected signature within 24 hours.
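
One way to check a single machine for the condition this article describes, as an added example (not taken from the article, Microsoft or DigiCert): it reads the Defender operational log for events mentioning the threat name and lists the DigiCert certificates still present in the machine trust stores. The variable names and the thumbprint placeholder are assumptions; fill the placeholder from DigiCert's own published list.

```powershell
# Added example: read-only triage; nothing here changes Defender or the cert stores.
$ThreatPattern = 'Cerdigent'   # substring of the threat name quoted in the article
# Assumption: fill with DigiCert root thumbprints taken from DigiCert's own site.
$ExpectedThumbprints = @('<DIGICERT-ROOT-THUMBPRINT-PLACEHOLDER>')

# Defender operational log: 1116 = detection, 1117 = action taken on a detection.
$hits = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ThreatPattern } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Kind'; Expression = { if ($_.Id -eq 1117) { 'ActionTaken' } else { 'Detected' } } })

# DigiCert certificates currently present in the machine-wide trust stores.
$present = @(foreach ($store in 'Root', 'AuthRoot') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match 'DigiCert' } |
        Select-Object @{ Name = 'Store'; Expression = { $store } }, Thumbprint, NotAfter, Subject
})

# Expected roots that are not in either store. Windows can fetch trusted roots on
# demand, so a missing entry is a lead to check against the events above, not proof.
$missing = @($ExpectedThumbprints |
    Where-Object { $_ -notmatch 'PLACEHOLDER' -and $_ -notin $present.Thumbprint })

"Defender events mentioning '$ThreatPattern': $($hits.Count)"
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
"DigiCert certificates in LocalMachine Root/AuthRoot: $($present.Count)"
$present | Sort-Object Thumbprint -Unique | Format-Table -AutoSize
if ($missing.Count) { "Expected but absent: $($missing -join ', ')" }
if (($hits | Where-Object Kind -eq 'ActionTaken') -and $missing.Count) {
    'Defender acted on this detection and expected roots are absent: restore them.'
}
```

Run it from an elevated PowerShell session so the Defender log is readable.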

DigiCert has posted a brief advisory acknowledging the issue and recommending users verify the authenticity of any certificate-related alerts. “We are in contact with Microsoft and will update partners as the situation evolves,” the advisory states.

Stay tuned for updates. For more context, see the Background section and What This Means analysis.
