
Around April 30, 2026, Microsoft Defender released a security intelligence update that introduced a detection labeled Trojan:Win32/Cerdigent.A!dha.
This detection mistakenly identified two legitimate DigiCert root certificates as malicious:
- DigiCert Assured ID Root CA
- DigiCert Trusted Root G4
These certificates are critical components of the global trust infrastructure and are stored in the Windows registry under:
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Because of the false detection, Microsoft Defender automatically quarantined these registry entries, treating them as high-severity threats.
Impact on Enterprise Systems
The removal of these root certificates created significant operational risks. Root certificates are essential for verifying secure communications and trusted software.
Without them:
- SSL/TLS connections could fail, causing websites to appear untrusted
- Browsers might display security warnings
- Digitally signed applications could fail validation
- Enterprise services relying on HTTPS could break
Organizations using DigiCert-signed certificates or software were particularly affected, as systems could no longer verify authenticity.

Cybersecurity researcher Florian Roth was among the first to highlight the issue publicly. He shared detection queries and validation steps to help administrators assess affected systems.
One method involved using Microsoft Defender Advanced Hunting logs to check registry activity:
| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc
Another quick verification step was running:
certutil -store AuthRoot | findstr -i "digicert"
This command allowed administrators to confirm whether the DigiCert certificates were still present in the system’s trust store.
Reports quickly flooded Microsoft forums, with administrators confirming that the certificate thumbprints matched official DigiCert values, proving there was no actual compromise.
Microsoft acknowledged the issue and responded by releasing corrected security intelligence updates. Version 1.430 was identified as a key update that resolved the false detection.
In many environments, the fix automatically restored the quarantined certificates. This suggests Microsoft deployed a silent remediation mechanism alongside the updated signatures.
However, in restricted or manually managed environments, administrators were advised to:
- Verify certificate restoration using certutil
- Review Microsoft Defender logs for registry changes
- Ensure systems received the latest security intelligence updates
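The three checks above can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on a Windows host with the Defender module available, and the two thumbprint values are placeholders to be replaced with DigiCert's published values before the comparison means anything.

```powershell
# Added example: confirm the two DigiCert roots named in the article are back in the
# machine AuthRoot store, that their registry entries exist, and that Defender is on a
# signature version past the one that introduced the false positive.
# Run from an elevated PowerShell session.

# Placeholders (not DigiCert's real thumbprints): fill these in from DigiCert's
# published root certificate details. Until then ThumbprintMatches stays False.
$expectedRoots = @{
    'DigiCert Assured ID Root CA' = 'THUMBPRINT_PLACEHOLDER_ASSURED_ID_ROOT_CA'
    'DigiCert Trusted Root G4'    = 'THUMBPRINT_PLACEHOLDER_TRUSTED_ROOT_G4'
}

# Registry location the article names; Defender quarantined keys under this path.
$regBase  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$authRoot = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot

$results = foreach ($name in $expectedRoots.Keys) {
    $cert = $authRoot |
        Where-Object { $_.Subject -like "CN=$name,*" } |
        Select-Object -First 1
    $regPresent = if ($cert) { Test-Path (Join-Path $regBase $cert.Thumbprint) } else { $false }
    [pscustomobject]@{
        Certificate       = $name
        InStore           = [bool]$cert
        Thumbprint        = if ($cert) { $cert.Thumbprint } else { $null }
        ThumbprintMatches = if ($cert) { $cert.Thumbprint -eq $expectedRoots[$name] } else { $false }
        RegistryKeyExists = $regPresent
    }
}
$results | Format-Table -AutoSize

# Current security intelligence version (compare against the fixed release noted above).
$status = Get-MpComputerStatus
"Antivirus signature version: {0} (updated {1})" -f `
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated

# Any record of the false-positive detection name on this host? Empty output means none.
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Cerdigent*' } |
    Select-Object ThreatName, IsActive, Resources |
    Format-List
```

A host where InStore or RegistryKeyExists is False after the corrected signatures have been applied is one where the silent remediation did not complete and the roots need to be restored manually.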
Lessons from the Incident
This incident highlights the risks associated with automated threat detection and remediation. While such systems are designed to protect against attacks such as malware tampering with certificate stores, they can also introduce disruption when errors occur.
The false positive involving DigiCert certificates underscores the importance of rigorous testing for security updates, especially when detections involve critical system components like the Windows root trust store.
It also serves as a reminder for organizations to maintain visibility into endpoint security actions and to validate unexpected changes, even when they originate from trusted security tools.
The post Microsoft Defender Incorrectly Detects DigiCert Root Certificates as Malware appeared first on Cyber Security News.
