Microsoft Defender Triggering False Positives on DigiCert Root Certificates
A significant false-positive incident is affecting Microsoft Defender installations worldwide, with the antivirus engine incorrectly identifying legitimate DigiCert root certificates as malware. Affected systems are generating alerts under the detection name Trojan:Win32/Cerdigent.A!dha — and in some cases, Defender is actively removing the certificates from Windows certificate stores.
The erroneous detections are causing disruption across enterprise environments, as DigiCert is one of the world's largest and most trusted certificate authorities, with root certificates pre-installed in virtually every Windows system.
What Is Being Flagged?
| Detection Name | Actual File | Actual Risk |
|---|---|---|
| Trojan:Win32/Cerdigent.A!dha | DigiCert root CA certificates | None — legitimate certificates |
DigiCert root certificates are foundational to TLS/SSL trust on Windows. They are used to verify the authenticity of thousands of websites, VPNs, code-signing authorities, and enterprise applications. Incorrectly flagging or removing these certificates can break HTTPS connections, prevent software updates, cause code-signing validation failures, and disrupt enterprise authentication workflows.
Observed Impact
Reports from affected organizations and IT administrators indicate:
- Widespread Defender alerts firing on certificate files that have been trusted for years
- Quarantine actions in some deployments removing DigiCert root certificates from the Windows certificate store
- TLS connection failures on systems where Defender quarantined the certificates
- Code-signing verification errors for software signed with DigiCert-issued certificates
- Enterprise VPN disruptions where Defender removed CA certificates relied upon by corporate authentication systems
The severity of impact scales with how aggressively Defender is configured — endpoints set to auto-remediate detections without prompting are at higher risk of having certificates removed automatically.
Root Cause
The false positive appears to stem from a faulty antivirus signature update pushed to Microsoft Defender's threat intelligence engine. The detection rule Trojan:Win32/Cerdigent.A!dha appears to have been crafted or updated so that it matches byte patterns present in legitimate DigiCert certificate files rather than actual malware.
This type of incident is not unprecedented in the antivirus industry. Past notable false-positive events include:
- CrowdStrike's 2024 global outage caused by a faulty content configuration update
- McAfee's 2010 false positive that caused widespread Windows XP system crashes
- Symantec's 2012 false positive that quarantined critical Google Chrome components
Immediate Workarounds
While Microsoft works on a signature update fix, affected administrators can take the following steps:
Check If Certificates Were Quarantined
# List Defender threat-history entries for the Cerdigent detection
Get-MpThreat | Where-Object {$_.ThreatName -like "*Cerdigent*"}
# Check the machine root store for DigiCert roots (a self-signed root has the same DigiCert name as issuer and subject)
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Issuer -like "*DigiCert*"}
Restore Quarantined Items
If legitimate DigiCert certificates were quarantined, restore them:
# Enumerate current detection records via PowerShell (requires elevation);
# $threats holds one record per actioned item, including the affected resource path
$threats = Get-MpThreatDetection
# Review and restore items via Windows Security > Protection History
# Alternative: re-import the DigiCert root from a trusted source (file name shown is an example)
certutil -addstore Root DigiCertGlobalRootCA.crt
Add Certificate Path Exclusion (Temporary)
# Temporarily exclude the Windows certificate store directory
Add-MpPreference -ExclusionPath "C:\Windows\System32\CatRoot"
# Note: remove this exclusion (Remove-MpPreference -ExclusionPath) once Microsoft releases the corrected signature
Verify Certificate Chain Integrity
After any certificate-related incident, verify that your certificate chains remain intact:
# Confirm TCP reachability of a DigiCert-secured endpoint (this does not validate the certificate)
Test-NetConnection -ComputerName digicert.com -Port 443
# Verify certificate validation: the request fails if the chain no longer builds to a trusted root
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
Invoke-WebRequest https://www.digicert.com -UseBasicParsing | Select-Object StatusCode
Microsoft's Response
Microsoft is aware of the issue and is expected to push a corrected signature definition update through Windows Update and Defender's automatic update mechanism. Organizations are advised to:
- Monitor Microsoft Security Intelligence release notes for a corrected definition
- Hold off on deploying the flagged Defender update in staging environments if your organization uses controlled signature rollouts
- Whitelist the specific DigiCert certificate thumbprints in Defender policy as a temporary measure for critical systems
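The script below is an added example, not code from the original article or from Microsoft or DigiCert. It gathers the DigiCert root thumbprints the last bullet refers to and performs a more thorough version of the chain check from the workaround section: for each endpoint it fetches the server's leaf certificate, builds the chain with X509Chain against the local stores, and reports which root anchored the chain and whether that root is still present in LocalMachine\Root. The endpoint list and the function name are assumptions.

```powershell
# Added example (not from the original article): inventory DigiCert roots and
# verify that live TLS chains still anchor to a root present in the machine store.
# The endpoint list is an assumption; replace it with hosts your estate depends on.
$Endpoints = @('www.digicert.com', 'login.microsoftonline.com')

# Thumbprints an administrator would need for any allow-listing step
$DigiCertRoots = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DigiCert*' })
"DigiCert roots present in LocalMachine\Root: $($DigiCertRoots.Count)"
$DigiCertRoots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

function Test-TlsChainAnchor {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $result = [ordered]@{
        Host = $HostName; ChainBuilds = $false; RootSubject = $null
        RootThumbprint = $null; RootInMachineStore = $false; Detail = ''
    }
    try {
        # Fetch the server's leaf certificate. The callback accepts any certificate
        # here only because the chain is evaluated explicitly below.
        $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose(); $client.Dispose()

        # Build the chain against the local certificate stores, as Windows would
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust anchoring is the question here, not revocation
        $result.ChainBuilds = $chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootSubject = $root.Subject
        $result.RootThumbprint = $root.Thumbprint
        $result.RootInMachineStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
        $result.Detail = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    } catch {
        # Connection or handshake failure is itself a finding; keep the message for the report
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-TlsChainAnchor -HostName $_ } | Format-Table -AutoSize
```

A row with ChainBuilds false, or a Detail value such as UntrustedRoot or PartialChain, indicates the endpoint's chain no longer anchors to a trusted root on this machine. One caveat: Windows' automatic root update can re-fetch a missing root during chain building, so RootInMachineStore is read after Build and may show the root as present again even though it had been removed earlier.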
Broader PKI and Certificate Security Context
This incident highlights the critical role that certificate authority infrastructure plays in modern security and the cascading failures that can result from disrupting trust chains. For security teams:
- Certificate monitoring should be part of any mature security operations practice
- Certificate inventory tools (e.g., Venafi, DigiCert Certificate Manager) can detect unexpected removals
- PKI health dashboards should alert on certificate store changes across the fleet
- Defender signature staging — testing new definitions before fleet-wide deployment — can catch false positives before they reach production
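The script below is an added example, not code from the original article or from any vendor named on the page. It shows the certificate-store change detection the list describes in its simplest form: record a baseline of the DigiCert roots trusted by a machine, then compare later runs against it and report removed or added roots, correlating removals with Defender's threat history so a Cerdigent-driven removal can be told apart from an administrative change. The script name, the baseline path and the JSON layout are assumptions.

```powershell
# Added example (not from the original article): record a baseline of the DigiCert
# roots trusted by this machine and, on later runs, report any root that has been
# removed or added, correlating removals with Defender's threat history.
# Usage:  .\Watch-DigiCertRoots.ps1 -Mode Baseline   (once, on a known-good system)
#         .\Watch-DigiCertRoots.ps1 -Mode Check      (scheduled; exit code 1 on removal)
# The script name and baseline path are assumptions.
param(
    [ValidateSet('Baseline', 'Check')][string]$Mode = 'Check',
    [string]$BaselinePath = 'C:\ProgramData\PkiBaseline\digicert-roots.json'
)

function Get-DigiCertRootSnapshot {
    # Self-signed DigiCert roots carry the DigiCert name in the subject
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*DigiCert*' } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter.ToString('o')
            }
        }
}

function Save-DigiCertBaseline {
    param([string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $snapshot = @(Get-DigiCertRootSnapshot)
    # -InputObject keeps a single-element snapshot serialised as a JSON array
    ConvertTo-Json -InputObject $snapshot -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    "Baseline written: $($snapshot.Count) DigiCert roots -> $Path"
}

function Compare-DigiCertRoots {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "No baseline at $Path; run with -Mode Baseline first" }
    # Key both sets by thumbprint so the comparison is order-independent and
    # well-defined even when one side is empty
    $baseMap = @{}
    foreach ($c in @(Get-Content -Raw $Path | ConvertFrom-Json)) { if ($c) { $baseMap[$c.Thumbprint] = $c } }
    $curMap = @{}
    foreach ($c in @(Get-DigiCertRootSnapshot)) { if ($c) { $curMap[$c.Thumbprint] = $c } }

    $removed = @($baseMap.Keys | Where-Object { -not $curMap.ContainsKey($_) } | ForEach-Object { $baseMap[$_] })
    $added   = @($curMap.Keys  | Where-Object { -not $baseMap.ContainsKey($_) } | ForEach-Object { $curMap[$_] })

    # A removal that coincides with a Cerdigent detection points at the false
    # positive rather than at a deliberate change to the store
    $defenderHits = @(Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like '*Cerdigent*' })

    [pscustomobject]@{
        Checked             = (Get-Date).ToString('o')
        BaselineCount       = $baseMap.Count
        CurrentCount        = $curMap.Count
        Removed             = $removed
        Added               = $added
        CerdigentDetections = $defenderHits.Count
    }
}

if ($Mode -eq 'Baseline') {
    Save-DigiCertBaseline -Path $BaselinePath
} else {
    $report = Compare-DigiCertRoots -Path $BaselinePath
    # Emit JSON so a SIEM or fleet-management agent can ingest the report unchanged
    $report | ConvertTo-Json -Depth 4
    if ($report.Removed.Count -gt 0) { exit 1 }
}
```

Run it once in Baseline mode on a known-good build, then schedule Check mode; a non-zero exit code with a non-empty Removed list is the condition a PKI health dashboard would alert on, and a CerdigentDetections count above zero on the same host ties the removal to this incident.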
The incident also serves as a reminder that antivirus and EDR tools, while essential, are not infallible and require operational discipline around update management and false-positive handling procedures.