Microsoft Defender False Positive Flags DigiCert Root Certificates

Overview

A faulty Microsoft Defender antimalware signature update released around April 30, 2026, mistakenly flagged two legitimate DigiCert root certificates as malware. The detection, labeled Trojan:Win32/Cerdigent.A!dha, quarantined critical registry entries, disrupting SSL/TLS validation and code‑signing operations across enterprise environments.

What Happened

  • Certificates Affected:
    • DigiCert Assured ID Root CA (thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43)
    • DigiCert Trusted Root G4 (thumbprint: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4)
  • Location: Windows trust store (HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates).
  • Impact: Defender quarantined the entries, removing them from the trust store.
  • Risk: SSL/TLS connections failed, browsers displayed warnings, and code‑signing verification broke for legitimate software.

Downstream Risks

  • Enterprise Disruption: HTTPS endpoints and DigiCert‑signed software were especially exposed.
  • Operational Harm: Automated remediation caused cascading failures across networks.
  • Community Response: Researcher Florian Roth (@cyb3rops) flagged the issue, sharing hunting queries and certutil checks to verify certificate presence.

Microsoft’s Response

  • Acknowledgment: Microsoft confirmed the false positive.
  • Fix: Corrective definition updates (version .430) began restoring quarantined certificates.
  • Silent Remediation: Restoration appeared automatic across managed endpoints.
  • Admin Guidance:
    • Run certutil -store AuthRoot | findstr -i "digicert" to verify.
    • Use Advanced Hunting queries in Defender for Endpoint to confirm restoration.
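The following PowerShell check is an added example, not code from the article, from Florian Roth, or from Microsoft: it verifies that the two DigiCert roots named above are present both in the machine AuthRoot certificate store and under the registry key the article says Defender quarantined, using the thumbprints given in the article. The function name Test-DigiCertRoots is my own.

```powershell
# Added example (not from the original article or Microsoft): checks the two
# DigiCert roots named in the article in both the certificate-provider view
# and the registry view of the machine AuthRoot store.
$expected = @{
    'DigiCert Assured ID Root CA' = '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43'
    'DigiCert Trusted Root G4'    = 'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
}
# Registry path from the article; each root is a subkey named by its SHA-1 thumbprint.
$regBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

function Test-DigiCertRoots {
    # Function name is this example's own, not an article or Microsoft identifier.
    $results = foreach ($name in $expected.Keys) {
        $thumb = $expected[$name]
        # Cert:\LocalMachine\AuthRoot is the certificate provider's view of the same store.
        $inStore = Test-Path -LiteralPath ("Cert:\LocalMachine\AuthRoot\" + $thumb)
        # Quarantine removes the registry subkey, so check it directly as well.
        $inReg = Test-Path -LiteralPath (Join-Path $regBase $thumb)
        [pscustomobject]@{
            Certificate = $name
            Thumbprint  = $thumb
            InCertStore = $inStore
            InRegistry  = $inReg
            Status      = if ($inStore -and $inReg) { 'Present' } else { 'MISSING' }
        }
    }
    return $results
}

$report = Test-DigiCertRoots
$report | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or compliance script surface the gap.
if ($report.Status -contains 'MISSING') { exit 1 } else { exit 0 }
```

Absence from AuthRoot can also mean Windows has not yet fetched that root through automatic root update, so correlate a MISSING result with Defender quarantine events before treating it as a false-positive hit.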

Final Thought

This incident highlights the double‑edged nature of automated threat remediation. While quarantining certificate‑store entries is a valid defense against malware tampering, false positives at this level can cripple enterprise infrastructure. The lesson is clear: signature quality control must be rigorous, especially when detections target foundational components like root certificate trust stores.
