# Microsoft Defender's False Positive Alerts Strike DigiCert Root Certificates


A widespread detection issue in Microsoft Defender is causing legitimate DigiCert root certificates to be flagged as malware, disrupting systems and potentially undermining security operations across thousands of organizations worldwide. The antivirus engine is misidentifying DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, a detection that has prompted both Microsoft and DigiCert to issue guidance to affected users.


## The Threat


Microsoft Defender began alerting that DigiCert root certificates, which anchor TLS trust on the web and are distributed to Windows systems through the Microsoft Trusted Root Program, are malicious. In some cases the antivirus has gone further and quarantined or removed the legitimate certificates from affected machines, creating a cascading availability problem that interferes with normal operations rather than protecting them.


The affected detection pattern is broad, so numerous users and organizations received alerts simultaneously. This coordinated false-positive event has drawn immediate attention from security teams, system administrators, and enterprises that rely on DigiCert certificates for:

  • Secure web browsing and HTTPS connections
  • Email signing and verification (S/MIME certificates)
  • Code signing for software distribution
  • Enterprise authentication and encryption
  • API communications and service integrations

Organizations whose root certificates were removed have experienced connectivity issues, authentication failures, and broken TLS connections to legitimate services.


## Background and Context

### Understanding Certificate Authorities

DigiCert is one of the world's largest and most widely trusted Certificate Authorities (CAs), issuing the digital certificates that enable authenticated, encrypted communication across the internet. DigiCert serves enterprises, governments, and service providers with millions of active certificates in production environments.

Root certificates sit at the foundation of the public key infrastructure (PKI). When a CA's root certificate is in a Windows system's trusted root store, the operating system trusts every certificate that chains back to that root through the CA's intermediates. Remove the root and the whole chain beneath it stops validating: users get warnings or connection failures for perfectly legitimate encrypted connections.

DigiCert's certificates are ubiquitous in enterprise and consumer environments. The company issues certificates for:

  • Fortune 500 companies and government agencies
  • Payment processors and financial institutions
  • Healthcare providers and cloud infrastructure
  • Software vendors and content delivery networks

### Why This Is Unusual

Microsoft Defender false positives are not uncommon, but they rarely affect trusted root certificate authorities. Root CA certificates typically reach Windows through:

  • Microsoft's own Trusted Root Program, delivered by the automatic root update mechanism that fetches roots from Windows Update
  • Enterprise group policies and certificate repositories
  • Manual installation by system administrators for organizational trust

That Microsoft's own antivirus engine is flagging as malware a root CA that Microsoft itself distributes as trusted is a significant operational failure.


## Technical Details

### The Detection and Its Impact

The detection name Trojan:Win32/Cerdigent.A!dha has been read as a behavioral or heuristic alert rather than a hash or byte-pattern match against a known malware sample. If so, Microsoft's engine identified something in the certificate or its surrounding properties that matched a pattern associated with malicious activity. Neither Microsoft nor DigiCert has confirmed this reading, and the exact trigger remains undisclosed.

Key observations:

| Aspect | Details |
|--------|---------|
| Affected Component | DigiCert root certificates installed on Windows systems |
| Detection Name | Trojan:Win32/Cerdigent.A!dha |
| Detection Type | Unconfirmed; presumed behavioral/heuristic rather than a hash match |
| Impact | Alerts, certificate removal, connection failures |
| Affected Systems | Windows systems with Defender enabled and DigiCert roots installed |


### Why This Constitutes a False Positive

DigiCert's certificates are:

  • Publicly audited through annual WebTrust for CAs assessments against the CA/Browser Forum Baseline Requirements
  • Cryptographically sound, using standard public-key signature algorithms (RSA, ECDSA)
  • Installed through official channels (the Microsoft Trusted Root Program, official repositories)
  • Trusted by all major operating systems and browsers

The certificates themselves contain no executable code. A root certificate is a signed public key plus identity metadata, used to verify other certificates and bootstrap encrypted communication. No known threat actor uses legitimate CA root certificates as a distribution mechanism for malware. Malware does plant its own rogue root certificates to intercept TLS, which is a legitimate thing for an antivirus to watch for; the problem here is that the same alarm fired on a root that Microsoft itself distributes.

### Root Cause Uncertainty

Microsoft and DigiCert have not yet publicly disclosed the exact reason for the false positive. Possibilities include:

  • Detection logic error: a rule or heuristic pattern matched properties of a legitimate certificate
  • Signature database contamination: a corrupted or mistaken threat definition update
  • Overly aggressive behavior analysis: flagging normal PKI operations, such as certificate store updates, as suspicious
  • Update regression: a recent Defender update inadvertently changing how certificate store entries are classified

## Implications for Organizations

### Immediate Risks

1. Connectivity Disruption

Organizations with Defender set to automatically quarantine or remove detected threats may experience:

  • Broken HTTPS connections to legitimate services
  • Failed VPN authentication
  • Email delivery issues for S/MIME signed messages
  • Cloud service access problems

2. Security Operations Impact

Security teams face difficult decisions:

  • Whether, and how quickly, to re-establish trust in Defender's threat verdicts
  • How to triage alerts that may or may not be legitimate
  • How to absorb the operational overhead of the false positive

3. Certificate Chain Validation

With the root certificates removed, every intermediate and end-entity certificate that chains to them fails validation, so a single missing root turns into authentication failures across many otherwise unrelated services.


### Affected Services

Any service relying on DigiCert certificates is potentially impacted:

  • Web services using DigiCert TLS certificates
  • Email systems using DigiCert S/MIME certificates
  • Software distribution platforms using DigiCert code-signing certificates
  • Enterprise applications using DigiCert mutual TLS authentication

## Recommendations


### For System Administrators

Immediate Actions:

1. Verify the status: check whether your systems have received the false-positive alert

2. Review Defender detection history and quarantine: search for the Cerdigent.A detection to identify affected machines

3. Restore certificates if removed: re-import the DigiCert root certificates from a trusted source if they were quarantined or deleted

4. Check connectivity: test connections to critical services whose certificate chains end in a DigiCert root
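A single-host triage script covering the four steps above, added here as an example; it is not from the article, Microsoft, or DigiCert. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows with the Defender module (`Get-MpThreat`, `Get-MpThreatDetection`) available. The probe host `www.digicert.com` is an assumption, chosen because its chain is expected to end in a DigiCert root; substitute a service you actually depend on.

```powershell
# Added example: not from the article, Microsoft, or DigiCert.
# Assumes the Defender PowerShell module and a probe host whose chain is
# expected to terminate in a DigiCert root (both are assumptions).
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'   # detection name quoted in the article
$ProbeHost     = 'www.digicert.com'                # assumption: pick a service you depend on

# Steps 1-2: detection history on this host. Get-MpThreatDetection carries only the
# numeric ThreatID, so join it to Get-MpThreat to recover the human-readable name.
$nameById = @{}
Get-MpThreat | ForEach-Object { $nameById[[string]$_.ThreatID] = $_.ThreatName }
$hits = Get-MpThreatDetection |
    Where-Object { $nameById[[string]$_.ThreatID] -eq $DetectionName } |
    Select-Object InitialDetectionTime, RemediationTime, ActionSuccess,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
if ($hits) {
    "Defender recorded $(@($hits).Count) $DetectionName detection(s):"
    $hits | Format-Table -AutoSize | Out-String
} else {
    "No $DetectionName detection recorded on this host."
}

# Step 3: which self-signed DigiCert roots are still present, and in which store.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
$roots = foreach ($s in $stores) {
    Get-ChildItem -Path $s |
        Where-Object { $_.Subject -like '*DigiCert*' -and $_.Subject -eq $_.Issuer } |
        Select-Object @{ n = 'Store'; e = { $s } }, Thumbprint, NotAfter,
                      @{ n = 'Subject'; e = { ($_.Subject -split ', ')[0] } }
}
"DigiCert roots present: $(@($roots).Count)"
$roots | Sort-Object Store, Subject | Format-Table -AutoSize | Out-String

# Step 4: do a real TLS handshake and record what the chain engine says, rather than
# just "failed". A missing root shows up as UntrustedRoot or PartialChain.
function Test-TlsChain {
    param([string]$HostName, [int]$Port = 443)
    $r = [ordered]@{ Host = $HostName; Handshake = $false; PolicyErrors = $null
                     ChainStatus = @(); RootSubject = $null; Error = $null }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # GetNewClosure keeps $r (a reference to the ordered table) reachable from the delegate.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]({
            param($sender, $cert, $chain, $policyErrors)
            $r.PolicyErrors = $policyErrors.ToString()
            $r.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $r.RootSubject  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            return $true   # accept so the handshake completes; we are diagnosing, not trusting
        }.GetNewClosure())
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $r.Handshake = $true
        $ssl.Dispose()
    } catch { $r.Error = $_.Exception.Message }
    finally { $tcp.Dispose() }
    [pscustomobject]$r
}
Test-TlsChain -HostName $ProbeHost | Format-List
```

One caveat when reading the handshake result: Windows' automatic root update can fetch a missing root on demand while building the chain, so a clean `PolicyErrors = None` does not by itself prove the store is intact; cross-check against the inventory. On hardened or air-gapped builds where automatic root updates are disabled by policy, the `UntrustedRoot` or `PartialChain` status is exactly the symptom users will be reporting.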


Configuration Changes:

  • If your organization has confirmed the detection is a false positive, consider temporarily telling Defender to allow this specific detection (a per-threat default action rather than a broad scan exclusion) so the roots are not removed again
  • Keep that override only until Microsoft releases corrected definitions, then remove it
  • Monitor Microsoft's and DigiCert's official channels for the corrected threat definition update
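Remediation for the configuration points above, added as an example rather than taken from the article, Microsoft, or DigiCert: it pulls a fresh copy of the Microsoft Trusted Root Program roots with `certutil -generateSSTFromWU`, re-adds any DigiCert roots missing from the machine store, and sets Defender's per-threat default action for this detection to Allow until corrected definitions arrive. It assumes an elevated session, outbound access to Windows Update for certutil, and the Defender module's `Add-MpPreference`/`Remove-MpPreference` threat-ID parameters on your build.

```powershell
#Requires -RunAsAdministrator
# Added example: not from the article, Microsoft, or DigiCert.
# Assumes outbound access to Windows Update (certutil fetches the root list from it)
# and the Defender PowerShell module.
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'   # from the article
$SstPath       = Join-Path $env:TEMP 'wu-roots.sst'

# 1. Fetch the current Trusted Root Program root set as a serialized certificate store.
#    This is the same source Windows itself uses, so these are the thumbprints to trust.
certutil.exe -generateSSTFromWU $SstPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -generateSSTFromWU failed with exit code $LASTEXITCODE" }

# 2. Keep only self-signed DigiCert roots from that set.
$coll = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$coll.Import($SstPath)
$wanted = @($coll | Where-Object { $_.Subject -like '*DigiCert*' -and $_.Subject -eq $_.Issuer })
if ($wanted.Count -eq 0) { throw 'No DigiCert roots in the downloaded store; aborting rather than guessing' }

# 3. Re-add whatever is missing from LocalMachine\Root. Only real restores are logged,
#    so the change record reflects what actually changed on the host.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present  = @($store.Certificates | ForEach-Object { $_.Thumbprint })
    $restored = foreach ($c in $wanted) {
        if ($present -notcontains $c.Thumbprint) { $store.Add($c); "$($c.Thumbprint) $($c.Subject)" }
    }
} finally { $store.Close() }
"Restored $(@($restored).Count) DigiCert root(s)"
$restored

# 4. Stop Defender from removing them again: override the default action for this one
#    threat ID with Allow. The numeric ID is only known on a host that has seen the
#    detection, so resolve it from the local threat list.
$threat = Get-MpThreat | Where-Object { $_.ThreatName -eq $DetectionName } | Select-Object -First 1
if ($threat) {
    Add-MpPreference -ThreatIDDefaultAction_Ids $threat.ThreatID -ThreatIDDefaultAction_Actions Allow
    "Default action for $DetectionName (ID $($threat.ThreatID)) is now Allow."
    "Revert once fixed definitions ship: Remove-MpPreference -ThreatIDDefaultAction_Ids $($threat.ThreatID)"
} else {
    "No $DetectionName entry on this host; no override applied."
}

# 5. Pull the latest definitions; once Microsoft's corrected update is in, revert step 4.
Update-MpSignature
```

The override is scoped to one threat ID on purpose so every other detection keeps its normal action. A path exclusion would not help here in any case: machine roots live in the registry-backed certificate store, not on a file path. On hosts where Defender settings are managed centrally (Intune or Group Policy, possibly with tamper protection), a local `Add-MpPreference` may be overwritten at the next policy refresh, so apply the same per-threat action from the management plane instead.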

### For Security Teams

1. Document the incident: log which systems were affected, how many alerts were generated, and what action Defender took on each

2. Assess impact: review authentication failures and connection issues that occurred during the false-positive window

3. Update detection baselines: adjust monitoring so a sudden fleet-wide spike of a single detection is surfaced as an anomaly in its own right rather than triaged one alert at a time

4. Strengthen CA validation processes: require additional verification before acting on threat detections that involve certificates from major CAs, since removing a root has fleet-wide blast radius
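For the "document the incident" step, a fleet-wide inventory built from the Defender operational event log, added here as an example (not from the article, Microsoft, or DigiCert). It assumes PowerShell remoting to the listed hosts; the computer names are placeholders, and the `Name:` / `Path:` / `Action:` line layout it parses is an assumption about how Defender events 1116 (threat detected), 1117 (action taken) and 1118 (action failed) render on your build.

```powershell
# Added example: not from the article, Microsoft, or DigiCert.
# Assumes WinRM/PowerShell remoting to the hosts below; the names are placeholders.
$Computers = 'ws01', 'ws02', 'srv-web01'           # assumption: feed this from your inventory
$Since     = (Get-Date).AddDays(-7)
$Pattern   = 'Cerdigent'                            # matches Trojan:Win32/Cerdigent.A!dha

$events = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ArgumentList $Since, $Pattern -ScriptBlock {
    param($Since, $Pattern)
    # Defender operational log: 1116 = threat detected, 1117 = action taken, 1118 = action failed.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117, 1118; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        ForEach-Object {
            # The rendered message is "Field: value" lines (assumed layout); keep the useful ones.
            $lines = $_.Message -split "`r?`n"
            $field = {
                param($name)
                ($lines | Where-Object { $_ -match "^\s*$name\s*:" }) -replace "^\s*$name\s*:\s*", '' |
                    Select-Object -First 1
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Threat   = & $field 'Name'
                Resource = & $field 'Path'
                Action   = & $field 'Action'
            }
        }
}

# Per-host roll-up: how many alerts, and whether Defender actually removed anything (1117).
$summary = $events | Group-Object Computer | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Computer   = $_.Name
        Alerts     = @($_.Group | Where-Object EventId -eq 1116).Count
        Remediated = @($_.Group | Where-Object EventId -eq 1117).Count
        Failed     = @($_.Group | Where-Object EventId -eq 1118).Count
        FirstSeen  = ($sorted | Select-Object -First 1).Time
        LastSeen   = ($sorted | Select-Object -Last 1).Time
    }
}
$summary | Sort-Object Computer | Format-Table -AutoSize
$events  | Export-Csv -Path .\cerdigent-fp-inventory.csv -NoTypeInformation
"Hosts that did not respond appear as errors above; treat them as unknown, not clean."
```

The CSV is the artifact to attach to the incident record: one row per event with the resource Defender acted on, which is what you need later to confirm that every removed root was actually restored. The same query, scoped to a short window and alerting when `Alerts` jumps across many hosts at once, is a reasonable baseline for the "spike of a single detection" anomaly in step 3.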


### For Organizations Using DigiCert Services

  • Contact DigiCert support: get official guidance on which root certificates are affected and the remediation steps
  • Verify your certificate portfolio: know which of your certificates chain to DigiCert roots and may be affected
  • Test critical services: confirm how your applications behave if the roots are removed, and that they recover once the roots are restored

## What's Next

Microsoft and DigiCert are actively coordinating on a fix. Users should expect:

  • A corrected threat definition update that removes the false-positive detection
  • Updated guidance from both companies
  • Possibly compensation or goodwill gestures for affected organizations

Until the fix is released, organizations must balance security against availability: a narrow, temporary Defender override for this specific detection, with every other protection left in place, is the pragmatic middle ground.

This incident is a reminder that security tools themselves require oversight and verification. A false positive from a trusted security vendor can pose greater operational risk than the threats the tool is designed to prevent.

---

*For ongoing cybersecurity news and threat intelligence, follow HackWire's coverage of certificate authority incidents, antivirus reliability, and enterprise security operations.*