VYPR
patch · Published May 3, 2026 · Updated May 17, 2026 · 1 source

Microsoft Defender False Positive Flags Legitimate DigiCert Certificates as Trojan

Microsoft Defender erroneously flagged legitimate DigiCert root certificates as malware, leading to widespread system alerts and the accidental removal of certificates from the Windows trust store.

Microsoft Defender recently triggered widespread false-positive alerts, incorrectly identifying legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha. The issue began on April 30th following a Microsoft Defender signature update, which caused the antivirus software to flag and, in some instances, automatically remove specific DigiCert certificates from the Windows trust store (BleepingComputer).

The affected certificates, identified by thumbprints 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4, were being purged from the HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\ registry key (BleepingComputer). This disruption caused significant alarm among administrators and users, with some resorting to full operating system reinstalls under the mistaken belief that their devices had been compromised by malware.

Microsoft attributed the false positives to an over-correction following a recent security incident at DigiCert. DigiCert disclosed that threat actors had compromised a support team member's device using a malicious ZIP file disguised as a screenshot. This access allowed attackers to leverage internal support tools to procure initialization codes for a limited number of code-signing certificates, which were subsequently used to sign malicious files (BleepingComputer).

In response to the breach, Microsoft Defender was updated to detect and block these compromised certificates. However, the logic used to identify the malicious activity was too broad, leading to the accidental flagging of legitimate root certificates. Microsoft has since corrected the detection logic in Security Intelligence update version 1.449.430.0 (BleepingComputer).

The vendor confirmed that the updated signatures not only suppress the false alerts but also automatically restore the certificates that were previously removed from affected systems. Microsoft has advised administrators to ensure their environments are updated to version 1.449.430.0 or later and to consult the service health dashboard in the M365 admin center for further details (BleepingComputer).

This incident highlights the delicate balance between rapid threat response and system stability. While the swift revocation of compromised certificates is essential for maintaining the integrity of the code-signing ecosystem, the resulting false positives underscore the risks of automated remediation in critical system components. Organizations should monitor their security dashboards for similar automated actions and verify the legitimacy of flagged certificates before taking manual corrective measures.
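A defender-side check for the state described above, added here as an example rather than code from the article or from Microsoft: it compares the installed Defender signature version against 1.449.430.0, confirms whether the two named thumbprints still exist under the AuthRoot registry key, and counts Defender threat records carrying the Cerdigent name. The cmdlets are from the built-in Defender module; the function name and verdict strings are my own.

```powershell
# Thumbprints and fixed signature version as reported in the article.
$ExpectedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$FixedVersion = [version]'1.449.430.0'
# Registry-backed AuthRoot store named in the article; each root is a subkey keyed by thumbprint.
$AuthRootKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

function Test-DefenderCerdigentState {
    # Hypothetical helper name; returns one report object for dashboards or scripting.
    $status     = Get-MpComputerStatus
    $sigVersion = [version]$status.AntivirusSignatureVersion
    $sigIsFixed = $sigVersion -ge $FixedVersion

    # A missing subkey is only suggestive: AuthRoot is populated on demand by the
    # Windows root update mechanism, so absence alone does not prove a purge occurred.
    $missing = @($ExpectedThumbprints | Where-Object {
        -not (Test-Path -Path (Join-Path -Path $AuthRootKey -ChildPath $_))
    })

    # Historical Defender threat records with the false-positive family name.
    $cerdigent = @(Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like '*Cerdigent*' })

    $verdict = if (-not $sigIsFixed) {
        'Signatures predate the fix; update Defender before any manual remediation'
    } elseif ($missing.Count -gt 0) {
        'Fixed signatures present but named roots not found; confirm restoration per vendor guidance'
    } else {
        'Signatures current and both named roots present'
    }

    [pscustomobject]@{
        SignatureVersion    = $sigVersion.ToString()
        SignatureIsFixed    = $sigIsFixed
        MissingThumbprints  = $missing
        CerdigentDetections = $cerdigent.Count
        Verdict             = $verdict
    }
}

Test-DefenderCerdigentState | Format-List
```

Run from an elevated session on the endpoint being checked; a non-empty MissingThumbprints together with a pre-fix SignatureVersion matches the failure mode the article describes.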

Synthesized by Vypr AI