Microsoft Defender Flags DigiCert Certificates as Malware  | eSecurity Planet


A Microsoft Defender update misclassified DigiCert certificates, disrupting trust before a fix was issued.

Written By
Ken Underhill
May 4, 2026
2 minute read

A recent Microsoft Defender update incorrectly flagged legitimate DigiCert root certificates as malware, triggering widespread alerts. 

In some cases, it also removed trusted certificates from Windows systems, causing disruption. 

“Earlier today we determined false positive alerts were mistakenly triggered and updated the alert logic,” Microsoft said, as reported by BleepingComputer.  

Inside the DigiCert False Positive Incident 

The issue began following a Microsoft Defender signature update released on Apr. 30, which introduced detections for Trojan:Win32/Cerdigent.A!dha.

Soon after, administrators reported legitimate DigiCert root certificates being flagged as malicious and removed from the Windows trust store. 

On affected systems, this included deletions from the AuthRoot store, the third-party root store that Windows populates through the Microsoft Trusted Root Program, disrupting trust relationships and raising concerns about system integrity.

The unexpected alerts caused confusion among users and IT teams, as certificate-based detections are often associated with serious compromises. 

As a result, some organizations treated the alerts as active infections, leading to unnecessary and disruptive actions such as full system rebuilds. 

Relation to DigiCert Incident

Microsoft later clarified the detections were introduced in response to a DigiCert security incident involving compromised code-signing certificates. 

DigiCert revoked 60 certificates as part of its response, including several tied to the Zhong Stealer campaign.

To quickly protect customers, Defender added the detection logic targeting potentially malicious certificates; however, the logic proved overly broad, causing legitimate DigiCert root certificates to be incorrectly flagged as threats. 

Microsoft has since corrected the detection logic in a subsequent Defender definition update.

Reducing Risk from Certificate Failures 

Minimize impact from certificate-related incidents by improving validation, monitoring, and response processes.   

  • Update Microsoft Defender definitions to the corrected version, confirm that removed root certificates have been restored, and stage definition updates on a test ring before broad deployment.
  • Verify certificate stores against a known-good baseline of thumbprints and keep secure backups of the certificates themselves for fast recovery.
  • Monitor endpoints and logs for unexpected certificate changes, trust store modifications, and anomalous behavior.
  • Centralize certificate management using Group Policy or MDM to ensure consistency and enable quick remediation.
  • Correlate alerts across multiple security tools, and confirm the detection against vendor advisories, before taking disruptive action such as rebuilding a system on a false positive.
  • Test incident response plans and use attack simulation tools with scenarios around certificate compromise.
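The following PowerShell is an added example written for this article; it is not Microsoft or DigiCert tooling and did not appear in the original piece. It implements the baseline, drift-check and recovery steps above for the two machine root stores the incident touched (Root and AuthRoot), and pulls the Defender detections and signature version so responders can tell the known false positive from anything else. The store paths and Defender cmdlets are standard; the file locations under C:\Baseline and the detection-name pattern are assumptions.

```powershell
# Added example for this article (not Microsoft or DigiCert tooling):
# baseline the two machine root stores the incident touched, detect drift,
# re-import roots that went missing, and pull the Defender detections that
# triggered. Store paths and cmdlets are standard Windows/Defender ones;
# the file locations and the detection-name pattern are assumptions.
# Run from an elevated PowerShell 5.1+ prompt.

$RootStores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')

function Export-RootStoreBaseline {
    # Record thumbprint/subject/expiry for every root and keep a DER copy of
    # each, so a root removed later can be restored without trusting the network.
    param(
        [string]$BaselinePath  = 'C:\Baseline\roots.json',  # assumed location
        [string]$CertBackupDir = 'C:\Baseline\certs'        # assumed location
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    New-Item -ItemType Directory -Force -Path $CertBackupDir | Out-Null
    $entries = foreach ($store in $RootStores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $file = Join-Path $CertBackupDir "$($cert.Thumbprint).cer"
            Export-Certificate -Cert $cert -FilePath $file -Force | Out-Null
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter.ToString('o')
            }
        }
    }
    ConvertTo-Json -InputObject @($entries) -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    return @($entries).Count
}

function Compare-RootStoreBaseline {
    # Roots that vanished (what the bad signature did) and roots that appeared
    # (what an attacker planting a rogue root does). Both directions matter.
    param([string]$BaselinePath = 'C:\Baseline\roots.json')
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(foreach ($store in $RootStores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{ Store = $store; Thumbprint = $_.Thumbprint; Subject = $_.Subject }
        }
    })
    $baseKeys = @($baseline | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" })
    $curKeys  = @($current  | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" })
    [pscustomobject]@{
        Missing = @($baseline | Where-Object { $curKeys  -notcontains "$($_.Store)|$($_.Thumbprint)" })
        Added   = @($current  | Where-Object { $baseKeys -notcontains "$($_.Store)|$($_.Thumbprint)" })
    }
}

function Restore-MissingRoots {
    # Re-import missing roots from the DER copies taken at baseline time.
    # Only do this after confirming the certificate is legitimate and its
    # removal was the false positive, not a deliberate revocation.
    param(
        [string]$BaselinePath  = 'C:\Baseline\roots.json',
        [string]$CertBackupDir = 'C:\Baseline\certs'
    )
    $drift = Compare-RootStoreBaseline -BaselinePath $BaselinePath
    foreach ($m in $drift.Missing) {
        $file = Join-Path $CertBackupDir "$($m.Thumbprint).cer"
        if (-not (Test-Path $file)) { Write-Warning "No backup for $($m.Thumbprint)"; continue }
        Import-Certificate -FilePath $file -CertStoreLocation $m.Store | Out-Null
        Write-Output "Restored $($m.Subject) [$($m.Thumbprint)] to $($m.Store)"
    }
}

function Get-DefenderCertDetections {
    # Signature version in use plus any detections matching the name from the
    # article, so responders can separate the known false positive from anything else.
    param([string]$ThreatNamePattern = 'Trojan:Win32/Cerdigent*')  # assumed pattern
    $status = Get-MpComputerStatus
    $hits   = @(Get-MpThreat | Where-Object { $_.ThreatName -like $ThreatNamePattern })
    [pscustomobject]@{
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        Detections       = @($hits | Select-Object ThreatName, ThreatID, Resources)
    }
}

# Typical flow: take the baseline on a known-good machine before trouble...
# Export-RootStoreBaseline
# ...then, after a suspect definition update, check drift and what Defender saw:
# Compare-RootStoreBaseline | Format-List
# Get-DefenderCertDetections | Format-List
# Restore-MissingRoots
```

Take the baseline from a machine you trust and store it somewhere the endpoint cannot overwrite; a baseline captured after the bad signature ran would simply record the damage as normal. The Missing list tells you what the definition update removed, and the Added list is the check you want anyway for rogue roots, so the same job covers both this incident and the attack it was trying to catch.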

By strengthening validation, visibility, and response processes, organizations can build resilience and reduce overall risk from certificate-related incidents. 


Challenge of Trust in Security 

This incident highlights the growing complexity of managing trust and verification in modern environments, especially as attackers target systems like code-signing infrastructure. 

It also underscores the increasing reliance on automated security controls and the need for strong visibility and validation processes to ensure accuracy and avoid unintended impact. 

These realities also highlight the relevance of zero trust, which emphasizes continuous verification over implicit trust. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
