A Microsoft Defender update turned trusted certificates into security scares.
The false positive, tied to detections for Trojan:Win32/Cerdigent.A!dha, caused Defender to flag legitimate DigiCert root certificates as malicious after an April 30 signature update. In some cases, administrators reported that trusted certificates were removed from Windows systems, disrupting trust relationships and forcing IT teams to sort out whether they were seeing a real compromise or a broken detection.
"Earlier today, we determined false positive alerts were mistakenly triggered and updated the alert logic," Microsoft said, as reported by BleepingComputer.
The incident is a reminder that automated defenses can create their own blast radius when certificate trust, malware detection, and rapid response collide.
Inside the DigiCert false positive incident
The issue began following a Microsoft Defender signature update released on Apr. 30, which introduced detections for Trojan:Win32/Cerdigent.A!dha.
Soon after, administrators reported legitimate DigiCert root certificates being flagged as malicious and removed from the Windows trust store. On affected systems, this included deletions from the AuthRoot store, which disrupted trust relationships and raised concerns about system integrity.
The unexpected alerts caused confusion among users and IT teams, as certificate-based detections are often associated with serious compromises. As a result, some organizations treated the alerts as active infections, leading to unnecessary and disruptive actions such as full system rebuilds.
Relation to DigiCert incident
Microsoft later clarified the detections were introduced in response to a DigiCert security incident involving compromised code-signing certificates.
DigiCert revoked 60 certificates as part of its response, including several tied to the Zhong Stealer campaign.
To quickly protect customers, Defender added detection logic targeting potentially malicious certificates. However, it proved overly broad, causing legitimate DigiCert root certificates to be incorrectly flagged as threats.
Microsoft has since released a patch in the latest Defender update.
Reducing risk from certificate failures
Minimize impact from certificate-related incidents by improving validation, monitoring, and response processes.
- Update Microsoft Defender to the latest version, validate certificate restoration, and test updates in staging before broad deployment.
- Verify certificate stores against a known-good baseline and maintain secure backups for fast recovery.
- Monitor endpoints and logs for unexpected certificate changes, trust store modifications, and anomalous behavior.
- Centralize certificate management using Group Policy or MDM to ensure consistency and enable quick remediation.
- Correlate alerts across multiple security tools to reduce the risk of unnecessary action for false positives.
- Test incident response plans and use attack-simulation tools with scenarios involving certificate compromise.
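The baseline, monitoring and correlation steps above can be carried out with a single script. The following PowerShell is an added example and is not code from the article, from Microsoft or from DigiCert: it snapshots the machine's Root and AuthRoot stores to a baseline file, later diffs the live stores against that baseline, and pulls recent Defender detection events (event IDs 1116 and 1117 in the Defender Operational log) so that a missing DigiCert root can be tied to a specific detection name rather than treated as an intrusion. The baseline path and the detection-name filter are assumptions and should be adjusted to your environment.

```powershell
# Added example (not from the article, Microsoft or DigiCert): snapshot the
# machine-wide Root and AuthRoot stores to a baseline, later diff the live
# stores against it, and list recent Defender detection events so a missing
# root can be tied to a named detection. Baseline path and detection filter
# are assumptions; run in an elevated PowerShell on the endpoint.
[CmdletBinding()]
param(
    [string]$BaselinePath = "$env:ProgramData\CertBaseline\trust-baseline.json",  # assumed location
    [switch]$Snapshot,                                                              # write a new baseline instead of comparing
    [string]$DetectionFilter = 'Cerdigent',                                         # detection name from the incident; adjust as needed
    [int]$LookbackHours = 24
)

$stores = @('Root', 'AuthRoot')

function Get-TrustStoreState {
    # One record per certificate in the machine-wide Root and AuthRoot stores.
    foreach ($store in $stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Get-DefenderDetections {
    # Defender logs detections as event 1116 (detected) and 1117 (action taken)
    # in its Operational log; keep those whose message mentions the detection name.
    $since = (Get-Date).AddHours(-$LookbackHours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $DetectionFilter } |
        Select-Object TimeCreated, Id, Message
}

if ($Snapshot) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-TrustStoreState | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Snapshot on a known-good system first."
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-TrustStoreState

# Key on store + thumbprint so a root present in both stores is tracked per store.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property Store, Thumbprint -PassThru

$removed = $diff | Where-Object SideIndicator -eq '<='
$added   = $diff | Where-Object SideIndicator -eq '=>'

if ($removed) {
    Write-Host "Certificates present in the baseline but missing now:" -ForegroundColor Yellow
    $removed | Format-Table Store, Thumbprint, Subject -AutoSize
}
if ($added) {
    Write-Host "Certificates not in the baseline:" -ForegroundColor Yellow
    $added | Format-Table Store, Thumbprint, Subject -AutoSize
}
if (-not $removed -and -not $added) {
    Write-Host "Trust stores match the baseline."
}

# Correlate: a removed DigiCert root alongside a matching Defender detection in
# the same window points to the detection, not an intrusion, as the likely cause.
$detections = @(Get-DefenderDetections)
if ($removed -and $detections.Count -gt 0) {
    Write-Host "Defender detections matching '$DetectionFilter' in the last $LookbackHours h:" -ForegroundColor Yellow
    $detections | Format-Table TimeCreated, Id -AutoSize
    if ($removed | Where-Object Subject -match 'DigiCert') {
        Write-Host "Removed DigiCert roots coincide with these detections; confirm the Defender signature version before treating this as a compromise."
    }
}
```

Run it once with `-Snapshot` on a known-good system (ideally before rolling a signature update out of staging) and then without arguments on any endpoint that raises an alert. A removed root that lines up with a named detection in the same window is the signal to check the Defender update first; a removed root with no matching detection deserves the full incident-response path.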
This incident highlights the growing complexity of managing trust and verification in modern environments, especially as attackers target systems like code-signing infrastructure.
It also underscores the increasing reliance on automated security controls and the need for robust visibility and validation processes to ensure accuracy and prevent unintended impacts.
Editor's note: This article originally appeared on our sister publication, eSecurityPlanet.