A recent security update from Microsoft Defender led to widespread false positives by mistakenly identifying two DigiCert root certificates as malware. This error, which emerged following a signature update around April 30, 2026, has the potential to disrupt essential SSL/TLS and code-signing processes across various global enterprises.
Details of the Detection Error
The erroneous detection was labeled as Trojan:Win32/Cerdigent.A!dha and impacted registry entries associated with DigiCert Assured ID Root CA and DigiCert Trusted Root G4. These certificates, crucial for online security, are located in the Windows trust store under the registry path `HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates`.
On systems affected by this update, Microsoft Defender’s automatic quarantine of these certificates led to their removal from the trust store. Consequently, this posed significant risks, including the inability of systems to validate SSL/TLS connections and verify code-signing for legitimate applications.
Impact on Enterprises and Response
The misidentification issue significantly affected organizations dependent on DigiCert-signed software or secure HTTPS connections. Cybersecurity expert Florian Roth quickly raised awareness about the problem, urging the cybersecurity community to investigate and offering ways to verify whether the certificates had been restored.
Roth provided an Advanced Hunting query and a command-line method using certutil to assist administrators in verifying their systems. Meanwhile, Microsoft acknowledged the problem and issued corrective updates, notably version .430, which began restoring the quarantined certificates.
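The following PowerShell script is an added example of the kind of local check an administrator can run; it is not Roth's query or certutil command and not Microsoft's remediation. It assumes an elevated session on a Windows host with the Defender PowerShell module present, matches the two roots by subject common name (no thumbprints are assumed), and cross-checks the registry path named above together with any Defender detection carrying the Cerdigent name.

```powershell
# Added example (not from the article): confirm the two DigiCert roots affected by the
# Defender "Cerdigent" false positive are still present in the machine trust store.
# Assumptions: run elevated on Windows; Get-Mp* cmdlets come with Microsoft Defender.

$expectedSubjects = @(
    'CN=DigiCert Assured ID Root CA',
    'CN=DigiCert Trusted Root G4'
)

# 1. Check the certificate provider view. AuthRoot holds roots distributed by Windows
#    Update; Root is checked too in case a copy was installed there by policy.
$stores = 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\Root'
foreach ($subject in $expectedSubjects) {
    $found = foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "$subject*" }
    }
    if ($found) {
        foreach ($c in $found) {
            'PRESENT  {0}  thumbprint={1}  store={2}' -f $subject, $c.Thumbprint, $c.PSParentPath
        }
    } else {
        "MISSING  $subject  (expect restoration from the corrected signature update; otherwise reinstall the root)"
    }
}

# 2. Cross-check the raw registry path the article cites. Each subkey name is the SHA-1
#    thumbprint of a stored certificate; a quarantine removes the subkey entirely.
$regPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$keyCount = (Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue | Measure-Object).Count
"AuthRoot registry entries present: $keyCount"

# 3. Record the running signature version and any detection bearing the false-positive name,
#    so the host can be compared against the fixed update Microsoft shipped.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) { "Antivirus signature version: $($status.AntivirusSignatureVersion)" }

$cerdigent = Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -like '*Cerdigent*' }
if ($cerdigent) {
    foreach ($t in $cerdigent) { "DETECTION  $($t.ThreatName)  resources=$($t.Resources -join ';')" }
} else {
    'No Cerdigent detection recorded on this host'
}
```

The script only reads: it never deletes quarantine entries or writes to the registry, so it is safe to run across a fleet via remoting and the output lines can be collected centrally. Hosts that report MISSING after the corrected signature update has been applied are the ones that need manual follow-up; an equivalent listing without PowerShell is `certutil -store AuthRoot`, which prints the same store from the command line.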
Lessons and Future Outlook
Microsoft’s prompt response involved deploying a silent remediation alongside the corrected signature update to ensure quick resolution. Administrators in environments with strict update policies were advised to manually confirm the presence of the certificates.
This incident underscores the complexities and potential pitfalls of automated threat remediation. While such systems are essential for combating cyber threats, they must be carefully managed to prevent unintended consequences.
The Cerdigent false positive highlights the need for stringent quality control in deploying signature updates, especially for critical components like the root certificate trust store. As cybersecurity threats evolve, maintaining accuracy and reliability in security software remains imperative.
