Microsoft Defender DigiCert False Positive: Trojan:Win32/Cerdigent.A!dha
- [01] Immediate impact: Microsoft Defender identifies DigiCert root certificates as malware, leading to system-wide trust issues and potential application failures across Windows environments.
- [02] Affected systems: Windows systems running Microsoft Defender with specific signature updates are incorrectly flagging the Trojan:Win32/Cerdigent.A!dha threat.
- [03] Remediation: Organizations should update Microsoft Defender intelligence definitions to the latest version and verify the integrity of the local certificate store.
Microsoft Defender recently began flagging legitimate DigiCert root certificates as a malicious threat, specifically identifying them as Trojan:Win32/Cerdigent.A!dha. This incident, according to BleepingComputer, has resulted in widespread false-positive alerts across Windows environments and, in many cases, led to the automated removal or quarantine of critical certificates. When a root certificate is removed from the system’s Trusted Root Certification Authorities store, the chain of trust for numerous applications and services is broken, leading to TLS/SSL handshake failures and application crashes.
Technical Analysis and Microsoft Defender DigiCert Certificate Removal Fix
The detection nomenclature used by Microsoft, specifically the !dha suffix, typically indicates a detection based on cloud-delivered heuristics or behavioral analysis rather than a traditional static signature. This suggests that a change in Microsoft’s cloud-based scanning logic incorrectly associated the metadata or thumbprints of DigiCert root certificates with known IoC patterns for the Cerdigent malware family. For SOC analysts, this creates a significant burden as they must differentiate between a legitimate security breach and a systemic failure of their primary EDR solution.
The removal of these certificates is particularly disruptive because it prevents Windows from verifying the identity of software publishers and secure websites. This can lead to a cascade of errors where security software itself may fail to update, or internal enterprise applications stop functioning because they can no longer establish secure connections. To address this, administrators should first ensure that security intelligence definitions are updated to a version in which Microsoft has suppressed the false detection. If a certificate has already been removed, it may need to be manually re-imported via Group Policy or local administrative tools to restore the environment to a functional state.
Operational Impact on Enterprise Infrastructure
False positives of this magnitude can lead to alert fatigue within a SIEM or security platform, as the sheer volume of detections for a common root certificate can overwhelm automated response playbooks. Furthermore, the incident highlights the risks of automated remediation in modern security stacks. While rapid response is essential for mitigating a legitimate supply chain attack, automated actions taken on trusted system components like root certificates can cause more downtime than the threats they are designed to stop. Organizations practicing zero trust architecture are also affected, as the underlying trust in the identity of the device and its certificates is temporarily invalidated.
Detection and Mitigation Guidance
Security teams should monitor their consoles for any alerts matching the Trojan:Win32/Cerdigent.A!dha signature. When investigating, it is vital to distinguish false-positive Trojan:Win32/Cerdigent.A!dha signals from genuine malware. A key indicator is the file path: if the detection points to a certificate file or a process interacting with the Windows Certificate Store (certutil.exe or system processes), it is likely the false positive in question. In contrast, typical phishing or malware campaigns would target user directories or temporary folders.
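As an added triage example (not part of the BleepingComputer report or of Microsoft's own guidance), the following PowerShell pulls Defender's detection history and labels each Cerdigent hit by where the flagged resource lives, applying the file-path rule described above. Get-MpThreat and Get-MpThreatDetection are Defender's own cmdlets; the path patterns, the constructed sample detections used when the module is absent, and the sample ThreatID are assumptions. The ThreatStatusID column shows the action Defender took, which is also what a later audit of automated quarantine actions needs.

```powershell
# Added triage example (not from the article). Assumes the Defender PowerShell
# module (Get-MpThreat / Get-MpThreatDetection) is present on the host. The path
# patterns below are an assumption about where the Windows certificate store and
# its tooling live; adjust them to the paths seen in your own alerts.
$ThreatNamePattern = 'Cerdigent'

# Resource locations that point at the certificate store or the tools that manage it.
$CertStorePatterns = @(
    '\\Microsoft\\SystemCertificates\\',   # registry-backed machine/user stores
    '\\certutil\.exe',                     # certificate management utility
    '\.(cer|crt|p7b|sst)$'                 # certificate container files
)
# Locations where a genuine infection typically lands.
$UserLandPatterns = @(
    '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\',
    '\\Windows\\Temp\\'
)

function Get-CerdigentTriage {
    param([object[]]$Detections, [hashtable]$ThreatNames)
    foreach ($d in $Detections) {
        $name = $ThreatNames[$d.ThreatID]
        if ($name -notmatch $ThreatNamePattern) { continue }
        $resources = @($d.Resources) -join ' '
        $verdict = 'REVIEW'
        if ($resources -match ($CertStorePatterns -join '|')) {
            $verdict = 'LIKELY_FALSE_POSITIVE'
        } elseif ($resources -match ($UserLandPatterns -join '|')) {
            $verdict = 'INVESTIGATE_AS_MALWARE'
        }
        [pscustomobject]@{
            Detected  = $d.InitialDetectionTime
            Threat    = $name
            Process   = $d.ProcessName
            Status    = $d.ThreatStatusID   # e.g. 1 = Detected, 3 = Quarantined, 4 = Removed
            Resources = $resources
            Verdict   = $verdict
        }
    }
}

# Use live data when the Defender module is present; otherwise fall back to
# constructed sample detections so the classifier can be exercised offline.
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    $detections = Get-MpThreatDetection
} else {
    $names = @{ 12345 = 'Trojan:Win32/Cerdigent.A!dha' }   # constructed ThreatID
    $detections = @(
        [pscustomobject]@{
            ThreatID = 12345; ProcessName = 'certutil.exe'; ThreatStatusID = 3
            InitialDetectionTime = Get-Date
            Resources = @('regkey:_HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\PLACEHOLDER_THUMBPRINT')
        },
        [pscustomobject]@{
            ThreatID = 12345; ProcessName = 'explorer.exe'; ThreatStatusID = 1
            InitialDetectionTime = Get-Date
            Resources = @('file:_C:\Users\alice\AppData\Local\Temp\update.exe')
        }
    )
}

Get-CerdigentTriage -Detections $detections -ThreatNames $names | Format-Table -AutoSize
```

On the constructed input the first detection is labelled LIKELY_FALSE_POSITIVE (certificate store, certutil.exe) and the second INVESTIGATE_AS_MALWARE (user temp folder); anything that matches neither set of patterns is left as REVIEW for an analyst rather than auto-closed.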
To remediate the issue:
- Trigger a manual update of Microsoft Defender signatures using the command line: MpCmdRun.exe -SignatureUpdate.
- Verify the presence of DigiCert Global Root G2 or other affected certificates in the Cert:\LocalMachine\Root store.
- Audit SOC logs for any automated quarantine actions that may have removed valid binaries or configuration files associated with these certificates.
- Communicate with end-users and helpdesk staff to explain that ‘untrusted certificate’ errors are currently being addressed as part of a global security software update.
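A PowerShell version of the first two steps, added here as an example rather than taken from the article: it forces the signature update and reports the before/after version, checks the machine Trusted Root store for the DigiCert Global Root G2 subject, and re-imports from a local backup only when that file's thumbprint matches a value the administrator has filled in from DigiCert's published fingerprint. The backup path and the empty thumbprint variable are placeholders; MpCmdRun.exe, Get-MpComputerStatus and Import-Certificate are standard Windows cmdlets and tools.

```powershell
# Added remediation/verification example (not the article's own script).
# Assumes a Windows host with Microsoft Defender Antivirus and the PKI module.
$SubjectCN          = 'CN=DigiCert Global Root G2'
$ExpectedThumbprint = ''   # placeholder: fill in from DigiCert's published SHA-1 fingerprint (40 hex chars)
$BackupCerPath      = 'C:\Certs\DigiCertGlobalRootG2.cer'   # assumed location of the organisation's own copy

# Step 1: force a signature update and record which version we ended up on.
function Update-DefenderSignatures {
    $before = (Get-MpComputerStatus).AntivirusSignatureVersion
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate | Out-Null
    $after = (Get-MpComputerStatus).AntivirusSignatureVersion
    [pscustomobject]@{ Before = $before; After = $after; Changed = ($before -ne $after) }
}

# Step 2: look for the certificate in the machine Trusted Root store. When a
# thumbprint is supplied, a subject match with a different thumbprint is ignored.
function Find-RootCert {
    param([string]$Subject, [string]$Thumbprint)
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$Subject*" } |
        Where-Object { (-not $Thumbprint) -or ($_.Thumbprint -eq $Thumbprint) }
}

# Re-import from a backup file, but only after its thumbprint has been verified
# against the expected value; an unverified root must never be trusted blindly.
function Restore-RootCert {
    param([string]$CerPath, [string]$Thumbprint)
    if (-not $Thumbprint) {
        Write-Warning 'Set the expected thumbprint before importing; refusing to import unverified material'
        return $false
    }
    if (-not (Test-Path $CerPath)) {
        Write-Warning "No backup certificate found at $CerPath"
        return $false
    }
    $candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    if ($candidate.Thumbprint -ne $Thumbprint) {
        Write-Warning "Backup thumbprint $($candidate.Thumbprint) does not match the expected value; not imported"
        return $false
    }
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    return $true
}

Update-DefenderSignatures | Format-List

$present = @(Find-RootCert -Subject $SubjectCN -Thumbprint $ExpectedThumbprint)
if ($present.Count -gt 0) {
    $present | Select-Object Subject, Thumbprint, NotAfter | Format-List
} elseif (Restore-RootCert -CerPath $BackupCerPath -Thumbprint $ExpectedThumbprint) {
    Write-Host "Re-imported $SubjectCN into Cert:\LocalMachine\Root"
} else {
    Write-Warning "$SubjectCN is missing from the machine Trusted Root store; restore it via Group Policy or a verified backup"
}
```

Run from an elevated session, since both the signature update and writes to Cert:\LocalMachine\Root require administrative rights. Leaving the thumbprint empty still lets the script report whether the certificate is present, but it deliberately refuses to import anything until the expected value has been filled in.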