Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/

ONE SENTENCE SUMMARY:

Microsoft Defender falsely flagged DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, causing affected systems to remove them from the AuthRoot trust store until Microsoft corrected the signatures.

MAIN POINTS:

  1. A Defender signature update on April 30 triggered false-positive detections worldwide, as reported by Florian Roth.
  2. Legitimate DigiCert root certificates were detected as Trojan:Win32/Cerdigent.A!dha, alarming administrators and users.
  3. On affected Windows systems, Defender's automatic remediation removed the flagged certificates from the machine's AuthRoot trust store.
  4. The impacted location was HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, the registry path that backs the AuthRoot store, with one subkey per certificate thumbprint.
  5. Reported certificate thumbprints included 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43.
  6. Second flagged thumbprint was DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.
  7. Microsoft corrected the detection in Security Intelligence update 1.449.430.0, followed by update 1.449.431.0.
  8. Reddit users reported that the fix also restored the previously removed root certificates.
  9. Users can force a Defender signature update from Windows Security via “Protection updates” and “Check for updates”.
  10. The timing coincided with DigiCert's incident in which attackers obtained EV code-signing certificates that were used to sign malware.
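
The check-and-remediate procedure described in points 3 to 9, as an added PowerShell example that is not part of the BleepingComputer article and not Microsoft's own guidance: it verifies whether the two thumbprints named above are still present in the AuthRoot store (both the certificate provider view and the backing registry path), compares the installed Security Intelligence version against the first corrected build, forces a signature update when it is older, and lists any remaining Cerdigent detections in Defender's threat history. The thumbprints and version number are taken from the article; the function name Test-AuthRootCertificate and the variable names are assumptions of this example.

```powershell
# Added example, not code from the article. Run from an elevated PowerShell
# session on a Windows host with the Defender module (Get-MpComputerStatus etc.).

# Thumbprints reported in the article as wrongly flagged.
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
# First Security Intelligence update that corrected the detection (per the article).
$FixedVersion = [version]'1.449.430.0'
# Registry path backing the machine AuthRoot store; one subkey per thumbprint.
$RegBase = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

function Test-AuthRootCertificate {
    # Hypothetical helper name; checks both views of the AuthRoot store so a
    # registry-level removal (what Defender's remediation touched) is visible.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $certPath = "Cert:\LocalMachine\AuthRoot\$Thumbprint"
    $inStore  = Test-Path -Path $certPath
    $inReg    = Test-Path -Path (Join-Path -Path $RegBase -ChildPath $Thumbprint)
    $subject  = $null
    if ($inStore) { $subject = (Get-Item -Path $certPath).Subject }

    [pscustomobject]@{
        Thumbprint  = $Thumbprint
        InCertStore = $inStore
        InRegistry  = $inReg
        Subject     = $subject
    }
}

# 1. Is either root missing from AuthRoot on this machine?
$results = $Thumbprints | ForEach-Object { Test-AuthRootCertificate -Thumbprint $_ }
$results | Format-Table -AutoSize
$missing = $results | Where-Object { -not $_.InCertStore -or -not $_.InRegistry }
if ($missing) {
    Write-Warning ("Missing from AuthRoot: " + ($missing.Thumbprint -join ', '))
}

# 2. Are the installed signatures older than the corrected build?
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Installed Security Intelligence version: $current"
if ($current -lt $FixedVersion) {
    Write-Host "Signatures predate $FixedVersion; forcing an update."
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Version after update: $current"
}

# 3. Any Cerdigent detections still recorded in Defender's threat history?
Get-MpThreat |
    Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' } |
    Select-Object ThreatName, IsActive, Resources |
    Format-List
```

Re-run step 1 after the update: the article's Reddit reports indicate the corrected signatures restored the removed roots, but if a thumbprint is still absent, Windows will normally re-fetch a missing AuthRoot certificate through the automatic root update mechanism the next time a chain needs it, unless that mechanism has been disabled by policy; in that case the root must be restored by hand from a trusted source.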

TAKEAWAYS:

  1. A false positive can directly disrupt a Windows trust store: removing a root from AuthRoot breaks validation of every TLS server certificate and signed binary that chains to it until the root is restored or re-fetched.
  2. Rapid signature rollouts need robust safeguards to avoid widespread certificate trust removals.
  3. Updating Defender intelligence quickly resolves misdetections and may automatically restore trust entries.
  4. DigiCert’s breach involved initialization codes and approved orders, enabling issuance of maliciously used certs.
  5. The roots Defender flagged are not the code-signing certificates DigiCert revoked, so any link between the two events remains unconfirmed.