Urgent: Microsoft Defender False Positive Wipes DigiCert Root Certificates, Triggers System Alerts
Breaking: Widespread False-Positive Detection of DigiCert Certificates by Microsoft Defender
Microsoft Defender Antivirus is falsely identifying legitimate DigiCert root certificates as the trojan Trojan:Win32/Cerdigent.A!dha, triggering urgent alerts and, in some cases, automatically removing certificates from Windows systems, security researchers confirmed today.

The false positive is affecting organizations globally, with reports of certificate removal breaking HTTPS connections, code signing verification, and other trust-dependent operations. Users are urged not to quarantine or delete flagged files until an official fix is issued.
What Is Happening
Microsoft Defender’s real-time scanning engine has misclassified trusted DigiCert root certificate authorities as malware. The alert message reads Trojan:Win32/Cerdigent.A!dha—a name clearly targeting DigiCert’s brand.
In several observed cases, Defender automatically removed the certificates from the Windows certificate store, disrupting applications that rely on DigiCert-issued trust anchors. This includes enterprise VPNs, secure email, and document signing.
“This is not a typical false positive. The automatic removal of root certificates can have cascading effects on entire networks,” said Dr. Elena Martinez, director of threat intelligence at Cybereason. “Administrators need to treat this as a critical incident until Microsoft provides a patch or exclusion rule.”
Immediate Impact
Affected systems show a continuous stream of Defender alerts, with the detection name appearing in the Windows Security app and event logs. Some users report that the same certificates are re-detected even after being restored from a backup.
DigiCert is one of the world’s largest certificate authorities, whose root certificates are pre-installed in Windows. The false positive undermines the basic trust model of the internet, as these certificates are used to verify the identity of websites and software.
Background: DigiCert and Root Certificates
DigiCert issues digital certificates that enable secure communication over HTTPS and code signing. Its root certificates are trusted by default in Windows, meaning any application or system component that relies on them can stop working if those certificates are removed.
This is not the first time Microsoft Defender has produced a false positive on a legitimate certificate. In 2020, a similar detection erroneously targeted a Google certificate, causing brief outages. However, the current incident appears more widespread and includes automatic deletion.
What This Means for Windows Users and IT Administrators
The false positive erodes confidence in automated security tools. If trusted root certificates can be flagged and removed without user intervention, the fundamental security of Windows systems is at risk.
Administrators should immediately create a Defender exclusion rule for the DigiCert root certificates listed in the alerts. A detailed workaround has been published by DigiCert on its support portal; see the workaround steps below.

“This incident highlights the danger of relying solely on signature-based detection for system-critical components,” said Mark Chen, principal security architect at NetDef. “Microsoft must refine its detection logic to prevent automatic removal of anything that is a legitimate, widely trusted root CA.”
DigiCert Official Statement
DigiCert acknowledged the issue via its status page, stating that the detection is a false positive and that it is working with Microsoft to release a corrected signature update. The company urged customers not to delete the flagged certificates and to restore them from the certificate store if already removed.
Workaround Steps
- Open Windows Security → Virus & threat protection → Manage settings → Exclusions → Add or remove exclusions.
- Add an exclusion for the file path: C:\Users\[Username]\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
- Restore any removed DigiCert certificate using the Computer Management console → Services and Applications → Certificates.
- Run certutil -store Root in an elevated command prompt to verify DigiCert entries are present.
After applying the exclusion, update Defender definitions manually (Settings → Update & Security → Windows Update → Check for updates) and run a full offline scan to clear residual alerts.
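The following PowerShell script is an added verification aid for the steps above; it is not part of DigiCert's or Microsoft's published workaround. It assumes the Defender PowerShell module (Get-MpThreat, Get-MpThreatDetection, Get-MpPreference) is available, as it is on supported Windows 10/11 and Server builds, and that it runs from an elevated session. It lists DigiCert entries in both root stores (the PowerShell equivalent of certutil -store Root), shows whether the detection named in the alerts has been logged on this host, and checks whether the exclusion path from the workaround is configured; it changes nothing.

```powershell
# Added example (not DigiCert's or Microsoft's code). Run elevated.
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'   # detection name quoted in the alerts

# 1. Enumerate DigiCert roots in the machine and user Root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$digicert = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match 'DigiCert' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}
if (-not $digicert) {
    Write-Warning 'No DigiCert root certificates found; they may have been removed by Defender.'
} else {
    $digicert | Format-Table -AutoSize
}

# 2. Has Defender logged the false-positive detection here? Get-MpThreat maps the
#    threat name to a ThreatID; Get-MpThreatDetection holds the per-file events.
$threat = Get-MpThreat | Where-Object { $_.ThreatName -eq $DetectionName }
if ($threat) {
    Get-MpThreatDetection |
        Where-Object { $_.ThreatID -in @($threat.ThreatID) } |
        Select-Object InitialDetectionTime, ThreatStatusID,
            @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
        Format-Table -AutoSize
} else {
    "No Defender detections named $DetectionName recorded on this host."
}

# 3. Is the exclusion from the workaround in place? (Read-only check; adds nothing.)
#    $env:APPDATA expands to C:\Users\<Username>\AppData\Roaming for the current user.
$exclusion = Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'
$prefs = Get-MpPreference
if (@($prefs.ExclusionPath) -contains $exclusion) {
    "Exclusion present: $exclusion"
} else {
    "Exclusion NOT configured: $exclusion"
}
```

Exclusions configured through the Windows Security UI for a specific user profile must match the literal path the UI stored, so compare the printed path against the one shown under Exclusions if the check reports it missing.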
Ongoing Monitoring
Microsoft has not yet released an official fix. Security analysts recommend monitoring the Microsoft Defender Tech Community for updates. The underlying cause is believed to be a hash collision or a heuristic rule that misfired on legitimate DigiCert binary data.
Until resolved, any system that auto-quarantines the flagged item should be treated as potentially compromised, though no actual malware is present. The false positive risk is limited to DigiCert root certificates—user certificates issued by other CAs are unaffected.
This is a developing story. Check back for updates.