Microsoft Defender False Positive: Cerdigent Trojan Alert and DigiCert Certificate Incident Analysis
Executive Summary
Microsoft Defender triggered widespread false positive alerts on May 1-2, 2026, incorrectly flagging legitimate DigiCert root certificates as malicious “Trojan:Win32/Cerdigent.A!dha” threats. The false positives affected enterprise environments worldwide, causing concern among system administrators and end users. This analysis examines the technical details, impact, and mitigation strategies for this significant security incident that highlights the delicate balance between proactive threat detection and operational stability.
Incident Overview
On May 1, 2026, Microsoft Defender users worldwide began receiving alerts for “Trojan:Win32/Cerdigent.A!dha” detections targeting two legitimate DigiCert root certificates. The affected certificates were DigiCert Assured ID Root CA (thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43) and DigiCert Trusted Root G4 (thumbprint: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4).
According to Microsoft’s official statement, the issue stemmed from a faulty security intelligence update released around April 30, 2026. “Following reports of compromised certificates, Microsoft Defender immediately added detections for malware in our Defender Antivirus Software to help keep customers protected. Earlier today we determined false positive alerts were mistakenly triggered and updated the alert logic,” Microsoft confirmed to security researchers.
Technical Analysis of the False Positive
Certificate Trust Store Architecture
The Windows Certificate Trust Store is a critical system component that manages trusted root and intermediate certificate authorities. The affected certificates reside under the registry path HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, the store Windows consults when it builds and validates SSL/TLS and code-signing certificate chains.
When Microsoft Defender flagged these certificates as malicious, it automatically quarantined them from the Windows trust store. This action created significant operational risks, as the removal of trusted root certificates could:
- Disrupt SSL/TLS connections for secure websites
- Break code-signing verification for legitimate software
- Cause browser warnings and application failures
- Impact enterprise networks relying on DigiCert-signed software
Signature Update Analysis
The false positive was introduced in Microsoft Security Intelligence update version 1.449.430.0, which added detections targeting the specific certificate thumbprints. Microsoft corrected the issue in Security Intelligence update version 1.449.431.0, which included corrected signature logic and automatic restoration of quarantined certificates.
Cybersecurity researcher Florian Roth (@cyb3rops) was among the first to identify and amplify the issue. He provided an Advanced Hunting query for administrators to verify certificate restoration:
```kusto
// The source table was lost when the page was extracted; the query as published
// begins at the first pipe. In Defender for Endpoint, RegistryKeyCreated events
// are recorded in the registry-events table (DeviceRegistryEvents).
| where ActionType == "RegistryKeyCreated"
| where Timestamp > datetime(2026-05-03T04:00:00)
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName
| order by Timestamp desc
```
Connection to the DigiCert Security Incident
DigiCert Breach Background
The Microsoft Defender false positives are directly related to a security incident at DigiCert that occurred in early April 2026. On April 2, a threat actor targeted DigiCert’s support team through customer chat channels, delivering malicious ZIP files disguised as customer screenshots.
After multiple failed attempts, one support analyst’s machine (ENDPOINT1) was compromised on April 3. Despite initial containment, a second machine (ENDPOINT2) was compromised on April 4 due to a CrowdStrike sensor gap that went undetected for 11 days.
Threat Actor Tactics and Techniques
Once inside DigiCert’s network, the threat actor exploited the compromised analyst endpoints to access DigiCert’s internal support portal. The actor used a legitimate support function that allows analysts to access customer accounts from the customer’s perspective.
Through this access, the threat actor obtained initialization codes for pending EV Code Signing certificate orders. With these codes and approved orders, the threat actor was able to obtain legitimate certificates that were subsequently used to sign malware, including the “Zhong Stealer” campaign targeting major companies like Lenovo, Kingston, Shuttle Inc, and Palit Microsystems.
DigiCert’s Response and Remediation
DigiCert’s incident response was swift and comprehensive:
- Revoked 60 code-signing certificates within 24 hours of discovery
- Set revocation dates to certificate issuance dates
- Cancelled pending orders within the affected timeframe
- Implemented enhanced security controls for support portal access
Of the revoked certificates, 27 were explicitly linked to the threat actor (11 identified by community reports, 16 during DigiCert’s investigation). The remaining 33 were revoked as a precautionary measure.
Operational Impact Analysis
Enterprise System Implications
The Microsoft Defender false positives created significant operational challenges for organizations worldwide. The automatic removal of root certificates from the Windows trust store affected multiple system components:
| System Component | Potential Impact | Severity |
|---|---|---|
| Web Browsers | SSL/TLS connection failures, security warnings | High |
| Enterprise Applications | Code-signing verification failures | Medium |
| Cloud Services | Certificate validation errors, authentication issues | High |
| IoT Devices | Firmware update failures, connectivity issues | Medium |
User Experience Impact
For individual users, the false positives created confusion and concern. Many users reported:
- Seeing “Trojan:Win32/Cerdigent.A!dha” alerts in quick scans but not full scans
- Certificate entries being automatically removed from their systems
- Inconsistent results across different security tools
- Uncertainty about whether their systems were actually compromised
Reddit discussions showed widespread panic, with some users considering complete operating system reinstallation to resolve the issue.
Technical Timeline of Events
Incident Chronology
| Date | Event | Impact |
|---|---|---|
| April 30, 2026 | Microsoft releases Security Intelligence update 1.449.430.0 with Cerdigent detections | Initial introduction of false positives |
| May 1, 2026 (Morning) | Users worldwide begin receiving false positive alerts | Global awareness of the issue |
| May 1, 2026 (Afternoon) | Microsoft Defender automatically quarantines certificates from systems | Certificate trust store impact |
| May 2, 2026 (Morning) | Microsoft releases Security Intelligence update 1.449.431.0 with fixes | Beginning of resolution phase |
| May 2, 2026 (Afternoon) | Automatic certificate restoration begins on affected systems | Resolution underway |
| May 3, 2026 | Microsoft confirms false positive issue in official statement | Complete resolution confirmed |
Detection and Mitigation Strategies
Current Detection Status
The Microsoft Defender false positive issue has been resolved with the release of Security Intelligence update 1.449.431.0. The update includes corrected signature logic and automatic restoration of quarantined certificates on affected systems.
For organizations with restricted update policies, Microsoft recommends the following verification steps:
```cmd
certutil -store AuthRoot | findstr -i "digicert"
```
Immediate Response Checklist
For Affected Organizations:
- Verify Current Defender Version: Ensure systems are running Security Intelligence update 1.449.431.0 or later
- Check Certificate Status: Use certutil to verify DigiCert certificates are present in the trust store
- Review Advanced Hunting Logs: Check Microsoft Defender for Endpoint logs for certificate restoration events
- Monitor for Residual Issues
- Document Impact and Response: Keep records of affected systems and resolution actions
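The first two checklist items, the Defender version check and the certificate check, as one added PowerShell script (example code written for this article, not Microsoft's or DigiCert's). It assumes the Defender PowerShell module (Get-MpComputerStatus) is available, uses the two thumbprints quoted above, and treats 1.449.431.0 as the minimum fixed signature version.

```powershell
# Added example: verify that the Cerdigent fix is loaded and that the two DigiCert
# roots named in the article are present in the machine trust store.
$FixedSignatureVersion = [version]'1.449.431.0'      # fix release named in the article
$ExpectedRoots = @{                                  # thumbprints quoted in the article
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' = 'DigiCert Assured ID Root CA'
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4' = 'DigiCert Trusted Root G4'
}

function Test-DefenderSignatureVersion {
    # Get-MpComputerStatus (Defender module) reports the loaded Security Intelligence version.
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    [pscustomobject]@{
        Installed = $installed
        Required  = $FixedSignatureVersion
        Fixed     = ($installed -ge $FixedSignatureVersion)
    }
}

function Test-DigiCertRoots {
    # AuthRoot is the store the article names; the machine Root store is checked as well,
    # because many enterprise images carry the same roots there and either satisfies chain building.
    $present = Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\Root' |
        Select-Object -ExpandProperty Thumbprint -Unique
    foreach ($thumb in $ExpectedRoots.Keys) {
        [pscustomobject]@{
            Subject    = $ExpectedRoots[$thumb]
            Thumbprint = $thumb
            Present    = ($present -contains $thumb)
        }
    }
}

$sig = Test-DefenderSignatureVersion
if ($sig.Fixed) {
    Write-Host "Signature $($sig.Installed) includes the corrected Cerdigent logic"
} else {
    Write-Warning "Signature $($sig.Installed) predates the fix ($($sig.Required)); run Update-MpSignature first"
}

$roots = Test-DigiCertRoots
$roots | Format-Table -AutoSize
if ($roots.Present -contains $false) {
    # Quarantine history tells you whether an absence is residue of this incident.
    Write-Warning 'A DigiCert root is missing; review Get-MpThreatDetection before restoring it manually'
}
```

A root that has never been used on a machine with automatic root updates enabled can be absent from AuthRoot without any quarantine having happened, so an absent root should be cross-checked against Defender's detection history rather than treated as incident residue on its own.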
For System Administrators:
- Prioritize Critical Systems: Focus on servers and systems handling critical services first
- Coordinate with Security Teams: Work alongside incident response teams to ensure comprehensive coverage
- Communicate with Stakeholders: Keep users informed about the resolution status
- Review Detection Rules: Assess if any custom rules need adjustment based on this incident
Preventive Measures
To prevent similar incidents in the future, organizations should implement the following measures:
- Enhanced Testing: Implement staged rollout of signature updates to a limited user group before full deployment
- Monitoring: Deploy enhanced monitoring for certificate trust store changes
- Response Playbooks: Develop specific response procedures for certificate-related incidents
- User Training: Educate users about legitimate security alerts and false positive indicators
Security Best Practices for Certificate Management
Certificate Lifecycle Management
This incident highlights the importance of robust certificate lifecycle management. Organizations should implement:
- Automated Certificate Discovery: Regularly inventory all certificates in the trust store
- Expiry Monitoring: Track certificate expiration dates and plan for renewal
- Change Detection: Implement monitoring for unexpected certificate changes
- Backup and Recovery: Maintain regular backups of certificate stores
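The change-detection and backup items above, as an added PowerShell baseline-and-diff script (example code written for this article, not a DigiCert or Microsoft tool). The baseline file location is an assumption; the baseline is taken once on a known-good system and compared on a schedule.

```powershell
# Added example: snapshot the machine root stores to a JSON baseline, then report
# any root that has appeared or disappeared since. A root quarantined by a faulty
# signature, as in this incident, surfaces as "Removed" on the next comparison.
$BaselinePath = 'C:\ProgramData\TrustStoreBaseline.json'   # assumed location

function Get-TrustStoreSnapshot {
    # One record per root, keyed on store + thumbprint so friendly-name edits do not alert.
    Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\Root' |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $_.PSParentPath.Split('\')[-1]   # 'AuthRoot' or 'Root'
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter.ToString('o')
            }
        }
}

function Save-TrustStoreBaseline {
    # The baseline doubles as a recovery reference: it records which roots belonged where.
    Get-TrustStoreSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Compare-TrustStoreBaseline {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-TrustStoreBaseline on a known-good system first"
    }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-TrustStoreSnapshot
    # '<=' means present only in the baseline (removed); '=>' only in the live store (added).
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Store, Thumbprint -PassThru |
        ForEach-Object {
            [pscustomobject]@{
                Change     = if ($_.SideIndicator -eq '<=') { 'Removed' } else { 'Added' }
                Store      = $_.Store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
            }
        }
}

$changes = Compare-TrustStoreBaseline
if ($changes) {
    $changes | Format-Table -AutoSize
    Write-Warning "$(@($changes).Count) trust store change(s) since baseline"
} else {
    Write-Host 'Trust store matches baseline'
}
```

Run Save-TrustStoreBaseline once and Compare-TrustStoreBaseline from a scheduled task; an "Added" row warrants as much attention as a "Removed" one, since an unexpected new root also changes what the machine will trust.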
Defense-in-Depth Strategies
To enhance certificate security, organizations should employ multiple layers of protection:
- Multi-factor Authentication: Require MFA for all certificate management operations
- Least Privilege Access: Implement strict access controls for certificate-related systems
- Regular Audits: Conduct periodic security audits of certificate management processes
- Incident Response Testing: Test response procedures through regular drills
Industry Impact and Future Considerations
Implications for Certificate Authorities
The DigiCert incident and subsequent Microsoft Defender false positives have significant implications for the certificate authority industry:
- Enhanced Security Requirements: Certificate authorities may face increased scrutiny and security requirements
- Improved Breach Response: Need for more robust incident response capabilities
- Customer Communication: Better transparency during security incidents
- Third-Party Security: Strengthening protections for support and administrative systems
Lessons for Security Tool Vendors
Microsoft’s experience with this false positive provides valuable lessons for all security vendors:
- Quality Control: Enhanced testing procedures for signature updates
- False Positive Management: Better mechanisms for detecting and correcting false positives
- Communication: Improved transparency during incidents
- Customer Support: Enhanced support for affected customers during incidents
Frequently Asked Questions
Q1: Should I be concerned about the Cerdigent Trojan detection on my system?
A: If you’re seeing “Trojan:Win32/Cerdigent.A!dha” detections on legitimate DigiCert certificates, this is a confirmed false positive. Microsoft has acknowledged the issue and released a fix in Security Intelligence update 1.449.431.0. The detections are targeting root certificates in the Windows trust store, not actual malware infections.
Q2: Will the false positive cause any permanent damage to my system?
A: No, the false positive should not cause permanent damage. Microsoft Defender’s automatic restoration process should return the certificates to your trust store. If you’re experiencing issues, ensure your system is updated to the latest Security Intelligence version and consider manually checking your certificate status using the certutil command mentioned in this article.
Q3: How can I verify that my certificates have been properly restored?
A: You can verify certificate restoration by running the following command in an elevated Command Prompt: certutil -store AuthRoot | findstr -i "digicert". This should show your DigiCert certificates are present in the trust store. You can also check Microsoft Defender for Endpoint logs for “RegistryKeyCreated” events around May 3, 2026, which indicate certificate restoration activity.
Q4: What should I do if my security software is still detecting these certificates as threats?
A: If other security software continues to detect these certificates, first ensure your Microsoft Defender is updated to version 1.449.431.0 or later. For other security tools, check for updates from their respective vendors. As a temporary workaround, you may need to add exclusions for the specific certificate thumbprints, but this should not be necessary once all vendors have updated their detection rules.
Q5: Does this incident indicate that my system was actually compromised?
A: No, this incident is purely a false positive issue. The certificates being flagged are legitimate, trusted root certificates from DigiCert. A Cerdigent.A!dha detection on one of these certificates does not indicate a real malware infection on the system that raised the alert. Microsoft has confirmed that the issue was with the detection logic, not with the certificates themselves.
Q6: How can I prevent similar incidents in the future?
A: To prevent similar incidents, organizations should implement enhanced testing procedures for security updates, establish staged rollout processes, and maintain comprehensive monitoring of certificate trust stores. Regular security audits and employee training on incident response procedures can also help mitigate the impact of future incidents.
References
Official Sources:
- Microsoft Security Intelligence Update Information – Microsoft Q&A – Trojan:Win32/Cerdigent.A!dha
- DigiCert Security Incident Report – Mozilla Bugzilla – DigiCert: Misissued code signing certificates
Security News Sources:
- BleepingComputer – Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha
- CyberSecurity News – Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware
- Security Boulevard – Microsoft Defender Mistakenly Flags DigiCert Root Certificates as Malware
Technical Analysis:
- Neowin – Microsoft Defender flagging “Cerdigent” trojan malware on Windows 11, Server PCs worldwide
- Eleven Forum – Windows Defender Threat Detected : Trojan:Win32/Cerdigent.A!dha
- Malwarebytes Forums – Trojan:Win32/Cerdigent.A!dha – Windows Malware Removal Help & Support
Social Media and Community Reports:
- Reddit r/cybersecurity – Trojan:Win32/Cerdigent.A!dha Discussion
- Reddit r/cybersecurity – Microsoft Defender Endpoint flagging DigiCert certificate as malicious
- X/Twitter Reports from Security Researchers – Florian Roth (@cyb3rops), Squiblydoo (@SquiblydooBlog), MalwareHunterTeam (@malwrhunterteam)
Conclusion
The Microsoft Defender false positive incident involving Cerdigent.A!dha detections represents a significant case study in the challenges of balancing proactive threat detection with operational stability. While the incident has been resolved, it serves as an important reminder of the complex interplay between security tools, certificate authorities, and enterprise systems.
Organizations should use this incident as an opportunity to review their certificate management practices, security update procedures, and incident response capabilities. By implementing the lessons learned from this event, security teams can better prepare for and respond to similar incidents in the future.
Microsoft’s quick response in releasing corrective updates and restoring certificates demonstrates the importance of vendor transparency and rapid incident resolution. As the cybersecurity landscape continues to evolve, such collaborative efforts between vendors and the security community will be essential for maintaining trust and ensuring effective protection against emerging threats.