Microsoft Defender false-positive detections targeting DigiCert root certificates resolved
Summary
Microsoft Defender erroneously flagged and removed legitimate DigiCert root certificates as malware Trojan:Win32/Cerdigent.A!dha starting April 30, 2026, affecting Windows systems globally. The false positives stemmed from a Defender signature update and led to certificate removal from the Windows AuthRoot trust store, causing operational disruptions. Microsoft issued corrected definitions in Security Intelligence updates 1.449.430.0 and 1.449.431.0, which restore affected certificates automatically. The incident occurred shortly after a DigiCert security breach where attackers obtained valid code-signing certificates to sign malware, though the root certificates flagged by Defender are unrelated to the revoked signing certificates. The false positives triggered unnecessary remediation actions by users.
Timeline
- 03.05.2026 21:11 · 1 article
  Microsoft Defender false-positive detections of DigiCert root certificates corrected after signature update
  On April 30, 2026, Microsoft Defender began erroneously flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, causing certificate removal from the Windows trust store and widespread false alerts. Microsoft issued corrected Security Intelligence updates (versions 1.449.430.0 and 1.449.431.0) that restored removed certificates and prevented further false positives. Affected systems can manually update via Windows Security > Virus and threat protection > Protection updates.
  Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
Information Snippets
- A Microsoft Defender signature update released on April 30, 2026, introduced detections for DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, causing false-positive alerts.
  First reported: 03.05.2026 21:11 (1 source, 1 article). Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
- Affected DigiCert root certificates identified by their SHA-1 thumbprints: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.
  First reported: 03.05.2026 21:11 (1 source, 1 article). Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
- DigiCert certificates were removed from the Windows AuthRoot store via Registry key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\, disrupting TLS and code-signing validation on impacted systems.
  First reported: 03.05.2026 21:11 (1 source, 1 article). Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
- Microsoft corrected the detections in Security Intelligence update versions 1.449.430.0 and 1.449.431.0, restoring removed certificates automatically and preventing further false positives.
  First reported: 03.05.2026 21:11 (1 source, 1 article). Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
- DigiCert disclosed a security incident in early April 2026 where attackers targeted support staff using phishing emails with malicious ZIP files, ultimately obtaining initialization codes to procure EV code-signing certificates later used to sign malware.
  First reported: 03.05.2026 21:11 (1 source, 1 article). Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
- DigiCert revoked 60 code-signing certificates, including 27 linked to malware campaigns identified prior to public disclosure of the breach.
  First reported: 03.05.2026 21:11 (1 source, 1 article). Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
- Malware campaigns observed using legitimate DigiCert EV certificates included components signed with certificates issued to Lenovo, Kingston, Shuttle Inc, and Palit Microsystems, linked to a Chinese crime group tracked as GoldenEyeDog (APT-Q-27).
  First reported: 03.05.2026 21:11 (1 source, 1 article). Sources:
  - Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha — www.bleepingcomputer.com — 03.05.2026 21:11
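
A read-only host check for the condition described in the snippets above, added here as an example and not taken from Microsoft, DigiCert or the cited article. It reports whether the installed Security Intelligence is at a corrected version, whether the two root certificates are back in the AuthRoot registry store, and whether the false-positive detection was recorded on the host. It assumes that any version at or above 1.449.430.0 carries the correction and that each certificate is stored as a subkey named by its SHA-1 thumbprint.

```powershell
# Added example: read-only triage for the Defender false positive on this page.
# Thumbprints, registry path, detection name and versions come from the page.
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$AuthRootKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$ThreatName  = 'Trojan:Win32/Cerdigent.A!dha'

# Assumption: every Security Intelligence version >= this one has the fix.
$FixedVersion = [version]'1.449.430.0'

# 1. Installed Security Intelligence version versus the corrected version.
$status     = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion
$sigFixed   = $sigVersion -ge $FixedVersion

# 2. Presence of each root certificate in the AuthRoot registry store.
#    Assumption: one subkey per certificate, named by SHA-1 thumbprint.
$certState = foreach ($tp in $Thumbprints) {
    [pscustomobject]@{
        Thumbprint = $tp
        Present    = Test-Path -LiteralPath (Join-Path $AuthRootKey $tp)
    }
}
$missing = @($certState | Where-Object { -not $_.Present })

# 3. Whether Defender recorded the false-positive detection on this host.
$hits = @(Get-MpThreat -ErrorAction SilentlyContinue |
    Where-Object { $_.ThreatName -eq $ThreatName })

# One summary object per host, suitable for export when run fleet-wide.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SignatureVersion  = $sigVersion.ToString()
    SignatureFixed    = $sigFixed
    DetectionRecorded = $hits.Count -gt 0
    RootsMissing      = $missing.Count
    MissingThumbprint = $missing.Thumbprint -join ','
}
```

A host that reports `SignatureFixed = False` or a non-zero `RootsMissing` still needs the corrected definitions, which can be pulled through Windows Security > Virus and threat protection > Protection updates.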