Microsoft Defender Flags Legit DigiCert Certs as Trojans
A faulty signature update caused Windows Defender to detect trusted DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha. Microsoft has released a fix, but some users already reinstalled Windows.
Windows Defender started flagging legitimate DigiCert root certificates as high-severity malware earlier today, triggering panic among system administrators and home users worldwide. Microsoft has since corrected the faulty detection, but not before some users wiped their machines believing they were genuinely infected. The incident marks another rough week for Microsoft security after a critical Entra ID privilege escalation flaw was disclosed just days ago.
The false positive began appearing after Microsoft pushed Security Intelligence update version 1.449.424.0. Defender detected two trusted DigiCert root certificates in the Windows certificate store as "Trojan:Win32/Cerdigent.A!dha" and, in some cases, automatically removed them from the system.
What Happened
The problematic signature update targeted two specific DigiCert root certificate hashes:
- 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
- DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 (DigiCert Trusted Root G4)
These certificates sit in nearly every Windows installation and anchor the trust chain for countless websites and applications. When Defender flagged and removed them, affected systems lost the ability to validate certificates signed by DigiCert—one of the largest certificate authorities in the world.
Reports flooded Microsoft's Q&A forums and community sites within hours. Users described identical alerts across Windows 11 desktops, Windows Server installations, and enterprise environments. Some, unfamiliar with certificate management, assumed the worst and reinstalled their operating systems.
Why Microsoft Flagged the Certificates
The timing wasn't coincidental. The false positive emerged shortly after DigiCert disclosed a genuine security incident involving compromised code-signing certificates.
According to a Mozilla Bugzilla report documenting the incident, a threat actor compromised a DigiCert support analyst's machine in early April 2026. The attacker delivered a malicious ZIP file disguised as a customer screenshot, gaining access to initialization codes for code-signing certificates. DigiCert ultimately revoked 60 certificates—27 directly linked to the "Zhong Stealer" malware campaign. The technique mirrors supply chain attacks we've tracked where attackers abuse trusted distribution channels to spread credential-stealing payloads.
Microsoft apparently intended to detect those compromised code-signing certificates. Instead, the signature update accidentally flagged DigiCert's root CA certificates—completely different entities that had nothing to do with the breach.
It's the kind of mistake that highlights how complex certificate infrastructure has become. Root certificates and code-signing certificates serve different purposes in the trust hierarchy, but a pattern-matching error in Defender's signature database conflated the two.
The Fix
Microsoft corrected the detection in Security Intelligence update versions 1.449.430.0 and 1.449.431.0. The update not only stops the false alerts but also restores previously removed certificates to the Windows trust store—at least for users who haven't already taken more drastic action.
To manually update, open Windows Security, navigate to Virus & threat protection, click Protection updates, then select Check for updates. Defender should pull the corrected signatures automatically within hours for most users.
For enterprise administrators, KB2267602 addresses the issue across managed endpoints.
Not Microsoft's First Detection Mishap
This isn't the first time Defender signature updates have caused disruption. Similar incidents have occurred with varying degrees of severity—from flagging legitimate business applications as malware to quarantining essential Windows components. Last month, researchers discovered 73 malicious VS Code extensions that sat dormant for months before activating—a reminder that even security tools designed to protect developers can become vectors for compromise.
False positives are an unavoidable trade-off in malware detection. Signature databases covering millions of threats will occasionally misidentify benign files. What matters is response speed—and Microsoft's turnaround here was relatively quick, with corrected signatures available within the same day.
Still, for users who already nuked their systems or spent hours troubleshooting phantom infections, the "fix" comes too late.
What Organizations Should Do
If your environment uses DigiCert certificates (most do, whether you realize it or not), verify that the latest Defender signatures have been applied. Check certificate stores on affected machines to confirm the DigiCert root certificates are present:
- Open Certificate Manager (certmgr.msc)
- Navigate to Trusted Root Certification Authorities > Certificates
- Verify DigiCert entries are present
Systems that had certificates removed before the fix may experience TLS validation errors for sites and applications using DigiCert-issued certificates. Restoring the affected machines to a known-good state or manually importing the DigiCert roots will resolve those issues.
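The manual update step from "The Fix" and the certificate-store check above, combined into one script as an added example (not code from the article or from Microsoft). It uses the two DigiCert root hashes quoted in the article as SHA-1 thumbprints (only the second is named there), the corrected signature version the article cites, and the built-in Defender PowerShell module; the detection-name match on Trojan:Win32/Cerdigent is an assumption about how the alert appears in local history.

```powershell
# Added example, not from the article or from Microsoft: checks the things the
# article tells administrators to verify on one Windows host.
# Thumbprints are the two DigiCert root hashes quoted in the article (only the
# second is named there); the version is the first corrected Security
# Intelligence release it cites. Requires the built-in Defender module.

$FixedVersion  = [version]'1.449.430.0'   # 1.449.431.0 also carries the fix
$ExpectedRoots = [ordered]@{
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' = 'DigiCert root (first hash in the article)'
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4' = 'DigiCert Trusted Root G4'
}

# 1. Signature level: is the installed Security Intelligence at or past the fix?
$status = Get-MpComputerStatus
$sigVer = [version]$status.AntivirusSignatureVersion
if ($sigVer -ge $FixedVersion) {
    Write-Output "Signatures $sigVer include the corrected detection."
} else {
    Write-Warning "Signatures $sigVer predate the fix; pulling the latest update."
    Update-MpSignature   # same action as Protection updates > Check for updates
}

# 2. Trust store: are both roots still in Trusted Root Certification Authorities?
$missing = @()
foreach ($tp in $ExpectedRoots.Keys) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $tp
    if ($cert) {
        Write-Output ("Present: {0} [{1}] valid until {2:d}" -f $ExpectedRoots[$tp], $tp, $cert.NotAfter)
    } else {
        Write-Warning ("MISSING: {0} [{1}]" -f $ExpectedRoots[$tp], $tp)
        $missing += $tp
    }
}

# 3. Detection history: did this host record the false positive before the fix?
#    (assumes the alert is logged under the Trojan:Win32/Cerdigent name)
$ids  = (Get-MpThreat | Where-Object ThreatName -like 'Trojan:Win32/Cerdigent*').ThreatID
$hits = @(Get-MpThreatDetection | Where-Object { $ids -contains $_.ThreatID })
foreach ($h in $hits) {
    Write-Output ("Cerdigent detection at {0} on {1}" -f $h.InitialDetectionTime, ($h.Resources -join ', '))
}

# One-object summary, convenient to collect fleet-wide with Invoke-Command
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SignatureVersion = $sigVer
    Fixed            = ($sigVer -ge $FixedVersion)
    MissingRoots     = $missing
    CerdigentHits    = $hits.Count
}
```

Hosts that report a missing root alongside a Cerdigent hit are the ones that had the certificate removed and need it restored; hosts with a hit but no missing root were repaired by the corrected signatures.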
For the broader security community, this incident serves as a reminder that antivirus detections shouldn't be taken at face value—especially when they target system-level components like root certificates. When Defender claims your certificate store contains a high-severity trojan, a moment of skepticism and a quick search can prevent unnecessary remediation.