False Alarm: Microsoft Defender vs. DigiCert Root Certificates

A widespread security incident occurred on May 3, 2026, when a faulty Microsoft Defender signature update (version 1.449.424.0) began incorrectly flagging legitimate DigiCert Root Certificates as high-severity malware. The detection, labeled Trojan:Win32/Cerdigent.A!dha, caused panic among IT departments worldwide as the “infection” appeared on thousands of clean systems simultaneously.


1. The “Cerdigent” False Positive

The “Trojan” alert did not point to a real virus; it was a hash mismatch error. Microsoft’s security engine began targeting the cryptographic fingerprints of two essential internet building blocks:

  • DigiCert Assured ID Root CA

  • DigiCert Trusted Root G4

These certificates are stored in the Windows Registry. Because Defender identified them as a “Trojan,” it followed its standard protocol: it quarantined the registry entries, effectively deleting them from the system’s trusted root store.


2. The Impact: A “Broken” Internet

Since these certificates are used to verify the identity of millions of websites and software packages, their removal caused immediate downstream failures:

  • SSL/TLS Failures: Browsers like Edge and Chrome began throwing “Connection Not Private” errors for secure websites.

  • Code-Signing Breaks: Legitimate software and drivers signed by DigiCert failed to run, as Windows could no longer verify their authenticity.

  • Administrative Chaos: IT admins saw hundreds of “Severe” alerts in their dashboards, leading some to trigger emergency isolation protocols or even wipe/reset systems unnecessarily.


3. The Fix: Version 1.449.430.0

Microsoft acknowledged the error and released a corrective update within hours.

  • Auto-Correction: Signature version 1.449.430.0 (and later) contains logic that not only stops the detection but automatically restores the quarantined certificates.

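  • Verification: If you were affected, you can confirm the system has recovered by checking that your Defender signature version is 1.449.430.0 or later, or by running the following command in PowerShell, which lists the DigiCert entries in the AuthRoot certificate store: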

    certutil -store AuthRoot | findstr -i "digicert"
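
A fuller version of the verification step, added here as an example and not a Microsoft or DigiCert script: it compares the installed signature version with 1.449.430.0, looks for both root certificates by name, and reports whether the detection was recorded on the host. Checking the Root store as well as AuthRoot, and matching on the certificate subject's CN, are assumptions of this example.

```powershell
# Added example (not from the article): triage one host for the false positive.
$fixedVersion  = [version]'1.449.430.0'   # corrective signature version named in the article
$expectedRoots = 'DigiCert Assured ID Root CA', 'DigiCert Trusted Root G4'

# 1. Are Defender signatures at or above the corrected version?
$current     = [version](Get-MpComputerStatus).AntivirusSignatureVersion
$signatureOk = $current -ge $fixedVersion

# 2. Are both roots present in a machine trust store?
#    Assumption: Root is checked in addition to AuthRoot (the article's command queries AuthRoot only).
$storeCerts = foreach ($store in 'AuthRoot', 'Root') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Select-Object Subject, NotAfter, @{ n = 'Store'; e = { $store } }
}
$rootReport = foreach ($name in $expectedRoots) {
    # Assumption: the subject begins with the CN shown in the article.
    $hits = @($storeCerts | Where-Object { $_.Subject -like "CN=$name,*" })
    [pscustomobject]@{
        Certificate = $name
        Present     = $hits.Count -gt 0
        Stores      = ($hits.Store | Sort-Object -Unique) -join ', '
    }
}

# 3. Did Defender record the false-positive detection on this host?
$detections = @(Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' })

[pscustomobject]@{
    SignatureVersion  = $current
    SignatureFixed    = $signatureOk
    CerdigentRecorded = $detections.Count -gt 0
} | Format-List
$rootReport | Format-Table -AutoSize

if (-not $signatureOk) {
    'ACTION: update Defender signatures (Update-MpSignature), then re-run this check.'
} elseif ($rootReport.Present -contains $false) {
    'ACTION: signatures are current but a DigiCert root is still missing from the store.'
} else {
    'OK: corrected signatures installed and both DigiCert roots are present.'
}
```

A host that reports CerdigentRecorded as True together with the OK line was hit by the faulty update and has since recovered, which is the case where isolation or a wipe is not needed.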


4. Summary of the Incident

Feature        | Faulty Detection (May 3, 2026) | The Reality
---------------|--------------------------------|-------------------------------
Detection Name | Trojan:Win32/Cerdigent.A!dha   | False Positive
Targeted Files | Registry entries for DigiCert  | Trusted Root Certificates
Remediation    | Automatic Quarantine           | SSL/TLS & Code-Signing Failure
Status         | Critical Threat                | Resolved (Update .430+)
