THE CIRCUITRYYour one-stop source for all tech news

Home/Tech/Defender Falsely Flags DigiCert Root Certs as Malware

VERIFIEDBy Xavier Rivera· ·1 min read

Defender Falsely Flags DigiCert Root Certs as Malware

Microsoft Defender wrongly flags legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, causing false alerts and trust store removals after an April 30 update. Microsoft has fixed it in the latest security intelligence update amid a recent DigiCert breach that exposed code-signing certificates to attackers.

Source:BleepingComputer

Post

Defender Falsely Flags DigiCert Root Certs as Malware

TL;DRAI · 60 sec read

Microsoft Defender detects legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, triggering widespread false-positive alerts and, in some cases, removing certificates from the Windows trust store.

Cybersecurity expert Florian Roth notes the issue emerged after Microsoft added the detections in a Defender signature update on April 30. Administrators worldwide report DigiCert root certificate entries flagged as malware, with affected systems removing them from the AuthRoot store under the registry key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\.

From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →

The flagged certificates bear hashes 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4. Concerned Windows users have reinstalled their operating systems, fearing infection.

Microsoft reportedly fixes the detections in Security Intelligence update version 1.449.430.0; the latest is now 1.449.431.0. The update also restores removed certificates and installs automatically, though users can force it via Windows Security > Virus and threat protection > Protection updates > Check for updates.

The false positives follow a recent DigiCert security incident where threat actors obtained valid code-signing certificates for malware. Attackers targeted support staff in early April with malicious ZIP files disguised as screenshots. After compromising devices, they accessed initialization codes for pending EV code-signing orders via an internal portal, leading DigiCert to revoke 60 certificates, including 27 linked to malware.

EXPERT TAKE

Expert Take: Administrators should check Windows Security for the latest Defender update to restore any removed DigiCert root certificates from the trust store.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported

DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee

Microsoft Defender DigiCert

MORE IN TECH

Qualcomm launches Dragonfly C1000 CPU for data centers with Meta as key client

Qualcomm introduced its Dragonfly C1000 data center CPU engineered for agentic AI on Wednesday and confirmed Meta as a customer once production begins in 2028. The announcement underscores the mobile-centric chipmaker's drive into higher-growth data center segments where energy efficiency has become a decisive factor amid surging AI-agent workloads.

Google to lower Play Store fees in US, Europe, UK on June 30

Google is set to implement lower Play Store fees and external payment options in Europe, the UK, and the US starting June 30 as part of its Epic Games settlement. The changes introduce a 10 percent service fee on the first $1 million in annual earnings for small developers and expand globally through 2027.

CISA Warns Hackers Are Actively Exploiting Severe Ubiquiti Flaws

CISA placed three severe Ubiquiti UniFi OS vulnerabilities and one critical Lantronix command injection flaw into its Known Exploited Vulnerabilities catalog on June 23, 2026, after confirming active attacks. Federal agencies must apply patches or mitigations within three days under BOD 26-04, while Bishop Fox demonstrated the Ubiquiti issues can be chained for full remote code execution and released a free detection script.