Microsoft Defender has recently identified legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, causing a surge in false-positive alerts and, in some instances, the deletion of certificates from Windows systems.
Cybersecurity expert Florian Roth highlighted that the problem emerged following Microsoft’s inclusion of the detections in a Defender signature update on April 30th.
Reports from administrators worldwide began surfacing, stating that DigiCert root certificate entries were being marked as malware and, on impacted devices, removed from the Windows trust store.
Per a Reddit post discussing the false positives, the identified certificates are:
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
These certificates were deleted from the AuthRoot store under the Registry key:
These false positives have caused anxiety among Windows users, with some resorting to reinstalling the operating system to ensure safety.
[Image: Microsoft Defender “Trojan:Win32/Cerdigent.A!dha” false-positive alert. Source: Reddit]
Microsoft has reportedly rectified the detections in Security Intelligence update version 1.449.430.0, with the latest update now at 1.449.431.0.
Further Reddit reports indicate that the fix also reinstates previously removed certificates on affected systems.
The new Microsoft Defender updates will be automatically installed, and users can manually trigger an update by navigating to Windows Security > Virus and threat protection > Protection updates and selecting Check for Updates.
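The following PowerShell script is an added example for administrators checking the state described above; it is not part of the original article. It compares the installed Security Intelligence version against the 1.449.430.0 fix version, triggers the same signature update that "Check for Updates" performs, looks for the two thumbprints quoted above in the LocalMachine AuthRoot store, and lists any Defender detections whose threat name matches Cerdigent. The Defender cmdlets (Get-MpComputerStatus, Update-MpSignature, Get-MpThreat) are the standard ones from the Defender module and require an elevated session; the thumbprints and version number are taken from the article.

```powershell
# Added example (not from the article): verify Defender signature version and
# check the AuthRoot store for the two DigiCert root certificates named above.
# Run elevated on Windows 10/11 or Server 2016+ with the Defender module present.

# Thumbprints quoted in the article (from the Reddit thread)
$affectedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)

# First Security Intelligence version the article says contains the fix
$fixedVersion = [version]'1.449.430.0'

# 1. Compare the installed signature version with the fixed version and
#    update if the host is still on an older definition set.
$installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($installed -lt $fixedVersion) {
    Write-Warning "Signatures $installed predate the fix ($fixedVersion); updating."
    Update-MpSignature   # same action as Windows Security > Protection updates > Check for Updates
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
"Security Intelligence version: $installed (fix: $fixedVersion)"

# 2. Check whether each flagged thumbprint is present in LocalMachine\AuthRoot.
$authRoot = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot
foreach ($thumb in $affectedThumbprints) {
    $cert = $authRoot | Where-Object { $_.Thumbprint -eq $thumb }
    if ($cert) {
        "PRESENT  $thumb  $($cert.Subject)  (expires $($cert.NotAfter.ToShortDateString()))"
    } else {
        "MISSING  $thumb  (not in Cert:\LocalMachine\AuthRoot)"
    }
}

# 3. Show any Defender detections recorded under the false-positive threat name.
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Cerdigent*' } |
    Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute |
    Format-Table -AutoSize
```

A "MISSING" result on its own is not proof that Defender removed the certificate: Windows populates the AuthRoot store on demand from the Windows Root Certificate Program, so a root that has never been needed on that host may simply not have been downloaded yet. Treat a missing entry as worth investigating only when the Defender detection list in step 3 shows a Cerdigent hit on the same machine, and re-run the check after the signature update has completed, since the article notes that the fixed update reinstates the removed certificates.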
Link to Recent DigiCert Breach
The false positives surfaced shortly after a disclosed security incident at DigiCert, where threat actors managed to obtain valid code-signing certificates for signing malware.
According to the DigiCert incident report, the attack targeted a member of the customer support team, leading to the compromise of a support analyst’s device and subsequent access to code-signing certificates.
In response, DigiCert revoked 60 code-signing certificates, including 27 involved in malware activities.
Prior to the disclosure, security researchers observed newly issued DigiCert EV certificates being used in malware campaigns, with certificates belonging to reputable companies such as Lenovo and Kingston being abused.
The malware campaign, known as “Zhong Stealer,” employed phishing emails and signed binaries to distribute malicious payloads.
While Microsoft has not confirmed a direct link between the Defender detections and the DigiCert incident, the timing and focus on DigiCert-related certificates suggest a potential correlation.
It’s important to note that the certificates flagged by Microsoft Defender are root certificates in the Windows trust store and differ from the revoked DigiCert code-signing certificates used for malware.
BleepingComputer reached out to Microsoft for further insights on the campaign, including any ties to the DigiCert breach.