Full Report
Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. [...]
Analysis Summary
# Incident Report: Microsoft Defender False Positive - Trojan:Win32/Cerdigent.A!dha
## Executive Summary
A Microsoft Defender signature update (v1.449.x) incorrectly flagged legitimate DigiCert root certificates as malware, specifically "Trojan:Win32/Cerdigent.A!dha." This resulted in widespread false-positive alerts and the automated removal of root certificates from the Windows AuthRoot trust store, causing significant operational concern. Microsoft has since released a fix that ceases the detection and reportedly restores the deleted certificates.
## Incident Details
- **Discovery Date:** May 3, 2026 (Widespread reporting)
- **Incident Date:** April 30, 2026 (Initial signature rollout)
- **Affected Organization:** Microsoft (Vendor), DigiCert (Indirectly), and global Windows users/admins
- **Sector:** Information Technology / Global
- **Geography:** Worldwide
## Timeline of Events
### Initial Access
- **Date/Time:** April 30, 2026
- **Vector:** Routine Software Update
- **Details:** Microsoft added a new detection signature for "Trojan:Win32/Cerdigent.A!dha" to Defender’s Security Intelligence updates.
### Lateral Movement
- **N/A:** As this was a false positive triggered by a security vendor's signature update, there was no attacker lateral movement within the affected environments.
### Data Exfiltration/Impact
- **Data Loss:** Potential loss of trust in the Windows Certificate Store.
- **Impact:** Automated removal of valid DigiCert root certificates located in `HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\`. This led to system instability for applications relying on those certificates for trust verification.
### Detection & Response
- **How it was discovered:** System administrators and security researchers (including Florian Roth) noticed a surge in alerts and missing certificates.
- **Response actions taken:** Microsoft released Security Intelligence update version **1.449.430.0** to remediate the false positive and restore removed registry entries.
## Attack Methodology
*Note: This section describes the "GoldenEyeDog" (APT-Q-27) activity that likely triggered the aggressive Microsoft signature, though the incidents are distinct.*
- **Initial Access:** Phishing emails containing malicious ZIP files/fake screenshots targeting DigiCert support staff.
- **Persistence:** Not specified in the article.
- **Privilege Escalation:** Use of internal support portals to view customer accounts from a customer perspective.
- **Defense Evasion:** Use of legitimate EV Code Signing certificates to sign "Zhong Stealer" malware.
- **Credential Access:** Procurement of "initialization codes" for approved but undelivered EV certificates.
- **Discovery:** Identifying undelivered certificate orders within the support environment.
- **Lateral Movement:** Compromise of an initial support analyst's device, followed by a second system via a "sensor gap."
- **Collection:** Gathering certificate initialization codes.
- **Exfiltration:** Transferring codes to the threat actor's infrastructure to generate valid certificates.
- **Impact:** (In the context of the Defender incident) Disruption of Windows trust stores and unnecessary system re-imaging by concerned users.
## Impact Assessment
- **Financial:** High operational costs for IT departments troubleshooting alerts; costs associated with users unnecessarily re-installing operating systems.
- **Data Breach:** None (False Positive scenario).
- **Operational:** Widespread business disruption due to certificate trust failures and "noise" in Security Operations Centers (SOCs).
- **Reputational:** Minor impact to Microsoft and DigiCert due to the nature of the false-positive link.
## Indicators of Compromise
### File/Registry Indicators
- `HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43` (Flagged/Removed)
- `HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4` (Flagged/Removed)
- Name: `Trojan:Win32/Cerdigent.A!dha`
## Response Actions
- **Containment:** None required; the "threat" was a false positive.
- **Eradication:** Manual and automatic updates of Microsoft Defender signatures to version **1.449.430.0** or higher.
- **Recovery:** Automatic restoration of the registry keys by the updated Microsoft signature.
## Lessons Learned
- **Signature Testing:** Aggressive malware signatures targeting certificate-related artifacts must be strictly validated against Windows root trust stores.
- **Supply Chain Sensitivity:** Disclosures of upstream breaches (like DigiCert's) can lead to downstream "collateral damage" in the form of overly-broad security configurations.
- **End-User Communication:** Early public confirmation of false positives is essential to prevent users from taking destructive recovery actions like OS re-installs.
## Recommendations
- **Verify Updates:** Ensure all Windows endpoints have updated to Defender signature **1.449.430.0** or later.
- **Monitor Trust Stores:** Implement monitoring for unauthorized or unexpected changes to the Windows AuthRoot registry keys.
- **Incident Validation:** Cross-reference unexpected "Trojan" alerts on core system files or certificates with community threat intelligence (Reddit, X, vendor bulletins) before performing destructive remediation.