Microsoft Defender Flags DigiCert Root Certificates as Trojan

Recently, Microsoft Defender was found misclassifying trusted DigiCert root certificates as malware, labelling them “Trojan:Win32/Cerdigent.A!dha.” In some cases Defender went further and removed the certificates from the Windows certificate store, causing significant disruption for IT professionals around the world.

What Was Reported

Administrator reports began surfacing from several regions indicating that reputable DigiCert root certificates were being flagged as malicious, with some cases involving their automatic removal from the system.

The certificates in question were:

  1. 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  2. DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

Impact on Systems

Because these root certificates are a fundamental part of the Windows trust architecture, flagging and removing them caused major disruptions, including:

  1. Security alerts referencing Cerdigent across multiple systems.
  2. Disruption of certificate-based trust validation.
  3. Warnings for, or blocking of, legitimate applications.
  4. Certificate validation failures.

Some users even believed their systems had been hacked and reinstalled Windows unnecessarily.

Detection Name

The false positives were associated with the following Defender detection:

Trojan:Win32/Cerdigent.A!dha

Microsoft’s Response and Fix

Microsoft has fixed the problem through updated definitions for Defender Security Intelligence.
These updates included:

  • Security Intelligence Update 1.449.430.0
  • Latest Security Intelligence 1.449.439.0

It appears that the new definitions not only suppress the false alerts but also restore certificates that the faulty detection removed from the store.
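As an added example, not from the article or from Microsoft, here is a PowerShell check an administrator could run after applying the hotfix. It assumes an elevated session on a machine with the Defender PowerShell module, and uses the two thumbprints and the definition version the article quotes.

```powershell
# Added example, not from the original article or from Microsoft/DigiCert.
# Assumes Windows PowerShell with the Defender module (Get-MpComputerStatus,
# Get-MpThreat) and an elevated session. Checks three things an admin would
# want to confirm after this incident:
#   1. the Defender definition version is at or above the hotfixed release,
#   2. both root certificates named in the article are present in the
#      LocalMachine Root store,
#   3. whether Defender still lists any Cerdigent detection.

$HotfixVersion = [version]'1.449.430.0'
$ExpectedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)

# 1. Definition version: anything older than the hotfix still carries the bad logic
$status = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion
if ($sigVersion -lt $HotfixVersion) {
    Write-Warning "Definitions $sigVersion are older than $HotfixVersion; run Update-MpSignature."
} else {
    Write-Output "Definitions $sigVersion include the Cerdigent hotfix."
}

# 2. Root store check by thumbprint (case-insensitive comparison)
$rootStore = Get-ChildItem -Path Cert:\LocalMachine\Root
foreach ($tp in $ExpectedThumbprints) {
    $cert = $rootStore | Where-Object { $_.Thumbprint -ieq $tp }
    if ($null -eq $cert) {
        Write-Warning "Missing from LocalMachine\Root: $tp"
    } else {
        Write-Output ("Present: {0}  {1}" -f $tp, $cert.Subject)
    }
}

# 3. Detection history: any Cerdigent entries Defender still reports
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
if ($hits) {
    $hits | Select-Object ThreatName, IsActive, Resources | Format-Table -AutoSize
} else {
    Write-Output 'No Cerdigent detections recorded by Defender.'
}
```

A missing thumbprint after the hotfix means the certificate was quarantined and not yet restored, which is the case Microsoft says it is still remediating.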

Microsoft’s Official Statement

“We’ve received reports from a subset of affected tenants utilizing Microsoft Defender Antivirus who may be receiving alerts notifying them of a false positive detection in Defender Antivirus, which reads as, ‘ThreatName – Trojan:Win32/Cerdigent.A!dha.’ We’ve isolated that the threat was a detection logic issue in a recent Security Intelligence update which caused legitimate files or certificates to be incorrectly identified as ‘Trojan:Win32/Cerdigent.A!dha.’ We’ve created and implemented new false positive suppression rules to prevent users from being impacted by these alerts, and we’ve also published a new version of Microsoft Defender Antivirus Security Intelligence (Version 1.449.430.0) containing a hotfix to remediate the alerts, which we urge users to upgrade to at this time. Simultaneously, we’re working to restore files and certificates that were incorrectly quarantined due to the alerts, and we aim to provide a timeline to remediation as soon as one becomes available.”

Possible Link to DigiCert Incident

According to DigiCert, the attackers carried out a phishing attack by tricking one of its customer support representatives into opening a zip file disguised as a screenshot. The result was limited access to DigiCert’s systems.

DigiCert said the attackers were able to obtain initialization codes for some certificate applications and combined them with otherwise legitimate applications for code signing certificates.

Key points according to DigiCert:

  • Some EV code signing certificates were compromised.
  • 60 code signing certificates have been revoked.