Microsoft Defender is incorrectly flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha. The false-positive detection triggers widespread alerts and causes Windows to remove valid certificates from affected systems.
This detection error creates operational friction across organizations relying on DigiCert certificates for SSL/TLS traffic, code signing, and internal authentication. Legitimate certificate operations are interrupted while defenders investigate alerts that pose no actual threat.
The root cause appears tied to Microsoft's signature-based detection logic. DigiCert certificates matching specific characteristics trigger the malware classifier despite their legitimate origin and trust status. Systems running current Defender definitions automatically quarantine or remove the certificates without administrative intervention.
Affected organizations face two immediate problems. First, they must whitelist DigiCert certificates to restore normal operations. Second, they need to restore any certificates already deleted from their certificate stores.
Microsoft and DigiCert have acknowledged the issue. Defenders should immediately review Defender activity logs for Cerdigent.A!dha detections and verify certificate status on critical systems. Add affected DigiCert certificates to Defender exclusions pending an updated signature release. For environments using DigiCert certificates at scale, coordinate restoration procedures to prevent service interruption during the fix window.
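A triage script for the review steps above, added here as an example rather than taken from the article or from Microsoft: it pulls Defender detections matching the threat name, then checks whether the expected DigiCert roots are still in the machine's trusted root store. The expected-root subjects listed are an assumption to adjust to the roots your environment depends on.

```powershell
# Added triage example (not from the original article). Assumptions: run as
# administrator on a Windows host with the Defender PowerShell module, and
# the $expectedRoots list reflects the DigiCert roots your systems rely on.

$threatPattern = 'Cerdigent'

# 1. Detections recorded in the Defender operational event log.
#    Event IDs 1116 (malware detected) and 1117 (action taken) carry the threat name.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $threatPattern }

foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        # Path: and Action: lines in the message show what Defender acted on.
        Detail  = ($e.Message -split "`n" | Where-Object { $_ -match 'Path:|Action:' }) -join ' | '
    }
}

# 2. Cross-check against the Defender module's own threat history.
Get-MpThreat | Where-Object { $_.ThreatName -match $threatPattern } |
    Select-Object ThreatName, ThreatID, SeverityID

# 3. Verify the trusted root store still holds the expected DigiCert roots.
$expectedRoots = @(
    'CN=DigiCert Global Root CA',
    'CN=DigiCert Global Root G2',
    'CN=DigiCert High Assurance EV Root CA'
)
$present = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DigiCert*' }

foreach ($root in $expectedRoots) {
    # Subjects continue with ", OU=www.digicert.com, O=DigiCert Inc, C=US".
    $match = $present | Where-Object { $_.Subject -like "$root,*" -or $_.Subject -eq $root } |
        Select-Object -First 1
    if ($match) {
        "{0,-40} present  thumbprint {1}" -f $root, $match.Thumbprint
    } else {
        "{0,-40} MISSING  restore from a known-good source" -f $root
    }
}
```

Run it on a representative host from each affected group before and after the signature update so the missing-root output can drive the restoration work.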
