Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts and, in some cases, the removal of certificates from Windows.
According to cybersecurity expert Florian Roth, the issue first appeared after Microsoft added the detections to a Defender signature update on April 30th.
Today, administrators worldwide began reporting that DigiCert root certificate entries were flagged as malware and, on affected systems, removed from the Windows trust store.
According to a Reddit post about the false positives, the detected certificates are:
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
On impacted systems, these certificates were removed from the AuthRoot store under this Registry key:
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\
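To check whether a host was affected, the following PowerShell looks for the two thumbprints in the AuthRoot store and the registry key above, then lists any Defender detections recorded under the reported threat name. It is an added example, not from the article or from Microsoft; variable names are illustrative, and it assumes an elevated session with the built-in Defender cmdlets available.

```powershell
# Added example: audit a host for the two DigiCert root thumbprints named in the
# article. Variable names are illustrative; run from an elevated session.
$Thumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
$RegBase    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$ThreatName = 'Trojan:Win32/Cerdigent.A!dha'

# 1. Is each certificate still present, both as a registry subkey and through
#    the certificate provider (Cert:\LocalMachine\AuthRoot is the same store)?
$report = foreach ($tp in $Thumbprints) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot -ErrorAction SilentlyContinue |
            Where-Object Thumbprint -eq $tp
    [pscustomobject]@{
        Thumbprint  = $tp
        InRegistry  = Test-Path -LiteralPath (Join-Path $RegBase $tp)
        InCertStore = [bool]$cert
        Subject     = $cert.Subject     # empty when the certificate is absent
        NotAfter    = $cert.NotAfter
    }
}
$report | Format-Table -AutoSize

# 2. Absence alone does not prove removal: Windows can add third-party roots to
#    AuthRoot on demand, so a host may never have held them. Correlate with
#    Defender's own detection history for the threat name from the article.
if (Get-Command Get-MpThreat -ErrorAction SilentlyContinue) {
    $threats = Get-MpThreat | Where-Object ThreatName -eq $ThreatName
    if (-not $threats) {
        Write-Output "No Defender history entry for $ThreatName on this host."
    }
    foreach ($t in $threats) {
        Get-MpThreatDetection |
            Where-Object ThreatID -eq $t.ThreatID |
            Select-Object InitialDetectionTime, ActionSuccess, Resources |
            Format-List
    }
} else {
    Write-Output 'Defender cmdlets not available; check detection history another way.'
}
```

A host that shows a detection entry together with `InRegistry = False` for the same thumbprint is a candidate for certificate restoration.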
These false positives have led to concern among Windows users, with some thinking their devices were infected and reinstalling the operating system to be safe.