Microsoft Defender Flags DigiCert Certs as Trojan, Causing False Positives
On March 24, 2026, Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha after a signature update. The detection hit several DigiCert roots, including DigiCert Global Root CA and DigiCert Global Root G2, and raised alerts across enterprise Windows environments. In some cases Defender removed the certificates from the Windows certificate store, breaking code-signing validation and TLS handshakes that chain up to those trust anchors.
The offending definition update, version 1.371.0.6, carried a SHA-256 based pattern that happened to match bytes in the public-key fields of the DigiCert roots. Defender's heuristics then treated the certificate metadata as suspicious, quarantined the files, and deleted the root entries, generating Event ID 1000 "Certificate Store Corrupted" errors. As a result, signed executables failed Authenticode checks, automatic updates that depend on those trust chains stalled, and services relying on TLS authentication reported handshake failures.
Microsoft acknowledged the issue in a Tech Community post, saying a fix is being prepared and advising administrators to add the affected DigiCert certificates to the Windows Security "Exclusions" list. As an interim measure, the company recommends rolling back the signature update via WSUS or manually re-importing the DigiCert roots from DigiCert's official repository using the Certificates snap-in. Organizations should audit their certificate stores for unexpected deletions and restore any removed roots so that trust-chain failures do not linger.
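The interim steps above (check which definition version a machine is on, find Defender's own detection events, confirm whether the named DigiCert roots are still in the machine root store, and re-import any that are gone) can be scripted rather than done by hand in the snap-in. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session, a folder `C:\Recovery\DigiCertRoots` holding the root `.crt` files previously downloaded from DigiCert's official repository, and matches the roots by subject CN rather than by a hard-coded thumbprint. The thumbprints it prints should be compared against the fingerprints DigiCert publishes before the roots are trusted.

```powershell
# Added example: audit the LocalMachine Root store for the DigiCert roots the
# article names and re-import any that are missing from local copies.
# Assumptions: elevated session; $RootDir holds DigiCert root .crt files that were
# downloaded from DigiCert's official repository beforehand (path is a placeholder).
$RootDir = 'C:\Recovery\DigiCertRoots'
$ExpectedRoots = @('DigiCert Global Root CA', 'DigiCert Global Root G2')

# 1. Which Defender definition version is this machine running?
$status = Get-MpComputerStatus
"Defender AV signature version: $($status.AntivirusSignatureVersion)"

# 2. Defender detection events from the last day that mention the false-positive name.
#    1116 = malware detected, 1117 = action taken (Defender operational log IDs).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Cerdigent' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# 3. What DigiCert roots are still present? Print thumbprints for comparison with
#    DigiCert's published fingerprints.
$present = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'CN=DigiCert Global Root' }
$present | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

$missing = $ExpectedRoots | Where-Object {
    $cn = $_
    -not ($present | Where-Object { $_.Subject -match "CN=$([regex]::Escape($cn))(,|$)" })
}

# 4. Re-import anything missing from the locally held DER/PEM copies. Excluding the
#    folder first follows the article's interim advice to exclude the affected
#    certificates, so the .crt files are not quarantined again during import
#    (assumption: a path exclusion is sufficient for that).
if ($missing) {
    Add-MpPreference -ExclusionPath $RootDir
}
foreach ($cn in $missing) {
    $file = Get-ChildItem $RootDir -Filter '*.crt' | Where-Object {
        $subj = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName).Subject
        $subj -match "CN=$([regex]::Escape($cn))(,|$)"
    } | Select-Object -First 1
    if (-not $file) {
        Write-Warning "No local copy of '$cn' found in $RootDir; download it from DigiCert first."
        continue
    }
    $imported = Import-Certificate -FilePath $file.FullName -CertStoreLocation Cert:\LocalMachine\Root
    "Re-imported '$cn' with thumbprint $($imported.Thumbprint)"
}
if (-not $missing) { 'All expected DigiCert roots are present.' }
```

Run it once per affected host (or push it through your management tooling); the event query in step 2 is what tells you whether a host was actually hit, since a root can also be absent for unrelated reasons.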
The incident shows the supply-chain risk that automated detection poses when it acts on widely trusted components. Even though the false positives were confined to a single AV engine, removing root certificates cascades through software distribution, secure communications, and compliance logging. Security teams should watch for similar signature-related anomalies, enforce certificate-policy controls that alert on unexpected root deletions, and keep offline backups of critical certificates so that a repeat can be recovered from quickly.
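Alerting on unexpected root deletions and keeping an offline backup, as recommended above, both start from an inventory of the machine root store. The script below is an added example, not the article's or Microsoft's code: run with `-Snapshot` it writes a JSON baseline of every root's thumbprint and subject and exports each root as DER to a backup directory (the paths are placeholders meant to point at offline or removable media); run without the switch on a schedule it compares the live store against the baseline and raises a warning, and an Application-log event under an assumed source name `RootStoreMonitor`, for any root that has disappeared.

```powershell
# Added example: baseline the LocalMachine Root store, back it up as DER files, and
# alert when a root that was present at baseline is gone.
# Assumptions: elevated session; $BaselinePath/$ExportDir are placeholders for
# offline backup storage; 'RootStoreMonitor' is an assumed event-log source name.
param(
    [switch]$Snapshot,
    [string]$BaselinePath = 'D:\Backups\RootStore\baseline.json',
    [string]$ExportDir    = 'D:\Backups\RootStore\certs'
)

function Get-RootInventory {
    Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
        }
    }
}

if ($Snapshot) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath), $ExportDir | Out-Null
    $inv = Get-RootInventory
    $inv | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    # Export each root as DER so it can be restored later with Import-Certificate.
    foreach ($c in Get-ChildItem Cert:\LocalMachine\Root) {
        Export-Certificate -Cert $c -FilePath (Join-Path $ExportDir "$($c.Thumbprint).cer") `
            -Type CERT -Force | Out-Null
    }
    "Baseline of $($inv.Count) roots written to $BaselinePath; DER copies in $ExportDir"
    return
}

$baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-RootInventory
$missing  = $baseline | Where-Object { $_.Thumbprint -notin $current.Thumbprint }
$added    = $current  | Where-Object { $_.Thumbprint -notin $baseline.Thumbprint }

foreach ($m in $missing) {
    # A root present at baseline is gone: warn locally and write an Application-log
    # event so an existing log forwarder / SIEM picks it up.
    $msg = "Root certificate removed since baseline: $($m.Subject) [$($m.Thumbprint)]"
    Write-Warning $msg
    if (-not [System.Diagnostics.EventLog]::SourceExists('RootStoreMonitor')) {
        New-EventLog -LogName Application -Source 'RootStoreMonitor'
    }
    Write-EventLog -LogName Application -Source 'RootStoreMonitor' -EntryType Warning `
        -EventId 9001 -Message $msg
}
foreach ($a in $added) {
    # New roots are worth a look too: an unexpected addition is its own trust problem.
    Write-Warning "Root added since baseline: $($a.Subject) [$($a.Thumbprint)]"
}
if (-not $missing -and -not $added) { 'Root store matches baseline.' }
```

Take the snapshot from a known-good machine before the next definition update rather than after an incident, and refresh it deliberately whenever you intend to change the root set; otherwise every legitimate root rollout will show up as drift. The exported `.cer` files are exactly what the restore step in the previous example needs.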