In recent days many Windows administrators and users saw Microsoft Defender alerts linking legitimate DigiCert certificates to the detection Trojan:Win32/Cerdigent.A!dha; on some machines those certificates were even removed from the Windows trust store (AuthRoot), causing confusion and, in extreme cases, unnecessary reinstallations of the operating system.
The immediate cause was a Defender signature update shipped in late April that added that detection; Microsoft then distributed corrections in security intelligence versions 1.449.430.0 and its successor 1.449.431.0 to remove the false positive and, according to reports, restore the deleted certificates on affected systems. The detection description is available in the Microsoft Malware Encyclopedia, and the initial technical coverage of the incident is on BleepingComputer.

This event runs in parallel with a security incident at DigiCert in which attackers obtained "initialization codes" that allowed them to have some EV code-signing certificates issued, several of which were used to sign malware. That breach explains why researchers saw DigiCert certificates linked to malicious campaigns, but the entries Defender flagged were root certificates in the trust store, not necessarily the revoked code-signing certificates. This complicates the investigation and raises the risk of collateral damage from automatic handling of signatures by AV solutions.
The practical implications matter: removing or altering AuthRoot can produce TLS/HTTPS errors, code-signature validation failures and problems in applications that depend on the system's chain of trust. For organizations this can translate into unreachable services, signatures rejected by Windows SmartScreen, or interruptions to deployment and update pipelines.
If your environment was affected, avoid drastic actions such as reinstalling the system before verifying some basic facts. First, force a Defender signature update (Windows Security > Virus & threat protection > Protection updates > Check for updates) or check the signature version from PowerShell with Get-MpComputerStatus (Defender module). After updating, check whether the certificates were restored automatically and run a full Defender scan to confirm that nothing malicious remains.
If the certificates are still missing, inspect the local store and the logs: with PowerShell you can list the local root store (Cert:\LocalMachine\AuthRoot) and export or re-import legitimate certificates if you have a copy. Windows can also recover roots through the automatic root certificate update mechanism, and if you need to restore manually you can use certutil or PowerShell to add trusted certificates. In any case, keep copies of the certificates and the logs before making changes, and document the intervention for audit purposes.
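As an added example (not from the article), the following PowerShell script performs the checks described above on one machine: it confirms the Defender signature version against the build the article names as carrying the fix, backs up the AuthRoot store, and compares it with a baseline exported from a known-good machine; the baseline CSV and backup folder paths are hypothetical placeholders.

```powershell
# Added example (not from the article): audit the Defender signature version and the
# AuthRoot store on one machine, back up the store, and compare it with a baseline.
# The baseline CSV path, backup folder and minimum version below are placeholders.
param(
    [string]$BaselineCsv = "C:\Baseline\AuthRoot-thumbprints.csv",  # hypothetical path
    [string]$BackupDir   = "C:\CertBackup",                           # hypothetical path
    [version]$MinSigVersion = [version]"1.449.431.0"                  # fixed version named in the article
)

# 1. Is this machine still on a signature build older than the one carrying the fix?
$sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($sig -lt $MinSigVersion) {
    Write-Warning "Signature $sig is older than $MinSigVersion; updating."
    Update-MpSignature   # same as 'Check for updates' in Windows Security
    $sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
}
Write-Host "Defender signature version: $sig"

# 2. Snapshot the current AuthRoot store before touching anything (public certs only;
#    AuthRoot never holds private keys).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$roots = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot
foreach ($c in $roots) {
    $file = Join-Path $BackupDir ("{0}.cer" -f $c.Thumbprint)
    if (-not (Test-Path $file)) { Export-Certificate -Cert $c -FilePath $file | Out-Null }
}
Write-Host ("AuthRoot holds {0} certificates; backup in {1}" -f $roots.Count, $BackupDir)

# 3. Compare with a baseline exported from a known-good machine (CSV columns: Thumbprint,Subject),
#    e.g. Get-ChildItem Cert:\LocalMachine\AuthRoot | Select Thumbprint,Subject | Export-Csv ...
if (Test-Path $BaselineCsv) {
    $baseline = Import-Csv $BaselineCsv
    $missing  = $baseline | Where-Object { $_.Thumbprint -notin $roots.Thumbprint }
    if ($missing) {
        Write-Warning "Roots present in the baseline but missing here:"
        $missing | Format-Table Thumbprint, Subject -AutoSize
    } else {
        Write-Host "No roots missing relative to the baseline."
    }
}

# 4. Show which DigiCert roots are still present, since those were the flagged entries.
$roots | Where-Object { $_.Subject -like "*DigiCert*" } |
    Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# To re-import a backed-up root after checking its thumbprint against a trusted source:
# Import-Certificate -FilePath <file.cer> -CertStoreLocation Cert:\LocalMachine\AuthRoot
```

Run it elevated, since AuthRoot under LocalMachine requires administrative rights to modify and Get-MpComputerStatus needs the Defender module present.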

Besides restoring trust, adopt post-incident controls: verify system integrity with sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth, review recent logons and access, rotate exposed administrative credentials, and hunt for indicators of compromise (IoCs) related to the campaign that used the compromised certificates. If you manage many endpoints, prioritize pushing the signature update through your central management tools and monitor help desks and forums to identify devices that received automatic removal actions.
Finally, it is important to separate two related but distinct problems: the fraudulent issuance or malicious use of signing certificates (the problem originating at DigiCert) and the antivirus false positive that affected root certificates. For follow-up and technical context, consult the public trail of the DigiCert incident (discussed on technical platforms such as Mozilla's tracking bug in Bugzilla) and Microsoft's disclosure on the detection.