
Microsoft Defender False Positive: DigiCert Certs Flagged as Trojan:Win32/Cerdigent.A!dha — Detection & Remediation

Security Arsenal Team
May 3, 2026
5 min read

A significant definition update error in Microsoft Defender has resulted in the widespread false-positive detection of legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha. For security practitioners, this represents an immediate availability and integrity risk. In affected environments, Defender is not merely alerting; it is actively quarantining or deleting these certificates from the Windows Certificate Store. This action breaks the chain of trust for numerous applications and services reliant on DigiCert, potentially causing outages for VPNs, secure web gateways, and internal code-signing verification. Defenders must act immediately to identify affected endpoints, restore the quarantined certificates, and prevent recurrence.

Technical Analysis

  • Affected Products: Windows 10, Windows 11, Windows Server 2016+ utilizing Microsoft Defender Antivirus.
  • Detection Name: Trojan:Win32/Cerdigent.A!dha
  • Mechanism: A flawed threat definition update incorrectly classified specific DigiCert root CA certificates as malicious. Windows Defender Antivirus, utilizing "Real-time protection," executed automated remediation actions against these files, removing them from the Cert:\LocalMachine\Root or Cert:\LocalMachine\AuthRoot stores.
  • Impact:
    • Availability: Services whose TLS/SSL certificates chain to a DigiCert root may fail to start or reject connections.
    • Integrity: The trust store is modified without administrator consent; if intermediate CAs are also affected, some edge cases may result in self-signed or untrusted certificates being validated.
  • Exploitation Status: This is a vendor-side error (False Positive), not an active exploit. However, the impact mimics a destructive wiper or supply-chain attack targeting PKI infrastructure. Microsoft has since released updated definitions to correct the classification.

Detection & Response

SIGMA Rules

YAML
---
title: Microsoft Defender False Positive - DigiCert Detection
id: 8f9c2d1e-4b3a-4c1d-9e5f-6a7b8c9d0e1f
status: experimental
description: Detects the specific false positive alert generated by Microsoft Defender identifying DigiCert certificates as Trojan:Win32/Cerdigent.A!dha.
references:
  - https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/
author: Security Arsenal
date: 2025/01/24
tags:
  - attack.impact
  - attack.t1565.001  # Data Manipulation: Stored Data Manipulation
logsource:
  product: windows
  service: windefend   # Microsoft-Windows-Windows Defender/Operational channel
detection:
  selection:
    EventID:
      - 1116           # malware detected
      - 1117           # action taken on detected malware
    Threat_Name|contains: 'Trojan:Win32/Cerdigent.A!dha'
  condition: selection
falsepositives:
  - None (this indicates a known false positive that must be investigated)
level: critical
---
title: Microsoft Defender Modifying Certificate Store
id: 9a0d3e2f-5c4b-4d2e-0f6a-7b8c9d0e1f2a
status: experimental
description: Detects the Microsoft Defender engine or command-line tool modifying registry keys under the machine certificate stores, indicating potential quarantine of legitimate certs.
references:
  - Internal Research
author: Security Arsenal
date: 2025/01/24
tags:
  - attack.defense_evasion
  - attack.t1112  # Modify Registry
logsource:
  category: registry_event   # TargetObject is a registry field (Sysmon event IDs 12/13/14)
  product: windows
detection:
  selection:
    Image|endswith:
      - '\MsMpEng.exe'
      - '\MpCmdRun.exe'
    TargetObject|contains:
      - 'SOFTWARE\Microsoft\SystemCertificates'
      - 'SOFTWARE\Policies\Microsoft\SystemCertificates'
  condition: selection
falsepositives:
  - Rare administrative actions
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for the specific false-positive detection by threat name.
// AV detections land in DeviceEvents as AntivirusDetection; the threat name
// is carried in the AdditionalFields JSON string.
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
| where ThreatName contains "Cerdigent"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ThreatName, FolderPath, FileName, SHA256

// Check for MpCmdRun.exe invocations that touch quarantine or definitions
// (-Restore = quarantine restore, -RemoveDefinitions = definition rollback);
// these show where remediation has already been attempted.
DeviceProcessEvents
| where FileName =~ "MpCmdRun.exe"
| where ProcessCommandLine has_any ("-Restore", "-RemoveDefinitions", "quarantine")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName

Velociraptor VQL

VQL — Velociraptor
-- Hunt for the specific threat detection in the Windows Defender support log.
-- MpDetection.log is a plain-text log rather than a CSV, so read it line by
-- line and match with a regular expression (=~ is a regex match in VQL).
-- If the file is locked by the Defender service, add accessor='ntfs'.
SELECT Line FROM parse_lines(
  filename='C:/ProgramData/Microsoft/Windows Defender/Support/MpDetection.log')
WHERE Line =~ 'Cerdigent'
LIMIT 100
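The hunts above confirm that a host saw the detection; the triage step that follows them is to learn exactly which resources Defender acted on. The script below is an added example (not code from the original post) that joins Get-MpThreat, which carries the threat name, with Get-MpThreatDetection, which carries the per-detection resources and outcome, and flags entries touching a certificate store. It assumes the Defender PowerShell module is present and an elevated session; the ThreatStatusID mapping and the resource string format are taken as documented for MSFT_MpThreatDetection.

```powershell
# Added triage example: scope the false positive on one host by listing every
# resource Defender acted on for the Cerdigent threat name, with its outcome.
function Get-CerdigentDetectionScope {
    param([string]$ThreatPattern = '*Cerdigent*')

    # ThreatStatusID meanings as documented for MSFT_MpThreatDetection
    # (assumption: this mapping holds for the Defender build in use).
    $statusNames = @{
        1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'; 4 = 'Removed'
        5 = 'Allowed'; 6 = 'Blocked'; 102 = 'QuarantineFailed'
        103 = 'RemoveFailed'; 104 = 'CleanFailed'; 106 = 'Abandoned'
    }

    # Get-MpThreat exposes ThreatName; Get-MpThreatDetection only exposes
    # ThreatID, so resolve the IDs first and join on them.
    $threatIds = @(Get-MpThreat |
        Where-Object { $_.ThreatName -like $ThreatPattern } |
        Select-Object -ExpandProperty ThreatID -Unique)
    if ($threatIds.Count -eq 0) { return }

    Get-MpThreatDetection |
        Where-Object { $threatIds -contains $_.ThreatID } |
        ForEach-Object {
            $det = $_
            # Resources is an array of strings such as 'file:_C:\...' or
            # 'regkey:_HKLM\...' (assumed format); emit one row per resource.
            foreach ($res in $det.Resources) {
                [pscustomobject]@{
                    Detected   = $det.InitialDetectionTime
                    Remediated = $det.RemediationTime
                    Status     = $statusNames[[int]$det.ThreatStatusID]
                    Succeeded  = $det.ActionSuccess
                    Resource   = $res
                    CertStore  = [bool]($res -match 'SystemCertificates|\.(cer|crt|p7b)$')
                }
            }
        }
}

# Typical use: tabulate everything, then keep only hits that touched a cert store
Get-CerdigentDetectionScope | Where-Object CertStore | Format-Table -AutoSize
```

Rows with Status 'Quarantined' are candidates for the restore step; rows with 'Removed' or a failed status will need a manual re-import of the root.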

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Detects and remediates the Microsoft Defender DigiCert false positive.
.DESCRIPTION
    1. Forces a Defender definition update to pull corrected signatures.
    2. Checks for the specific threat detection.
    3. Restores quarantined items matching the false positive (by threat name only).
    4. Verifies DigiCert presence in the Root and AuthRoot stores.
.NOTES
    Run from an elevated PowerShell session; the Defender module ships with Windows.
#>

$ThreatName = 'Trojan:Win32/Cerdigent.A!dha'
# MpCmdRun.exe as shipped with Windows; after platform updates a newer copy also
# lives under C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Step 1: Update definitions immediately to pull the corrected logic
Write-Host "[+] Initiating Microsoft Defender definition update..."
& $MpCmdRun -SignatureUpdate

# Step 2: Check for the false positive in threat history.
# Get-MpThreat carries ThreatName; Get-MpThreatDetection does not.
Write-Host "[+] Checking for $ThreatName in threat history..."
$threatFound = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }

if ($threatFound) {
    Write-Host "[!] False positive detected on this host." -ForegroundColor Yellow

    # Step 3: Restore quarantined items, scoped to this threat name so that
    # genuine quarantined malware is not restored alongside the certificates.
    Write-Host "[+] Quarantine contents before restore:"
    & $MpCmdRun -Restore -ListAll
    Write-Host "[+] Restoring quarantined items named $ThreatName..."
    & $MpCmdRun -Restore -Name $ThreatName -All
} else {
    Write-Host "[*] No threat detection found for Cerdigent."
}

# Step 4: Verify DigiCert root certificates are present in both trusted root stores
Write-Host "[+] Verifying DigiCert root certificates in LocalMachine Root and AuthRoot stores..."
$digicertRoots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Issuer -like '*DigiCert*' }

if ($digicertRoots) {
    Write-Host "[+] Found $(@($digicertRoots).Count) DigiCert root certificates. Store appears intact."
    $digicertRoots | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
} else {
    Write-Host "[!] CRITICAL: No DigiCert root certificates found. Manual import of root certs may be required." -ForegroundColor Red
}

# Step 5: Optional: Add exclusion if needed (use with caution, per organizational policy)
# Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"

Remediation

To resolve this issue across your environment, follow these prioritized steps:

  1. Update Intelligence: Ensure all endpoints have received the latest Microsoft Defender platform and definition updates. The vendor has corrected the faulty definition. Force an update on critical infrastructure if automatic updates are delayed.

  2. Restore Quarantine: On systems where certificates were quarantined, you must restore them.

    • Automated: Use the provided PowerShell script to restore the quarantined items.
    • Manual: Open Windows Security -> Virus & threat protection -> Protection history -> Filter by "Quarantined items" -> Restore all items flagged as Trojan:Win32/Cerdigent.A!dha.

  3. Verify Trust Chain: After restoration, validate that applications relying on TLS (VPNs, browsers, agents) are functioning correctly.

  4. System Restart: Where a running process cached the now-missing certificate or held a lock on the file handle, a system restart may be required to re-establish the trust chain correctly.

  5. Vendor Advisory: Monitor Microsoft Security Intelligence for official confirmation and the corrected definition version for this false positive.
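Step 3 is easier to do rigorously when the trust store is compared against a known-good reference rather than eyeballed. The script below is an added example (not code from the original post): it exports a baseline of the Root and AuthRoot stores from a healthy host, then on an affected host reports which DigiCert roots from that baseline are missing. The baseline path and the DigiCert subject pattern are assumptions; adjust them to your environment.

```powershell
# Added verification example: baseline-diff the machine trust stores.
# Run Export-TrustStoreBaseline on a host known to be unaffected, copy the CSV
# to the affected host, then run Compare-TrustStoreToBaseline there.
function Export-TrustStoreBaseline {
    param([string]$Path = 'C:\Temp\trust-baseline.csv')   # assumed location
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
        Select-Object Thumbprint, Subject, NotAfter, PSParentPath |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-TrustStoreToBaseline {
    param(
        [string]$BaselinePath  = 'C:\Temp\trust-baseline.csv',
        [string]$SubjectPattern = '*DigiCert*'   # roots are self-signed: Subject == Issuer
    )
    $baseline = Import-Csv $BaselinePath |
        Where-Object { $_.Subject -like $SubjectPattern }
    # Thumbprints currently present in this host's Root and AuthRoot stores
    $present = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
        Select-Object -ExpandProperty Thumbprint

    foreach ($b in $baseline) {
        [pscustomobject]@{
            Thumbprint = $b.Thumbprint
            Subject    = $b.Subject
            Store      = ($b.PSParentPath -split '\\')[-1]   # 'Root' or 'AuthRoot'
            Present    = $present -contains $b.Thumbprint
        }
    }
}

# Anything listed here is still missing after the restore and needs re-import
Compare-TrustStoreToBaseline | Where-Object { -not $_.Present } | Format-Table -AutoSize
```

Comparing on thumbprint rather than subject name means a root that was replaced by a different certificate with the same name still shows up as missing.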
