Defender false-positive yanks DigiCert root certs after botched response to cert breach
Original source: Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha (BleepingComputer)
Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha after a signature update on April 30th, with the bad detections removing two specific roots (thumbprints 0563B8…D43 and DDFB16…5E4) from the Windows AuthRoot trust store on affected machines. Administrators reported widespread alerts, and some users wiped and reinstalled Windows believing they were compromised. Microsoft has shipped a fix in Security Intelligence update 1.449.430.0 that suppresses the alerts and restores the deleted certificates.
Microsoft confirmed the bad detections were a misfired response to a recent DigiCert breach in which attackers compromised a support analyst via a malicious ZIP disguised as a screenshot, then leveraged an internal support-portal feature to view customer accounts and harvest initialization codes for approved-but-undelivered EV code-signing certificate orders. DigiCert revoked 60 certificates, 27 of which were tied to the ‘Zhong Stealer’ campaign attributed to Chinese group GoldenEyeDog (APT-Q-27), with certs issued under names like Lenovo, Kingston, Shuttle, and Palit used to sign the malware.
The critical detail Microsoft botched: the root certificates Defender ripped out are not the revoked code-signing certs used by the attackers. The detection logic conflated DigiCert’s trust-anchor roots with the abused EV signing certs, breaking certificate validation system-wide on patched endpoints. It’s a clean illustration of how a rushed AV signature push, aimed at a real threat, can cause more operational damage than the threat itself.
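A host-side triage check for the incident described above, written as an added example (not code from the BleepingComputer article or from Microsoft): it lists the DigiCert roots still present in the AuthRoot store, reports which of the two expected thumbprints are missing, checks whether the Defender signature version is at or past the 1.449.430.0 fix, and pulls any Cerdigent detections from Defender's threat history. The full thumbprints are truncated in the summary, so the placeholders must be filled from the original article; the `Get-Mp*` cmdlets assume the built-in Defender PowerShell module on Windows.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell session.
# The two root thumbprints are truncated in the summary ("0563B8...D43", "DDFB16...5E4");
# replace these placeholders with the full SHA-1 thumbprints from the source article.
$ExpectedRoots = @(
    '<FULL-THUMBPRINT-0563B8...D43>',   # placeholder
    '<FULL-THUMBPRINT-DDFB16...5E4>'    # placeholder
)
# Signature version that Microsoft says suppresses the alert and restores the roots.
$FixedSignatureVersion = [version]'1.449.430.0'

function Test-DigiCertRootTrust {
    # AuthRoot is the store Windows uses for third-party roots distributed by Microsoft;
    # this is the store the bad detection removed the DigiCert roots from.
    $authRoot = @(Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot')
    $digiCert = @($authRoot | Where-Object { $_.Subject -like '*DigiCert*' })

    # Any expected thumbprint that is no longer present indicates the host was affected.
    $missing = @(foreach ($tp in $ExpectedRoots) {
        if (-not ($authRoot | Where-Object { $_.Thumbprint -ieq $tp })) { $tp }
    })

    # Compare the installed signature version with the version that carries the fix.
    $sigVersion = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    $fixApplied = $sigVersion -ge $FixedSignatureVersion

    [pscustomobject]@{
        DigiCertRootsInAuthRoot = $digiCert.Count
        MissingExpectedRoots    = $missing
        SignatureVersion        = $sigVersion
        FixApplied              = $fixApplied
        # Roots gone but fix not yet installed: update signatures, then re-run this check.
        Recommendation          = if ($missing.Count -gt 0 -and -not $fixApplied) {
                                      'Run Update-MpSignature, then re-run Test-DigiCertRootTrust'
                                  } elseif ($missing.Count -gt 0) {
                                      'Fix installed but roots still missing; verify update applied'
                                  } else { 'No action needed' }
    }
}

function Get-CerdigentDetections {
    # Surface the false-positive detection from Defender's threat history so an analyst
    # can triage it as this known FP rather than as a compromise.
    Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' } |
        Select-Object ThreatName, ThreatID, SeverityID
}

Test-DigiCertRootTrust
Get-CerdigentDetections
```

The same thumbprint check can be run across a fleet by wrapping `Test-DigiCertRootTrust` in `Invoke-Command` against a list of hosts; the Recommendation field is what to act on.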
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.