Microsoft Defender false positives trigger DigiCert certificate alerts
Endpoint/Device Security

Microsoft Defender is incorrectly identifying legitimate DigiCert root certificates as malware, leading to widespread false-positive alerts and, in some instances, the removal of these critical certificates from Windows systems. This issue began after a Defender signature update on April 30th, causing administrators globally to report the erroneous detections and removals from the Windows trust store, based on information published by Bleeping Computer.

The false positives involved specific DigiCert root certificates, identified by their SHA-1 hashes, which were flagged as Trojan:Win32/Cerdigent.A!dha. This led to concern among users, with some resorting to reinstalling their operating systems. Microsoft has since released updates to its security intelligence, version 1.449.430.0 and later, which reportedly resolve the issue and restore removed certificates.

The timing of these false positives coincides with a recently disclosed DigiCert security incident where threat actors obtained valid code-signing certificates. While the Defender detections targeted root certificates and not the specific code-signing certificates used in malware campaigns, the proximity of events suggests a potential, though unconfirmed, link. The DigiCert incident involved a breach of a customer support team member's device, allowing attackers to acquire initialization codes for code-signing certificates, which were then used to sign malware, including the Zhong Stealer campaign.

Source: Bleeping Computer
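As an added example (not part of the SC Media article or of Microsoft's own tooling), a defender's post-incident check in PowerShell: it confirms the Defender signature version is at or beyond the fixed release named above, looks for any recorded Cerdigent detection on the host, and lists the DigiCert roots currently in the machine trust store against a baseline. The fixed version comes from the article; the baseline thumbprints are placeholders, since the article does not list the affected hashes.

```powershell
# Added check, not from the article. Run in an elevated PowerShell session on a Windows host.
# Assumes: the fixed signature version stated in the article (1.449.430.0); your expected
# DigiCert roots live in Cert:\LocalMachine\Root; $ExpectedRoots is filled from a known-good host.

$FixedVersion = [version]'1.449.430.0'

# 1. Is the installed security intelligence at or past the release Microsoft shipped as the fix?
$status     = Get-MpComputerStatus
$sigVersion = [version]$status.AntivirusSignatureVersion
if ($sigVersion -lt $FixedVersion) {
    Write-Warning "Signature version $sigVersion is older than $FixedVersion; update before trusting the trust store state."
} else {
    Write-Host "Signature version $sigVersion is at or after the fixed release."
}

# 2. Did Defender record the false-positive detection on this host?
$hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }
if ($hits) {
    Write-Warning "Cerdigent detections recorded on this host:"
    $hits | Select-Object ThreatName, SeverityID, Resources | Format-List
}

# 3. Which DigiCert roots are present in the machine trust store right now?
#    Thumbprint is the SHA-1 hash, the same identifier the article says the detections used.
$present = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'DigiCert' } |
    Select-Object Subject, Thumbprint, NotAfter
$present | Format-Table -AutoSize

# 4. Compare against a baseline of thumbprints recorded from a known-good host
#    (placeholder values; replace with your own baseline).
$ExpectedRoots = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)
$missing = $ExpectedRoots | Where-Object { $_ -notin $present.Thumbprint }
if ($missing) {
    Write-Warning "DigiCert roots missing from LocalMachine\Root: $($missing -join ', ')"
} else {
    Write-Host "All baseline DigiCert roots are present."
}
```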
