Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha

Microsoft Defender began flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha after an April 30 signature update, causing false-positive alerts and removal of entries from the Windows trust store. Microsoft has released Security Intelligence updates to fix the detections and restore removed certificates, and the issue is possibly linked to a recent DigiCert incident that led to abused EV code-signing certificates. #DigiCert #ZhongStealer

Key points

  • Microsoft Defender updates added detections for Trojan:Win32/Cerdigent.A!dha on April 30, resulting in legitimate DigiCert root certificates being flagged and removed.
  • The specific affected certificate thumbprints reported include 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 and DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.
  • Removed certificates were deleted from the AuthRoot store under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, causing trust issues for some Windows systems.
  • Microsoft pushed fixes in Security Intelligence updates 1.449.430.0 and 1.449.431.0, which reportedly restore removed certificates and can be applied automatically or via Windows Security > Virus and threat protection > Protection updates.
  • The false positives coincide with a DigiCert support breach that allowed threat actors to obtain initialization codes and EV code-signing certificates, some of which were linked to the Zhong Stealer campaign and revoked by DigiCert.
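An added PowerShell check, not part of the article, that reports whether a host is still on a Defender signature version older than the fix and whether the two DigiCert root thumbprints named above are present in the machine AuthRoot store (both the certificate provider view and the registry store behind it). It assumes the Defender PowerShell module and an elevated session; the function name is my own.

```powershell
# Added check (not from the article): reports whether this host ran the
# affected Defender signatures and whether the two DigiCert roots named in
# the article are still present in the machine AuthRoot store.
# Assumes: Windows with the Defender PowerShell module; run elevated so the
# registry view of the AuthRoot store is readable.

$AffectedThumbprints = @(
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43',
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'
)
# First Security Intelligence version the article reports as carrying the fix.
$FixedVersion = [version]'1.449.430.0'
$AuthRootKey  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'

function Test-CerdigentImpact {
    $status = Get-MpComputerStatus
    $sigVer = [version]$status.AntivirusSignatureVersion

    # Any Cerdigent entry in Defender's detection history means the
    # AuthRoot store on this host should be re-checked.
    $hits = Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' }

    # The AuthRoot store is backed by per-thumbprint registry subkeys, so the
    # certificate provider and the registry should agree on what is present.
    $present = Get-ChildItem Cert:\LocalMachine\AuthRoot | Select-Object -ExpandProperty Thumbprint
    $regKeys = @()
    if (Test-Path $AuthRootKey) {
        $regKeys = Get-ChildItem $AuthRootKey | Select-Object -ExpandProperty PSChildName
    }
    $missing = $AffectedThumbprints | Where-Object {
        ($present -notcontains $_) -or ($regKeys -notcontains $_)
    }

    [pscustomobject]@{
        SignatureVersion    = $sigVer
        HasFix              = ($sigVer -ge $FixedVersion)
        CerdigentDetections = @($hits).Count
        MissingThumbprints  = @($missing)
    }
}

$result = Test-CerdigentImpact
$result | Format-List

if (-not $result.HasFix) {
    # Pull the current Security Intelligence update now instead of waiting for the scheduled one.
    Update-MpSignature
}
if ($result.MissingThumbprints.Count -gt 0) {
    Write-Warning "Affected DigiCert roots still missing from AuthRoot: $($result.MissingThumbprints -join ', ')"
}
```

A missing thumbprint is only conclusive together with a Cerdigent detection on the same host, because AuthRoot is filled on demand by the automatic root update and a root that was never needed may simply not have been downloaded yet.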

Read More: https://www.bleepingcomputer.com/news/security/microsoft-defender-wrongly-flags-digicert-certs-as-trojan-win32-cerdigentadha/