
How to Resolve Microsoft Defender False Positive on DigiCert Certificates

Published: 2026-05-04 20:10:00 | Category: Software Tools

Introduction

Microsoft Defender Antivirus has been incorrectly flagging legitimate DigiCert root certificates as malware under the name Trojan:Win32/Cerdigent.A!dha. This false positive can trigger alerts, and in some cases, the certificates are automatically removed from the Windows certificate store, breaking secure connections to websites and services that rely on DigiCert-issued certificates. This guide walks you through verifying the alert, restoring affected certificates, and preventing future false positives.

Source: www.bleepingcomputer.com

What You Need

  • A Windows 10 or Windows 11 machine with administrative privileges
  • Access to the Microsoft Defender Antivirus interface (Windows Security app)
  • An internet connection to download updated definitions (optional but recommended)
  • The exact name of the flagged certificate (e.g., Trojan:Win32/Cerdigent.A!dha) shown in the alert
  • Optional: A backup of your certificate store or a known-good DigiCert root certificate (download from DigiCert's official repository)

Step-by-Step Guide

Step 1: Confirm the False Positive Alert

When Microsoft Defender flags a certificate, you'll see a notification in the system tray or within the Windows Security app. To verify the alert:

  1. Open the Windows Security app by clicking Start, typing "Windows Security", and pressing Enter.
  2. Go to Virus & threat protection and click Protection history.
  3. Look for an entry named Trojan:Win32/Cerdigent.A!dha under "Quarantined threats" or "Threats found".
  4. Click the entry to view details. Check if the affected file is a certificate file (e.g., .cer or .crt) or a reference to a root certificate in the cert store.
  5. Note the path or store location provided. If it points to a legitimate DigiCert certificate, proceed with the next steps.

Step 2: Restore the Certificate If Removed

If Defender has already removed the certificate, you need to restore it. Microsoft Defender automatically quarantines threats before removal, so the certificate may still be recoverable.

  1. In the Protection history screen, locate the Trojan:Win32/Cerdigent.A!dha entry.
  2. Click the entry, then choose Actions > Restore. Confirm when prompted.
  3. If the certificate was permanently deleted (not quarantined), you must manually re-import it. Download the correct DigiCert root certificate from DigiCert's official list, then:
    • Open Microsoft Management Console (MMC) by pressing Win + R, typing mmc, and pressing Enter.
    • Go to File > Add/Remove Snap-in, choose Certificates, and select Computer account.
    • Navigate to Trusted Root Certification Authorities > Certificates.
    • Right-click the folder, choose All Tasks > Import, and follow the wizard to add the downloaded certificate.

Step 3: Add an Exclusion to Prevent Future Detection

To stop Defender from repeatedly flagging this certificate, add an exclusion for the specific file or path. Use caution—only exclude items you fully trust.

  1. Open Windows Security and go to Virus & threat protection.
  2. Under Virus & threat protection settings, click Manage settings.
  3. Scroll to Exclusions and click Add or remove exclusions.
  4. Click Add an exclusion and choose File.
  5. Browse to the certificate file that was flagged (or the path shown in the alert). If the alert refers to a store location rather than a file, you may need to add an exclusion for the certificate's thumbprint or use a folder exclusion targeting C:\Windows\System32\catroot2 (but be aware this may reduce security).
  6. Confirm the exclusion. Defender will no longer scan that file for malware.

Step 4: Update Microsoft Defender Definitions

Microsoft typically releases a definition update to correct false positives within a few hours or days. Ensure you have the latest definitions to prevent the issue from recurring.

  1. In Windows Security, go to Virus & threat protection and click Check for updates under Virus & threat protection updates.
  2. Alternatively, download the latest definitions manually from the Microsoft Security Intelligence site.
  3. After updating, run a quick scan to verify that the false positive no longer appears.

Step 5: Verify Certificate Trust and Connectivity

After restoring the certificate and creating any exclusions, confirm that the affected certificates are trusted and that your system can establish secure connections.

  1. Open a command prompt as administrator and run certlm.msc to open the local machine certificate store.
  2. Navigate to Trusted Root Certification Authorities > Certificates and locate the DigiCert root certificate you restored.
  3. Double-click the certificate, go to the General tab, and verify that the status reads "This certificate is OK."
  4. Test a secure connection to a DigiCert-verified site (e.g., https://www.digicert.com) using a web browser. If no security warnings appear, the certificate is properly trusted.
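
The checks in Steps 1, 2, 4 and 5 can also be scripted from an elevated PowerShell session. The script below is an added example, not part of the original guide or any Microsoft or DigiCert tooling; the reference certificate path is a hypothetical placeholder for a root certificate you downloaded from DigiCert's official repository.

```powershell
# Added example: run from an elevated PowerShell session on the affected machine.
$threatName   = 'Trojan:Win32/Cerdigent.A!dha'   # detection name shown in the alert
$referenceCer = 'C:\Temp\digicert-root.cer'      # hypothetical path to the downloaded root

# 1. Find Defender detections recorded under that name and show what they touched.
$threat = Get-MpThreat | Where-Object ThreatName -eq $threatName
if ($threat) {
    Get-MpThreatDetection |
        Where-Object ThreatID -in $threat.ThreatID |
        Select-Object InitialDetectionTime, ActionSuccess, Resources |
        Format-List
} else {
    Write-Output "No detection named $threatName in Defender history."
}

# 2. Show the installed definition version and when it was last updated (Step 4).
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# 3. List the DigiCert roots the machine currently trusts (Step 5).
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like '*DigiCert*'
$roots | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 4. Compare the reference certificate with the store; re-import only if it is missing.
if (Test-Path $referenceCer) {
    $ref = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($referenceCer)
    if ($ref.Subject -ne $ref.Issuer) {
        # A root certificate is self-issued; anything else does not belong in the Root store.
        Write-Warning "Reference file is not self-issued; not importing it as a root."
    } elseif ($roots.Thumbprint -contains $ref.Thumbprint) {
        Write-Output "Present in LocalMachine\Root: $($ref.Subject)"
    } else {
        Write-Warning "Missing from LocalMachine\Root: $($ref.Subject)"
        Import-Certificate -FilePath $referenceCer -CertStoreLocation Cert:\LocalMachine\Root
    }
} else {
    Write-Output "Reference certificate not found at $referenceCer; skipping comparison."
}
```

Before relying on the import, compare the thumbprint printed for the reference file with the value DigiCert publishes for that root.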

Step 6: Report the False Positive (If Still Occurring)

If the false positive persists even after updating definitions, report it to Microsoft for further analysis.

  1. Go to the Microsoft Security Intelligence submission portal.
  2. Select Submit a file for analysis.
  3. Upload the certificate file (or provide the certificate details) and indicate that it is a false positive.
  4. Include notes explaining that Microsoft Defender incorrectly flags the certificate as Trojan:Win32/Cerdigent.A!dha.

Tips for Avoiding Future Certificate False Positives

  • Keep Defender updated: Always install the latest definition updates, as Microsoft frequently addresses false positives in new releases.
  • Use exclusions sparingly: Only exclude files you are absolutely certain are legitimate. Periodically review your exclusions in Windows Security.
  • Monitor certificate stores: Regularly check the Trusted Root Certification Authorities folder for missing or corrupted certificates—especially after major Windows updates.
  • Leverage official sources: When restoring certificates, always download them from the issuing CA's official site (e.g., DigiCert) to avoid inadvertently installing malware.
  • Enable cloud-delivered protection: In Windows Security settings, turn on Cloud-delivered protection and Automatic sample submission to help Microsoft quickly identify and correct false positives.
  • Back up your certificate store: Use certutil -exportPFX or the MMC export tools to create a backup of your trusted root certificates. This makes recovery faster if a false positive wipes them out.
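
For the "Monitor certificate stores" tip, one approach is to keep a thumbprint baseline of the machine's trusted roots and diff the store against it later. This is an added example, not from the original guide; the baseline path is a hypothetical location, and the script only reads the store.

```powershell
# Added example: baseline the trusted root store, then report drift on later runs.
$baseline = 'C:\Baselines\root-store.csv'   # hypothetical location; keep it access-controlled

function Get-RootSnapshot {
    # One row per certificate in the machine's Trusted Root Certification Authorities store.
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotAfter
}

if (-not (Test-Path $baseline)) {
    # First run: record the current state as the known-good baseline.
    New-Item -ItemType Directory -Path (Split-Path $baseline) -Force | Out-Null
    Get-RootSnapshot | Export-Csv -Path $baseline -NoTypeInformation
    Write-Output "Baseline written to $baseline"
} else {
    $old  = Import-Csv -Path $baseline
    $new  = Get-RootSnapshot
    # -PassThru keeps Subject and NotAfter on each differing row.
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new `
                -Property Thumbprint -PassThru

    # '<=' rows exist only in the baseline: roots removed since it was taken.
    $removed = $diff | Where-Object SideIndicator -eq '<='
    # '=>' rows exist only in the live store: roots added since the baseline.
    $added   = $diff | Where-Object SideIndicator -eq '=>'

    if ($removed) {
        Write-Warning "Roots missing since baseline:"
        $removed | Select-Object Subject, Thumbprint | Format-Table -AutoSize
    }
    if ($added) {
        Write-Output "Roots added since baseline (review each one):"
        $added | Select-Object Subject, Thumbprint | Format-Table -AutoSize
    }
    if (-not $diff) { Write-Output "Root store matches the baseline." }
}
```

Windows can add roots on its own through automatic root updates, so an added entry is a prompt to review, while a removed DigiCert entry matches the failure this guide describes.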