Microsoft Defender is reportedly flagging legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, according to BleepingComputer. The report says the false positive has generated widespread alerts and, in some cases, removed the flagged certificates from Windows systems.
False positives are a familiar operational headache, but certificate-related false positives carry a special kind of risk. Root certificates sit at the foundation of software signing, website trust, device enrollment, and enterprise authentication workflows. When a security tool mistakenly classifies a trusted certificate as malicious, administrators can face noisy alerts, broken trust chains, and uncertainty about whether they are looking at a real compromise or a detection-quality problem.
The incident also shows the tension built into modern endpoint security. Automated protection has to move fast enough to block active threats, but it also has to avoid damaging trusted infrastructure. Large enterprises increasingly rely on cloud-delivered security intelligence, which means a single bad signature or model decision can spread quickly across many machines. The speed that makes defenses useful can also amplify mistakes.
Why it matters
Security teams should treat this kind of event as a test of incident-response discipline. The right response is not to disable protection broadly, but to verify the vendor advisory, identify affected endpoints, document what was quarantined or removed, and restore trust stores through controlled channels if needed. Teams should also check whether certificate-dependent services, VPN clients, internal apps, or deployment pipelines experienced failures during the alert window.
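The evidence-gathering steps above, as an added PowerShell example that is not from the article or from Microsoft: it snapshots the DigiCert roots still present in the machine store, pulls Defender's own record of the detection name reported above, lists (without restoring) quarantined items, and probes one certificate-dependent service. The evidence directory, the `*DigiCert*` subject match, the MpCmdRun.exe path and the internal service URL are assumptions to adjust for your environment.

```powershell
# Added example, not the article's or Microsoft's code. Run elevated on an affected endpoint.
# Read-only apart from the evidence files written under $EvidenceDir (assumed path).
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'     # detection name as reported in the article
$EvidenceDir   = 'C:\IR\DefenderFP'                 # assumption: point at your evidence share
$ServiceUrl    = 'https://intranet.example.com/'    # placeholder: an internal HTTPS service to probe
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Snapshot the machine root store so a removal can be proven and later restored deliberately.
#    Matching on subject text is an assumption; compare thumbprints against your own baseline.
$Roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DigiCert*' } |
    Select-Object Subject, Thumbprint, SerialNumber, NotAfter
$Roots | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "digicert-roots-$Stamp.csv")
"DigiCert roots present in LocalMachine\Root: $($Roots.Count)"

# 2. Record what Defender itself says it did. Get-MpThreat carries the name, Get-MpThreatDetection
#    carries the per-event action and resource path, so join the two on ThreatID.
$Threats    = Get-MpThreat | Where-Object ThreatName -eq $DetectionName
$Detections = Get-MpThreatDetection | Where-Object { $_.ThreatID -in $Threats.ThreatID }
$Detections |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, ThreatStatusID,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "detections-$Stamp.csv")
"Detections matching ${DetectionName}: $($Detections.Count)"

# 3. List quarantined items without restoring them; restoration is a change-controlled step
#    taken only after the vendor advisory has been verified. (Path is the usual install location.)
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll |
    Out-File -FilePath (Join-Path $EvidenceDir "quarantine-$Stamp.txt")

# 4. Probe one certificate-dependent path; a missing root typically surfaces here as a TLS
#    trust failure rather than an HTTP error, so capture the exception text as evidence.
try {
    $Resp = Invoke-WebRequest -Uri $ServiceUrl -Method Head -UseBasicParsing -ErrorAction Stop
    "Service probe: HTTP $($Resp.StatusCode) from $ServiceUrl"
} catch {
    "Service probe FAILED for ${ServiceUrl}: $($_.Exception.Message)" |
        Tee-Object -FilePath (Join-Path $EvidenceDir "service-probe-$Stamp.txt")
}
```

Collect the three evidence files from each affected endpoint before any restore so the record separates what the vendor signature removed from anything that might indicate real tampering.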
For executives, the lesson is that security automation needs rollback plans just as much as detection coverage. Tools that protect the business can also interrupt it when quality control fails. Mature programs track both sides: how quickly threats are stopped and how quickly false positives are contained. Clear change records also help teams distinguish vendor mistakes from real certificate tampering during a busy alert cycle.