- What: Microsoft Defender falsely flagged DigiCert certificates as malware
- Impact: Users had critical certificates removed from their systems
Microsoft Defender false positives trigger DigiCert certificate alerts

May 4, 2026 | By SC Staff

Microsoft Defender is incorrectly identifying legitimate DigiCert root certificates as malware, leading to widespread false-positive alerts and, in some instances, the removal of these critical certificates from Windows systems. This issue began after a Defender signature update on April 30th, causing administrators globally to report the erroneous detections and removals from the Windows trust store, based on information published by Bleeping Computer.

The false positives involved specific DigiCert root certificates, identified by their SHA-1 hashes, which were flagged as Trojan:Win32/Cerdigent.A!dha. This led to concern among users, with some resorting to reinstalling their operating systems. Microsoft has since released updates to its security intelligence, version 1.449.430.0 and later, which reportedly resolve the issue and restore removed certificates.

The timing of these false positives coincides with a recently disclosed DigiCert security incident where threat actors obtained valid code-signing certificates. While the Defender detections targeted root certificates and not the specific code-signing certificates used in malware campaigns, the proximity of events suggests a potential, though unconfirmed, link. The DigiCert incident involved a breach of a customer support team member's device, allowing attackers to acquire initialization codes for code-signing certificates, which were then used to sign malware, including the Zhong Stealer campaign.

Source: Bleeping Computer
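A read-only triage check for a possibly affected Windows host, added here as an example; it is not from the article, Microsoft or DigiCert. It assumes the Defender PowerShell module cmdlets (Get-MpComputerStatus, Get-MpThreat, Update-MpSignature) are available, and takes the fixed signature version and the detection name from the article above.

```powershell
# Added example (not from the SC Media article): a read-only check an
# administrator can run on a Windows host. Assumes the Defender PowerShell
# module is present; the fixed version and detection name come from the
# article. It changes nothing on the host, it only reports.

$FixedVersion = [version]'1.449.430.0'

# 1. Is the security intelligence (signature) version at or past the fix?
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion
if ($current -ge $FixedVersion) {
    Write-Output "Signature version $current is at or after the fix ($FixedVersion)."
} else {
    Write-Output "Signature version $current predates the fix ($FixedVersion); run Update-MpSignature and re-check."
}

# 2. Has Defender recorded the false-positive detection on this host?
#    Wildcard match on the detection family name given in the article.
$hits = @(Get-MpThreat | Where-Object { $_.ThreatName -like '*Cerdigent*' })
if ($hits.Count -gt 0) {
    Write-Output "Found $($hits.Count) Cerdigent detection record(s); root certificates may have been removed."
} else {
    Write-Output "No Cerdigent detection records found."
}

# 3. Which DigiCert root certificates are currently in the machine trust
#    store? The article identifies the affected roots by SHA-1 hash but does
#    not list them, so this inventories DigiCert roots by subject and shows
#    each thumbprint (SHA-1) for comparison against the vendor's published list.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*DigiCert*' } |
    Select-Object Thumbprint, Subject, NotAfter |
    Sort-Object Subject |
    Format-Table -AutoSize
```

Run it in an elevated session before and after updating signatures; a host that shows detection records but no DigiCert roots in step 3 is the case the article describes as needing certificates restored.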