Microsoft Defender Bug Generates False Malware Alerts on DigiCert Certificates, Disrupting Trust Stores
What Happened — A defect in Microsoft Defender’s detection engine mistakenly classified legitimate DigiCert code‑signing and TLS certificates as malware. The false positives caused Windows trust stores to block or remove these certificates, forcing IT teams to manually restore trust and investigate alerts.
Why It Matters for TPRM —
- False‑positive alerts can mask genuine threats, eroding confidence in endpoint security controls.
- Disruption of trusted certificate chains may break secure communications for SaaS, cloud, and on‑prem applications.
- Vendors that rely on DigiCert certificates (e.g., software publishers, cloud providers) could face service interruptions and reputational risk.
Who Is Affected — Enterprises across all sectors that use DigiCert‑issued certificates and run Microsoft Defender on Windows endpoints; particularly SaaS vendors, cloud‑hosted services, and software publishers.
Recommended Actions —
- Verify that your endpoint protection solution is running the latest Defender definition updates.
- Audit your Windows trust stores for missing or flagged DigiCert certificates and re‑import as needed.
- Review your certificate management process; consider adding a secondary validation step for any Defender‑generated alerts on certificates.
- Communicate with DigiCert and Microsoft support to confirm the fix is deployed in your environment.
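The first two actions above, carried out on one Windows endpoint, as an added PowerShell example (not from the TechRepublic article, Microsoft, or DigiCert). It assumes the built-in Defender PowerShell module, identifies DigiCert certificates by the string "DigiCert" in the Subject or Issuer (a heuristic, not an authoritative list), and treats the $ExpectedThumbprints parameter as a placeholder to be filled from your own certificate inventory.

```powershell
# Added audit example: Defender signature state, DigiCert certs in the machine
# trust stores, and recent Defender detections that touched certificate files.
#Requires -RunAsAdministrator
param(
    # Placeholder (assumption): thumbprints your PKI team expects to be present.
    # No real DigiCert thumbprints are supplied here; fill from your inventory.
    [string[]]$ExpectedThumbprints = @(),
    [int]$LookbackDays = 14
)

# 1. Confirm the engine and definition versions actually loaded on this host.
$status = Get-MpComputerStatus
[pscustomobject]@{
    EngineVersion       = $status.AMEngineVersion
    SignatureVersion    = $status.AntivirusSignatureVersion
    SignatureLastUpdate = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Enumerate DigiCert certificates still trusted in the machine Root and CA stores.
$stores   = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$digicert = Get-ChildItem -Path $stores |
    Where-Object { $_.Subject -match 'DigiCert' -or $_.Issuer -match 'DigiCert' }

$digicert |
    Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*::', '' } },
                  Subject, Thumbprint, NotAfter |
    Sort-Object Store, Subject | Format-Table -AutoSize

# 3. Flag expected certificates that are missing (only meaningful with a supplied list).
$present = $digicert.Thumbprint
$missing = $ExpectedThumbprints | Where-Object { $_ -notin $present }
if ($missing) {
    Write-Warning "Missing expected thumbprints: $($missing -join ', ')"
    Write-Warning ('Re-import from a trusted source, e.g. Import-Certificate ' +
                   '-FilePath <cert>.cer -CertStoreLocation Cert:\LocalMachine\Root')
}

# 4. List recent Defender detections whose resources look like certificate files,
#    so the secondary validation step has a concrete set of alerts to review.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    Where-Object { ($_.Resources -join ' ') -match '\.(cer|crt|p7b|pfx)\b' } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-Table -AutoSize -Wrap
```

Run it on a representative endpoint and compare the certificate list against a host that has not run the affected definitions before re-importing anything.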
Technical Notes — The bug stemmed from an erroneous heuristic in Defender’s malware‑signature database that matched certain DigiCert certificate hashes. No CVE was issued because the issue was a false positive, not a vulnerability. Affected data types were cryptographic certificates, not end‑user data. Source: TechRepublic