Microsoft has had users wondering what it was trying to achieve this week, following an update to its Defender anti-malware tool for Windows that removed two top-level (root) digital certificates, for unclear reasons.
Following the version 1.449.425.0 update, Defender flagged as "severe" and quarantined two DigiCert certificates as the Trojan:Win32/Cerdigent.A!dha, alarming users who thought their systems had been infected with malware.
This turned out to be a false positive, and it remains unclear whether the "Cerdigent" malware actually exists, or if it's just a name generated automatically.
The fix is simple: update Defender to definition version 1.449.430.0 or later, which restores the DigiCert certificates.
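One way an administrator could triage a host for this false positive, as an added example that is not from Microsoft or the article: it uses the definition version and detection name reported above, and assumes the affected roots live in the machine's AuthRoot store and can be found by a "DigiCert" subject match, since the article does not identify the two certificates.

```powershell
# Added example: triage one host for the Cerdigent false positive.
# The version and detection name are taken from the article; the store
# location and subject filter are assumptions (thumbprints are not published here).
$FixedVersion  = [version]'1.449.430.0'            # first definition release reported to restore the certificates
$DetectionName = 'Trojan:Win32/Cerdigent.A!dha'    # detection name reported for the quarantined certificates

# Current Defender definition version on this host.
$status  = Get-MpComputerStatus
$current = [version]$status.AntivirusSignatureVersion

# Did Defender ever raise this detection here? Match by name, then pull the detection events.
$threat = @(Get-MpThreat | Where-Object { $_.ThreatName -eq $DetectionName })
$hits   = @()
if ($threat.Count -gt 0) {
    $hits = @(Get-MpThreatDetection | Where-Object { $_.ThreatID -in $threat.ThreatID })
}

# DigiCert roots currently present in the third-party root store (assumed location).
$roots = @(Get-ChildItem Cert:\LocalMachine\AuthRoot |
           Where-Object { $_.Subject -like '*DigiCert*' })

# One summary object per host, suitable for collecting across a fleet.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SignatureVersion  = $current
    AtOrAboveFix      = $current -ge $FixedVersion
    CerdigentHits     = $hits.Count
    LastDetection     = ($hits | Sort-Object InitialDetectionTime |
                         Select-Object -Last 1).InitialDetectionTime
    DigiCertRoots     = $roots.Subject
}

# Pull newer definitions only when the host is still below the fixed release.
if ($current -lt $FixedVersion) {
    Update-MpSignature
}
```

A host that shows detections and is still below the fixed version is the case to prioritise; the subject list only shows which DigiCert roots are present now, not which two were quarantined.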
Microsoft has yet to clarify why Defender did what it did, but cyber security researchers speculated that it could be due to a DigiCert staffer being hit with malware in a ZIP archive disguised as a customer screenshot, leading to a threat actor stealing initialisation codes.
Interesting detail: the last revoked #DigiCert code signing cert in that incident was on Apr 17
The Defender signature update that apparently started flagging/removing DigiCert AuthRoot entries came more than 10 days later
So I’m wondering what the intended mechanism was here.… https://t.co/LOEecDlxfl
— Florian Roth ⚡️ (@cyb3rops) May 3, 2026
That incident took place over two weeks ago, and the codes were used for 60 code-signing certificates, some of which were applied to malware such as the Zhong Stealer remote access tool.
However, the two root certificates from DigiCert were not part of the malware incident.
Blocklisted driver halts backups
The Defender update isn't the only one causing headaches for Windows users recently.
Windows updates that Microsoft pushed out on or after April 14 caused "certain third-party backup applications" to fail when attempting to mount or manage disk images.
Microsoft explained that this was due to vulnerable versions of the psmounterex.sys kernel driver being added to a blocklist.
Apart from failing to mount backup image files as virtual drives, users and IT administrators might experience timeouts when browsing said image files, or restoring from them, Microsoft said.
Microsoft referred to an advisory from 2023, for a 9.3 out of 10 rated vulnerability in the Macrium Reflect 8 application's psmounterex.sys kernel driver that security vendor Northwave said could potentially lead to a "complete loss of integrity of the system".
Other software affected by the backup problem includes Acronis Cyber Protect Cloud, NinjaOne Backup and UrBackup server.
That bug has been present since at least 2019, but Microsoft did not explain why it took until April 2026 to add the vulnerable kernel driver to its blocklist.
Other notable update issues in recent times include one in October 2025, when the Windows 11 Recovery Environment (WinRE), which can be used to repair some software problems before the main operating system starts, became unusable after the KB5066385 patch was applied.
Meanwhile, the January 2026 set of security patches caused problems for users signing in, and wanting to shut down their machines, forcing Microsoft to release an out-of-band update with fixes.




