
'Cerdigent' high-severity malware was detected

Sayed Ayaan Hussain 25 Reputation points
2026-05-03T11:53:56.0733333+00:00

We have observed multiple incidents with this title. In this incident we are observing that 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4' and 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43' have been deleted by msmpeng.exe running as the user nt authority\system.

Please find more details below:

Registry Key Events:

msmpeng.exe deleted registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43'

msmpeng.exe deleted registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'

Threat name: Trojan:Win32/Cerdigent.A!dha

Remediation action: Quarantined successful

user: nt authority\system

processes: wininit.exe > services.exe > msmpeng.exe > Registry modification


Please let me know the solution for this issue, and explain why it was occurring.


3 answers

  1. Sunil Vishwakarma 5 Reputation points
    2026-05-03T12:38:18.1166667+00:00

    This appears to be a false positive alert. The detected alert is related to a DigiCert certificate, and after validation, the certificate issuer and other details were found to be correct. This is the officially published DigiCert Root CA hash on the DigiCert website.

    rootcert: DDFB16CD4931C973A2037D3FC83A4D7D775D05E4

    DigiCert Trusted Root Authority Certificates


  2. Rukmini 40,055 Reputation points Microsoft External Staff Moderator
    2026-05-04T01:17:23.6966667+00:00

    Hello Sayed Ayaan Hussain

    As mentioned by Sunil Vishwakarma this has been validated as a false positive detection from Microsoft Defender for Endpoint. The alert is associated with a DigiCert root certificate, and the thumbprint DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 matches an officially published and trusted certificate from DigiCert.

    After discovering Trojan:Win32/Cerdigent.A!dha, Defender's automated remediation method included the removal of registry keys under ROOT and AuthRoot by msmpeng.exe. Nevertheless, this behavior is verified to be an incorrect detection rather than a real security breach, because the certificate is legitimate.

    • Update Defender signatures to the most recent version
    • Windows update/certificate sync will be used to restore trusted root certificates, and the environment is being monitored for recurrence.

    Refer to https://knowledge.digicert.com/general-information/digicert-trusted-root-authority-certificates


  3. Q&A Assist
    2026-05-03T11:54:14.9466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior is expected and indicates that Microsoft Defender Antivirus successfully remediated the detected Trojan and reverted malicious certificate changes.

    What is happening

    • The detection Trojan:Win32/Cerdigent.A!dha triggered Microsoft Defender Antivirus (engine process MsMpEng.exe).
    • Defender identified malicious or unwanted content associated with system certificate store entries under:
      • HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
      • HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    • As part of remediation, MsMpEng.exe (running as NT AUTHORITY\SYSTEM) deleted those registry keys. This is logged as RegistryKeyDeleted events with the process chain wininit.exe > services.exe > MsMpEng.exe.
    • The threat action shows Remediation action: Quarantined successful, meaning Defender quarantined the malicious components and then cleaned related artifacts (in this case, certificate entries).

    Why Defender is modifying these registry keys

    • When malware is detected, Defender not only removes files but also restores or cleans system settings that may have been modified by the threat.
    • According to the Defender troubleshooting documentation, when malware is detected, Defender and related tools can restore or adjust security‑relevant system settings and services that were changed by malware, including certificate‑related configuration and other core OS components.
    • The registry path HKLM\SOFTWARE\Microsoft\SystemCertificates\... is where Windows stores trusted root and intermediate certificates. Malware can add or tamper with certificates there to:
      • Trust a malicious root CA
      • Intercept or spoof TLS connections
      • Bypass security checks
    • Defender therefore removes suspicious or malicious certificate entries as part of the remediation workflow. This is recorded as an action taken by the antimalware platform.

    How to interpret the events

    • Event type: Malware detected and action taken by Microsoft Defender Antivirus.
    • Relevant event IDs in Defender logs:
      • MALWAREPROTECTION_MALWARE_DETECTED / MALWAREPROTECTION_STATE_MALWARE_DETECTED (malware found).
      • MALWAREPROTECTION_MALWARE_ACTION_TAKEN / MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN (clean, quarantine, remove, block, etc.).
    • These events include:
      • Threat name and ID
      • Severity and category
      • Detection origin and type (for example, heuristics, generic, dynamic signature)
      • Detection source (real‑time, system, user, NIS, etc.)
      • Action taken (Clean, Quarantine, Remove, Block, etc.) and status
    • In this case, the action is successful, so no additional remediation is required from the endpoint side.

    What to do next

    1. Confirm Defender remediation status
      • Review the corresponding malware detection events (IDs 1006/1116 for detection and 1007/1117 for action taken) to verify that the status is successful and the action is Quarantine/Remove.
    2. Check for further related alerts
      • In Microsoft Defender for Cloud / Defender for Endpoint, review any additional alerts on the same host (for example, suspicious behavior, registry changes, or use of tools like certutil.exe) to ensure there is no remaining persistence.
    3. Validate system behavior
      • Confirm that critical services and normal certificate‑based operations (Windows Update, TLS to internal services, etc.) are functioning. Defender’s remediation is designed to protect the system and should not require manual rollback.

    In summary, the registry deletions by MsMpEng.exe are Defender’s normal remediation actions against the Trojan:Win32/Cerdigent.A!dha infection, cleaning malicious certificate entries from the system certificate stores after the threat was detected and quarantined.


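The checks the two answers above describe (is the key really gone, does the thumbprint match a published trusted root, do the Defender events show a successful action) can be run as one script on the affected host. This is an added example, not code from any answer in the thread; the SST path is an assumption (generate the file first with `certutil -generateSSTFromWU`), and only the DDFB... thumbprint is one the thread confirms as DigiCert's.

```powershell
# Added example (not from this thread). Run in an elevated PowerShell on the affected host.
# Checks the registry keys named in the alert, looks the certificates up via the Cert: drive,
# pulls the Defender events (IDs 1006/1116 detection, 1007/1117 action taken) and, if present,
# compares the thumbprints with an SST generated beforehand by:
#   certutil -generateSSTFromWU C:\Temp\roots.sst      (path is an assumption)

$AlertThumbprints = @(
    'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4',  # confirmed in the thread as a DigiCert root
    '0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43'   # second key from the alert; not identified in the thread
)
$Stores  = @('ROOT', 'AuthRoot')
$SstPath = 'C:\Temp\roots.sst'                    # assumption: produced by certutil -generateSSTFromWU

# 1. Registry keys that MsMpEng.exe deleted: still present, or gone?
foreach ($tp in $AlertThumbprints) {
    foreach ($store in $Stores) {
        $key   = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$store\Certificates\$tp"
        $state = if (Test-Path $key) { 'present' } else { 'MISSING' }
        Write-Output ("{0,-8} {1} {2}" -f $store, $tp, $state)
    }
}

# 2. If the certificate is still installed, show who issued it and when it expires.
foreach ($tp in $AlertThumbprints) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $tp }
    if ($cert) { $cert | Select-Object Thumbprint, Subject, Issuer, NotAfter | Format-List }
    else       { Write-Output "No installed certificate with thumbprint $tp (consistent with the deletion)." }
}

# 3. Defender operational log: detection and action-taken events for the threat in the alert.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1006, 1007, 1116, 1117
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Cerdigent' } |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# 4. Compare with the trusted-root list Windows itself publishes (only if the SST was generated).
if (Test-Path $SstPath) {
    $wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $wuRoots.Import($SstPath)
    $known = $wuRoots | ForEach-Object { $_.Thumbprint }
    foreach ($tp in $AlertThumbprints) {
        $verdict = if ($known -contains $tp) { 'listed in Windows trusted roots' } else { 'NOT in Windows trusted roots: investigate' }
        Write-Output "$tp : $verdict"
    }
}
```

A thumbprint that is MISSING from the registry but listed in the Windows trusted-root SST is the false-positive pattern described above; a thumbprint absent from both is the case that still needs investigation.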
