Windows Defender flagged our company digital certificate as Win32/Malgent
Hello everyone,
We are a legitimate software publisher (Adlice), and all our applications are digitally signed with an EV code signing certificate.
Recently, Microsoft Defender started detecting binaries signed with our certificate as Trojan:Win32/Malgent. Even though Microsoft fixed the original false positive file by file (hash exclusions), the problem seems to persist — any new file signed with our certificate gets detected again as soon as it’s released.
This is causing repeated quarantines, failed updates, and general trust issues with our signed products.
We are looking for advice or experiences from anyone who has dealt with similar certificate-based false positives in Defender.
- Is there a way to rebuild reputation or reset the certificate’s trust in Microsoft Defender’s cloud?
- Should we contact a specific Microsoft team or follow a particular process for allow-listing?
If anybody from Microsoft can help us escalate this issue, I would appreciate it.
Any help, insight, or contact point would be greatly appreciated.
Thank you, Julien