July 18, 2025
Siemens informed customers that it’s working with Microsoft to address an issue related to Microsoft Defender Antivirus (MDAV) and Simatic PCS products.
According to the advisory published by the industrial giant, the problem is that Defender Antivirus currently does not provide ‘alert only’ functionality.
Siemens’ documentation for Simatic PCS 7 and PCS Neo process control systems describes Microsoft Defender Antivirus configurations for specifying threat alert levels at which no default action is taken when a threat is detected.
If the product is set to ‘ignore’, no action is taken when malware is detected, and no alert is generated for the plant operator or administrator.
If a different setting is used, Defender Antivirus may delete or quarantine files flagged as potential malware (both true and false positives), which can lead to disruptions if the system is relying on the potentially infected file.
“The result could be that affected devices will not work anymore, which can lead to loss of monitoring and control of the plant,” Siemens explained.
Until the company works out a solution with Microsoft, plant managers relying on Simatic PCS are advised to conduct a risk assessment to determine whether they want to be alerted about malware infections, or risk disruptions if the antivirus deletes potentially important files.
Customers can cluster impacted devices and apply different configurations to each cluster depending on their needs and requirements.
Source: https://www.securityweek.com/siemens-notifies-customers-of-microsoft-defender-antivirus-issue/