Siemens has identified that older versions of the Microsoft Defender Antivirus (MDAV) do not offer an "Alert only" functionality. With MDAV setting "Ignore" (6), no alert is generated, and all other settings result in loss of access to the potentially infected file.

Siemens therefore points out that the specification in older versions of the “SIMATIC PCS 7 Compendium Part F” [1, chapter 10.5] and "Industrial Security in SIMATIC PCS neo" [2, chapter 11.3], for the group policy object (GPO) "Specifying threat alert levels at which no default action should be taken if the threats are detected" causes neither a reaction to nor an information about malware detection that could be processed by other connected systems (like SIEM software or, in case of SIMATIC PCS 7, SIMATIC Management Console (SMMC)).

Application or system instability and/or crashes can be caused by:

• Malware.
• Reaction of antivirus software to detected potential malware (true positive or false positive) that could block the access to the file.

With newer versions of Microsoft Defender Antivirus (platform version 4.18.26010.5 and later), an additional remediation option "None" (11) has been introduced. This option does not delete files and does not move them to quarantine. Instead, a detection event is generated, which enables monitoring and further processing by connected systems (e.g. SIEM software or SIMATIC Management Console).

The trouble-free availability of customer systems is extremely important to Siemens. Therefore, Siemens recommends clustering the devices into specific categories and using different antivirus scanner behavior settings depending on the cluster, see “Managing Endpoint Security Solutions” [3, chapter 4.4].

Currently three options have been identified:

• By using the remediation option "None" (11) (available in MDAV versions starting from platform version 4.18.26010.5) described in the “SIMATIC PCS 7 Compendium Part F” Edition 05/2026 and newer [1] and "Industrial Security in SIMATIC PCS neo" Edition 04/2026 and newer [2], no automatic remediation (such as deletion or quarantine) is performed. However, a detection event is generated and can be used for monitoring purposes. This allows visibility of potential malware detections without impacting file availability.
• By using the settings described in the “SIMATIC PCS 7 Compendium Part F” Edition 01/2025 and older [1] and "Industrial Security in SIMATIC PCS neo" Edition 05/2025 and older [2] the plant operator and the plant administrator will get no information about a detected malware.
• By using other settings, a risk exists that MDAV deletes or moves files to quarantine. The result could be that affected devices will not work anymore, which can lead into loss of monitoring and control of the plant.

Siemens recommends that the plant responsible manager conducts a specific risk assessment in advance to determine which option is appropriate for the respective situation regarding availability and cyber security.

Based on the specific results of this risk assessment the plant responsible manager is in charge of implementing the above-mentioned option themselves. If the second alternative is chosen, Siemens recommends implementing additional security measures for these devices.

[1] https://support.industry.siemens.com/cs/document/110002446
[2] https://support.industry.siemens.com/cs/document/110002046
[3] https://support.industry.siemens.com/cs/document/109978378