Siemens has identified that Microsoft Defender Antivirus (MDAV) currently does not offer an "alert only" functionality: with the MDAV setting "Ignore" (6), no alert is generated, while every other setting results in loss of access to the potentially infected file.
Siemens therefore points out that the current specification in "SIMATIC PCS 7 Compendium Part F" [1, chapter 10.5] and "Industrial Security in SIMATIC PCS neo" [2, chapter 11.3] for the group policy object (GPO) "Specifying threat alert levels at which no default action should be taken if the threats are detected" causes neither a reaction to a malware detection nor any information about it that could be processed by other connected systems (such as SIEM software or, in the case of SIMATIC PCS 7, the SIMATIC Management Console (SMMC)).
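As an added illustration (this script is not Siemens' or Microsoft's code and is not taken from the referenced documents), the following PowerShell reads the MDAV default action configured for each threat alert level via Get-MpPreference, flags any level set to 6 ("Ignore"), and lists whatever detection events the Defender operational log currently holds. The numeric mappings other than 6 and the use of event IDs 1116/1117 are assumptions taken from Microsoft's public documentation of MSFT_MpPreference and the Defender event log, not statements of this bulletin.

```powershell
# Added example, not part of the Siemens bulletin or its referenced documents.
# Audits the MDAV default action configured per threat alert level on the local
# host and lists recent detection events, so that a level left on "Ignore" (6),
# which neither blocks the file nor raises an alert, is surfaced to the operator
# and the resulting objects can be handed over to a monitoring system.
# Assumes the Defender PowerShell module is available and the shell has read
# access to the Defender operational event log.

# Numeric values of the *ThreatDefaultAction preferences. The value 6 ("Ignore")
# is the one named in the bulletin; the other mappings follow Microsoft's
# documentation of MSFT_MpPreference and are an assumption of this example.
$ActionNames = @{
    0  = 'Not configured (MDAV default)'
    1  = 'Clean'
    2  = 'Quarantine'
    3  = 'Remove'
    6  = 'Ignore (Allow) - no alert generated'
    8  = 'UserDefined'
    9  = 'NoAction'
    10 = 'Block'
}

function Get-MdavDefaultActionReport {
    $pref = Get-MpPreference
    foreach ($level in 'Low', 'Moderate', 'High', 'Severe') {
        $prop  = "${level}ThreatDefaultAction"
        $value = [int]$pref.$prop
        if ($ActionNames.ContainsKey($value)) {
            $name = $ActionNames[$value]
        } else {
            $name = "Unknown ($value)"
        }
        [pscustomobject]@{
            AlertLevel   = $level
            Value        = $value
            Action       = $name
            # A level on 6 is the gap the bulletin describes: no reaction, no alert.
            SilentIgnore = ($value -eq 6)
        }
    }
}

function Get-MdavRecentDetections {
    param([int]$MaxEvents = 50)
    # Event 1116 = malware detected, 1117 = action taken (Defender operational log).
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the message
        }
    }
}

# Print both reports; pipe them to ConvertTo-Json or Export-Csv instead to
# forward the data to a SIEM or another connected system.
Get-MdavDefaultActionReport | Format-Table -AutoSize
Get-MdavRecentDetections   | Format-Table -AutoSize
```

Running the script on a host where a threat level is set to 6 shows that level with SilentIgnore set to True; on such a host the detection list may stay empty for that level, which is exactly the reporting gap the bulletin describes.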
Application or system instability and/or crashes can be caused by:
The trouble-free availability of customer systems is extremely important to Siemens. Siemens therefore recommends clustering the devices into specific categories and applying different antivirus scanner behavior settings depending on the cluster; see "Managing Endpoint Security Solutions" [3, chapter 4.4].
Siemens is in close contact with Microsoft to find a solution. Currently two options have been identified:
Each of these options presents a risk for a specific plant.
Siemens recommends that the responsible plant manager conducts a specific risk assessment in advance to determine which option is appropriate for the respective situation with regard to availability and cyber security.
Based on the specific results of this risk assessment, the responsible plant manager is in charge of implementing the chosen option themselves. If the first alternative is chosen, Siemens recommends implementing additional security measures for these devices.
Siemens is in close contact with Microsoft for further diagnosis and possible solutions; Siemens will provide additional information as soon as available.
[1] https://support.industry.siemens.com/cs/document/109988160
[2] https://support.industry.siemens.com/cs/document/109988873
[3] https://support.industry.siemens.com/cs/document/109978378
The use of Siemens Security Bulletins is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.