Siemens has identified that the Microsoft Defender Antivirus (MDAV) currently does not offer an "Alert only" functionality. With MDAV setting "Ignore" (6), no alert is generated, and all other settings result in loss of access to the potentially infected file.

Siemens therefore points out that the current specification in the “SIMATIC PCS 7 Compendium Part F” [1, chapter 10.5] and "Industrial Security in SIMATIC PCS neo" [2, chapter 11.3], for the group policy object (GPO) "Specifying threat alert levels at which no default action should be taken if the threats are detected" causes neither a reaction to nor an information about malware detection that could be processed by other connected systems (like SIEM software or, in case of SIMATIC PCS 7, SIMATIC Management Console (SMMC)).

Application or system instability and/or crashes can be caused by:

• Malware.
• Reaction of antivirus software to detected potential malware (true positive or false positive) that could block the access to the file.

The trouble-free availability of customer systems is extremely important to Siemens. Therefore, Siemens recommends clustering the devices into specific categories and using different antivirus scanner behavior settings depending on the cluster, see “Managing Endpoint Security Solutions” [3, chapter 4.4].

Siemens is in close contact with Microsoft to find a solution. Currently two options have been identified:

• By using the settings described in the “SIMATIC PCS 7 Compendium Part F” [1] and "Industrial Security in SIMATIC PCS neo" [2] the plant operator and the plant administrator will get no information about a detected malware.
• By using other settings, a risk exists that MDAV deletes or moves files to quarantine. The result could be that affected devices will not work anymore, which can lead into loss of monitoring and control of the plant.

These different options present a risk for a specific plant.

Siemens recommends that the plant responsible manager conducts a specific risk assessment in advance to determine which option is appropriate for the respective situation regarding availability and cyber security.

Based on the specific results of this risk assessment the plant responsible manager is in charge of implementing the above-mentioned option themselves. If the first alternative is chosen, Siemens recommends implementing additional security measures for these devices.

Siemens is in close contact with Microsoft for further diagnosis and possible solutions; Siemens will provide additional information as soon as available.

[1] https://support.industry.siemens.com/cs/document/109988160
[2] https://support.industry.siemens.com/cs/document/109988873
[3] https://support.industry.siemens.com/cs/document/109978378