Desigo CC patch files are identified as malicious by different antivirus solutions. Affected are various patch files for Desigo CC versions V7 to V9. Subsequent verification via VirusTotal confirmed that the affected files are being classified as malicious by multiple security engines. VirusTotal is a website to scan files by multiple antivirus/security engines at once. After internal analysis the reported detections were identified as false-positives. Siemens is working on reaching out to antivirus vendors to resolve the incorrect file classification.

Since Desigo CC software provided by Siemens is always digitally signed (unless otherwise agreed), customers should always verify the validity of the provided digital signatures before installation to prevent supply chain attacks.

The following finding has been identified:

Status: Under Investigation

• Both legacy and recent Desigo CC patch files (Desigo CC V7 to Desigo CC V9) are being marked as malicious by multiple scan engines in VirusTotal. Siemens is working on reaching out to antivirus vendors to classify this as a false-positive

• Each Desigo CC patch includes a "patchHelper" PowerShell script compiled as executable
• The "patchHelper" is part of the patch installation process
• This script has remained unchanged for several months however, it is now being identified as malicious by multiple antivirus vendors

It is assumed that the behavior of the script has recently been reclassified as suspicious or malicious by security engines, potentially due to activities such as:

• File system operations
• Registry modifications
• Execution with elevated privileges

All those activities are part of the patch installation process.

"All relevant files were manually compared to the development repositories. No differences or malicious modifications were found. In addition, the digital signatures were verified as valid and showed no indications of manipulation."