Siemens recently notified its customers about a significant issue affecting the integration of Microsoft Defender Antivirus (MDAV) with its industrial process control systems, specifically the Simatic PCS 7 and PCS Neo products. The core problem is that Microsoft Defender Antivirus currently has no “alert only” mode: there is no setting that reports a detection to the operator without also acting on the flagged file.
Under the available configurations, if the antivirus is set to “ignore” threats, no alerts are generated for plant operators or administrators when malware is detected, so an infection could persist unnoticed. Conversely, with any other setting, Microsoft Defender automatically deletes or quarantines files it flags as malware, including false positives, which disrupts operations if the system depends on the file that was removed.
“The result could be that affected devices will not work anymore, which can lead to loss of monitoring and control of the plant.”
Siemens is actively collaborating with Microsoft to address this limitation. In the meantime, Siemens advises customers to conduct a risk assessment to determine whether they prefer to be alerted about malware infections (with the risk of disruptions from file deletion) or to risk missing malware detections by using the “ignore” setting. As a mitigation strategy, Siemens recommends clustering impacted devices and applying different antivirus configurations to each cluster based on operational needs and risk tolerance.
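As an added illustration, and not code from the Siemens advisory or from Microsoft, the PowerShell below shows what a per-cluster configuration looks like on a Defender host using the documented Set-MpPreference threat default-action parameters, together with a read-back check for drift. The cluster names, the assignment of actions to clusters, and the mapping of the advisory's “ignore” setting onto Defender's NoAction value are assumptions made for this example.

```powershell
# Added example, not from the Siemens advisory or from Microsoft.
# Assumptions: the cluster names and their assigned actions are illustrative,
# and the advisory's "ignore" setting is taken to mean Defender's NoAction value.

# Per-cluster default action for detected threats. Set-MpPreference accepts
# Clean, Quarantine, Remove, Allow, UserDefined, NoAction and Block;
# Get-MpPreference reports them numerically (Clean=1, Quarantine=2, Remove=3,
# Allow=6, UserDefined=8, NoAction=9, Block=10).
$ClusterPolicy = @{
    # Hosts where losing a flagged file is tolerable: act on it and alert.
    'OperatorStations' = 'Quarantine'
    # Hosts where removing a file could stop the process: take no action,
    # accepting (per the advisory) that no alert is raised either.
    'ProcessServers'   = 'NoAction'
}

# Numeric codes Get-MpPreference returns for each named action.
$ActionCodes = @{ Clean = 1; Quarantine = 2; Remove = 3; Allow = 6;
                  UserDefined = 8; NoAction = 9; Block = 10 }

function Set-ClusterThreatAction {
    param(
        [Parameter(Mandatory)][string]$Cluster,
        [hashtable]$Policy = $ClusterPolicy
    )
    if (-not $Policy.ContainsKey($Cluster)) {
        throw "No policy defined for cluster '$Cluster'"
    }
    $action = $Policy[$Cluster]

    # Apply the same action at every severity level so the host's behaviour
    # does not depend on how a particular signature happens to be rated.
    Set-MpPreference -LowThreatDefaultAction      $action `
                     -ModerateThreatDefaultAction $action `
                     -HighThreatDefaultAction     $action `
                     -SevereThreatDefaultAction   $action

    # Read the effective setting back rather than trusting the call succeeded:
    # a centrally managed policy (GPO/Intune) silently takes precedence.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Cluster  = $Cluster
        Low      = $pref.LowThreatDefaultAction
        Moderate = $pref.ModerateThreatDefaultAction
        High     = $pref.HighThreatDefaultAction
        Severe   = $pref.SevereThreatDefaultAction
    }
}

function Test-ClusterThreatAction {
    # Compare the live preference against the intended policy and report drift,
    # e.g. after a policy refresh or a Defender platform update.
    param(
        [Parameter(Mandatory)][string]$Cluster,
        [hashtable]$Policy = $ClusterPolicy
    )
    if (-not $Policy.ContainsKey($Cluster)) {
        throw "No policy defined for cluster '$Cluster'"
    }
    $expected = $ActionCodes[$Policy[$Cluster]]
    $pref = Get-MpPreference
    $actual = @($pref.LowThreatDefaultAction, $pref.ModerateThreatDefaultAction,
                $pref.HighThreatDefaultAction, $pref.SevereThreatDefaultAction)
    $drift = @($actual | Where-Object { $_ -ne $expected })
    [pscustomobject]@{
        Cluster   = $Cluster
        Expected  = $expected
        Actual    = ($actual -join ',')
        Compliant = ($drift.Count -eq 0)
    }
}

# Usage on a host assigned to the 'ProcessServers' cluster (run elevated):
# Set-ClusterThreatAction  -Cluster 'ProcessServers'
# Test-ClusterThreatAction -Cluster 'ProcessServers'
```

Both functions need an elevated session and the Defender PowerShell module that ships with Windows. The read-back step matters more than the set step: a domain policy can override local Set-MpPreference values without error, so a cluster that was meant to run in “NoAction” could quietly revert to quarantining files, reintroducing exactly the availability risk the advisory warns about.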
This situation highlights the challenges of balancing security and operational continuity in industrial environments, especially where automated responses to malware detection can have significant real-world consequences.