Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
title14-Dec-2023 - Microsoft Defender XDR Security Intelligence Update affecting Geo SCADA Expert

Updates

Update 4: We are awaiting official confirmation, but the Microsoft Security Intelligence version 1.403.516.0 seems to have included an update to the “PUA:Win32/SpeedChecker” definition. Our internal tests show that with exclusions disabled, we are not seeing new alerts on clients using the tested version 1.403.540.0. Official recommendation remains to pause updates until clarification comes from SE. Microsoft Security Intelligence update details here: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.403.516.0

Update 3: Microsoft is aware of the issue and will include a correction in an upcoming update to Defender Security Intelligence. We are awaiting confirmation of the appropriate version we should watch for. In addition, Schneider Electric is working on resolving this in the December 2023 releases of Geo SCADA 2020/2021/2022 by utilizing a different digital signature on their software components. The December 2023 release will be made available as soon as possible.

Update 2: Schneider Electric has updated the Microsoft Update testing page to indicate the known issue with Defender here: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120

Update 1: Please review SE’s post on the official EcoStruxure Geo SCADA Expert Forum here: https://community.se.com/t5/EcoStruxure-Geo-SCADA-Expert/Windows-Defender-update-falsely-detects-some-Geo-SCADA-files/td-p/457549

Affected software versions

Geo SCADA releases made from December 2022 to September 2023 inclusive, including versions of 2019, 2020, 2021 and 2022.

Original Announcement

As of Thursday 14 December 2023, AUTOSOL has been made aware of Schneider Electric EcoStruxure Geo SCADA Expert software components being flagged by Microsoft Defender XDR as malware. Specifically, “PUA:Win32/SpeedChecker”.

While we are still investigating, we encourage all our customers to review their security software update process and see if it’s possible to avoid updating Microsoft Defender XDR (and the security intelligence updates) on their OT networks until we receive additional guidance from Microsoft and Schneider Electric.

The consequences of the update result in the possible quarantine of the Geo SCADA Expert processes required for operation. Exclusion of the Geo SCADA install directories should mitigate this issue. However, recovery after automatic quarantining of the processes may be difficult without reinstalling Geo SCADA.

Recovery

If your system(s) were affected by this, please attempt the following:

  • Exclude the Geo SCADA install directories on the machine (and preferably the OT network).

  • Attempt to ‘revert’ the changes using the “Virus and threat protection” section of Windows settings.

  • Run the Geo SCADA installer and ‘repair’ the services.

More Information

The specific Security Intelligence update is documented here:https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.403.485.0

Guidance from Schneider Electric will be posted on the Schneider Electric website here:

https://community.se.com/t5/EcoStruxure-Geo-SCADA-Expert/Windows-Defender-update-falsely-detects-some-Geo-SCADA-files/td-p/457549

https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120

Please see the below links for official recommendations on anti-virus exclusions on production environments:

Geo SCADA Knowledge Base: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Anti-virus-Scan-Exclusions/ba-p/278735

Geo SCADA 2022 Help File (article ‘Anti-virus Scan Exclusions’): https://tprojects.schneider-electric.com/GeoSCADAHelp/Geo%20SCADA%202020/Default.htm#ServerAdministrationGuide/Anti-virusScanExclusions.htm

This post will be updated as more information becomes available.

...