...

14-Dec-2023 - Microsoft Defender XDR Security Intelligence Update affecting Geo SCADA Expert

Updates

Update 5: Newer updates to Microsoft Security Intelligence, starting at 1.403.870 (21 Dec 2023) and onwards, seem to have resolved the issue as specified by SE here: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120 Please update to the latest Security Intelligence version to avoid additional conflicts. It is still recommended to follow the exceptions as specified in the Schneider-provided article here: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Anti-malware-Configuration/ba-p/278735

Update 4: We are awaiting official confirmation, but the Microsoft Security Intelligence version 1.403.516.0 seems to have included an update to the “PUA:Win32/SpeedChecker” definition. Our internal tests show that with exclusions disabled, we are not seeing new alerts on clients using the tested version 1.403.540.0. Official recommendation remains to pause updates until clarification comes from SE. Microsoft Security Intelligence update details here: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.403.516.0

Update 4: Subsequent updates to Microsoft Security Intelligence are still not allowing Geo SCADA to proceed unhindered, with SE and Microsoft still working on the issue. The guidance is still to refrain from updates before 14 December and/or to establish exceptions in the security software for Geo SCADA. Please refer to the following guide for a discussion on exclusions for anti-malware software: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Anti-malware-Configuration/ba-p/278735

Update 3: Microsoft is aware of the issue and will include a correction in an upcoming update to Defender Security Intelligence. We are awaiting confirmation of the appropriate version we should watch for. In addition, Schneider Electric is working on resolving this in the December 2023 releases of Geo SCADA 2020/2021/2022 by utilizing a different digital signature on their software components. The December 2023 release will be made available as soon as possible.

Update 2: Schneider Electric has updated the Microsoft Update testing page to indicate the known issue with Defender here: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120

Update 1: Please review SE’s post on the official EcoStruxure Geo SCADA Expert Forum here: https://community.se.com/t5/EcoStruxure-Geo-SCADA-Expert/Windows-Defender-update-falsely-detects-some-Geo-SCADA-files/td-p/457549

Affected Software Versions

Geo SCADA releases made from December 2022 to September 2023 inclusive, including versions of 2019, 2020, 2021 and 2022.

Original Announcement

As of Thursday 14 December 2023, AUTOSOL has been made aware of Schneider Electric EcoStruxure Geo SCADA Expert software components being flagged by Microsoft Defender XDR as malware, specifically “PUA:Win32/SpeedChecker”.

While we are still investigating, we encourage all our customers to review their security software update process and see if it’s possible to avoid updating Microsoft Defender XDR (and the security intelligence updates) on their OT networks until we receive additional guidance from Microsoft and Schneider Electric.

The update may result in the quarantine of the Geo SCADA Expert processes required for operation. Exclusion of the Geo SCADA install directories should mitigate this issue. However, recovery after automatic quarantining of the processes may be difficult without reinstalling Geo SCADA.

Recovery

If your system(s) were affected by this, please attempt the following:

  • Exclude the Geo SCADA install directories on the machine from Microsoft Defender’s scans. This can be done from the “Virus & threat protection settings” section of Windows settings.

  • Attempt to ‘revert’ the changes using the “Virus and threat protection” section of Windows settings.

  • Run the Geo SCADA installer and ‘repair’ the services.
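The checks behind these recovery steps can also be scripted with the built-in Defender cmdlets. The following PowerShell is an added example, not AUTOSOL or Schneider Electric code; it assumes the operator passes the actual Geo SCADA install directories in the hypothetical `-GeoScadaPaths` parameter and takes the version threshold from Update 5 of this post.

```powershell
# Added example; run from an elevated PowerShell session on the affected machine.
param(
    # Assumption: the Geo SCADA install directories, supplied by the operator.
    [Parameter(Mandatory)] [string[]]$GeoScadaPaths,
    [switch]$Apply   # without -Apply nothing is changed, the script only reports
)

# 1. Compare the installed Security Intelligence version with the one in Update 5.
$fixedFrom = [version]'1.403.870'
$current   = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -ge $fixedFrom) {
    "Security Intelligence $current is at or above $fixedFrom."
} else {
    Write-Warning "Security Intelligence $current predates $fixedFrom; keep exclusions in place."
}

# 2. List recorded detections for the definition named in the announcement.
$ids = (Get-MpThreat | Where-Object ThreatName -eq 'PUA:Win32/SpeedChecker').ThreatID
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $ids } |
    Select-Object InitialDetectionTime, ThreatID, Resources |
    Format-List

# 3. Add any missing folder exclusions (first recovery step).
$existing = @((Get-MpPreference).ExclusionPath)
foreach ($path in $GeoScadaPaths) {
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Not a directory, skipped: $path"
    } elseif ($existing -contains $path) {
        "Already excluded: $path"
    } elseif ($Apply) {
        Add-MpPreference -ExclusionPath $path
        "Exclusion added: $path"
    } else {
        "Missing exclusion (re-run with -Apply to add): $path"
    }
}

# 4. Show what Defender holds in quarantine before attempting a restore or repair.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

The `Resources` field in step 2 shows which Geo SCADA files were flagged, which helps decide whether a quarantine restore is enough or an installer repair is needed.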

More Information

The specific Security Intelligence update is documented here: https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.403.485.0

Guidance from Schneider Electric will be posted on the Schneider Electric website here:

https://community.se.com/t5/EcoStruxure-Geo-SCADA-Expert/Windows-Defender-update-falsely-detects-some-Geo-SCADA-files/td-p/457549

https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120

Please see the below links for official recommendations on anti-virus exclusions on production environments:

Geo SCADA Knowledge Base: https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Anti-malware-Configuration/ba-p/278735

Geo SCADA 2022 Help File (article ‘Anti-virus Scan Exclusions’): https://tprojects.schneider-electric.com/GeoSCADAHelp/Geo%20SCADA%202020/Default.htm#ServerAdministrationGuide/Anti-virusScanExclusions.htm

This post will be updated as more information becomes available.

10-Feb-2023 - Windows DCOM Hardening Finalized March 14, 2023

Microsoft will release its final update regarding Windows DCOM Hardening on March 14, 2023.

ACM versions 9.1 and later will automatically work with versions of Windows that have been updated with the DCOM Hardening security changes. However, ACM settings can be customized to run ACM 9.1 and later without the DCOM Hardening changes. ACM 9.1 is scheduled to be released late spring 2023.

If you have ACM 9.0.X or earlier, you can also use ACM settings to run ACM in a DCOM Hardened environment.

The instructions to do so are found here: ACM and Windows DCOM Hardening

More information from AUTOSOL about DCOM Hardening is in the post dated 31-May-2022.

Should more information be required, please contact your salesperson or AUTOSOL support.

...