Windows Defender update falsely detects some Geo SCADA files

sbeadle · ‎2023-12-15

Dear All,

I have had notifications that the latest release of Windows Defender updates (14-Dec-2023) identifies some Geo SCADA server/client files as suspicious and may quarantine them. I think it would be wise to hold off on these latest Defender updates until more is known.

From time to time an anti-virus program will have a false positive, and the fix will need to be put into Windows Defender.

Please read below and see MS Updates which will be adjusted with new information.

Thanks

Steve

sbeadle · ‎2023-12-21

The Geo SCADA team have concluded the issue, and updated the KB page:

https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120

Updates from December 21st 2023 onwards are passing tests successfully.

See Answer In Context

AntonioIacoviello · ‎2023-12-15

This is impacting Plant SCADA and Citect and potentially EPO

AntonioIacoviello · ‎2023-12-15

We have create this alert.

aosburn · ‎2023-12-15

Thank you Steve for the update!

sbeadle · ‎2023-12-15

There is an update on the Geo SCADA KB page:

MS Updates

du5tin · ‎2023-12-15

Did some testing with the latest definition update from MS this morning (version 1.403.540.0, KB2267602) and after applying Windows Defender no longer identifies Geo SCADA 2022 executables as dangerous. We are assuming MS corrected this in the latest definition update and the definitions from 1:02am Dec 14 will identify a false positive.

du5tin · ‎2023-12-15

With the latest MS Windows Defender definitions from this morning (KB2267602, v1.403.540.0) it appears this is resolved. The Geo SCADA 2022 executables no longer identify as dangerous. Looks like it was a false positive from Microsoft.

sbeadle · ‎2023-12-16

Just looking now, and the MS a/v definitions 1.403.585.0 mention an update for the Speedcheck detection. I just tried that version and it didn’t flag an issue with SetupLauncher, so it seems to indicate that MS have fixed it. Verification still needed though.

JChamberlain1 · ‎2023-12-17

Still affecting me with 1.403.674.0

sbeadle · ‎2023-12-18

Update Note:

Problems are still being seen with A/V definition updates 1.403.693.0

Microsoft are still reviewing.

sbeadle · ‎2023-12-21

The Geo SCADA team have concluded the issue, and updated the KB page:

https://community.se.com/t5/Geo-SCADA-Knowledge-Base/Microsoft-Update-Testing/ba-p/279120

Updates from December 21st 2023 onwards are passing tests successfully.

StanleyK · ‎2024-01-11

Hello,

we also had the same problem with ESET Endpoint Security.

sbeadle · ‎2024-01-11

Hi Stanley,

Please can you advise more about what ESET is reporting?

Which files

Which Geo SCADA version

Which ESET version

Which virus name

You can advise me using my se.com email address.

Kind regards,

Steve

PetrDorusak123 · ‎2024-01-19

Hello,

We have same problem with Eset File Server v10.0.12014.0

GeoSCADA Expert 2022 (Build 85.8469) March 2023 Update

Eset marked this files as suspicious and deleted them:

C:\Program Files (x86)\Schneider Electric\ClearSCADA\SE.Scada.ViewX.exe

C:\Program Files\Schneider Electric\VirtualViewX\bin64\ClearScada.Client.dll

I had to setup exception in Detection Core and in Cloud protection.

Kind regards,

Petr Dorušák

StanleyK · ‎2024-01-22

Hello Petr,

these files have been reported to Eset support center ([KB141] Submit a virus, website, or potential false positive sample to the ESET Research Lab) and they should add it to excentions in the next virus database update.

PetrDorusak123 · ‎2024-01-23

Hello Stanley,

thanks for good news.

Have a nice day

Petr