VYPR advisory · Published Jun 11, 2026 · 1 source

Siemens Desigo CC Patch Files Falsely Flagged as Malware by Antivirus Engines

Siemens warns that patch files for its Desigo CC building management system are being falsely flagged as malicious by multiple antivirus engines due to a PowerShell script compiled as an executable.

Siemens is alerting customers that patch files for its Desigo CC building management system are being erroneously detected as malware by numerous cybersecurity solutions. The false positives affect Desigo CC versions 7 through 9, as confirmed by tests on VirusTotal. The industrial giant has assured users that the files are unmodified and digitally signed, and it is working with cybersecurity vendors to correct the misclassifications.

Desigo CC is a centralized platform that integrates HVAC, lighting, security, fire safety, power, and other building subsystems into a single open interface for monitoring and control. The false-positive detections stem from a PowerShell script compiled as an executable within a tool called 'patchHelper' that ships with Desigo CC patches. Siemens believes that the script's file system operations, registry modifications, and execution with elevated privileges are being flagged as suspicious or malicious by security engines.

Interestingly, Siemens noted that the script has remained unchanged for several months but has only recently begun triggering antivirus alerts. The company conducted a thorough investigation, manually comparing all relevant files against development repositories. 'No differences or malicious modifications were found. In addition, the digital signatures were verified as valid and showed no indications of manipulation,' Siemens stated in its advisory.

This is not the first time Siemens has encountered issues with third-party cybersecurity solutions. Last year, the company notified customers of a problem affecting Microsoft Defender Antivirus and its Simatic PCS products. The recurring nature of such false positives highlights the challenges industrial control system vendors face when their legitimate software tools employ behaviors that overlap with those of malware.

For Desigo CC users, the immediate risk is operational disruption rather than security compromise. If antivirus software quarantines or deletes the patch files, critical updates may fail to install, potentially leaving systems exposed to genuine vulnerabilities. Siemens advises customers to verify the digital signatures of the patch files and, if confirmed valid, to whitelist them in their security software until the false-positive issue is resolved.
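The advice above ("verify the digital signatures, then whitelist only if valid") can be turned into a repeatable check. The following PowerShell script is an added example, not code from Siemens or from the Vypr article: it walks a patch folder, records each file's Authenticode status, signer, thumbprint and SHA-256, and only adds exclusions when every file both validates and is signed by the expected certificate. The patch directory, the expected signer thumbprint and the use of Microsoft Defender's `Add-MpPreference` cmdlet are assumptions for illustration; the thumbprint is a placeholder that must be replaced with the value taken from vendor documentation or a known-good signed Siemens file.

```powershell
# Added example (not from the Siemens advisory or the Vypr article): verify the
# Authenticode signature of Desigo CC patch files before deciding whether to
# exclude them from antivirus scanning. The patch path, the expected signer
# thumbprint and the use of Microsoft Defender cmdlets are assumptions.

param(
    # Folder holding the extracted patch files (assumed location; adjust as needed).
    [string]$PatchDir = 'C:\DesigoCC\Patches',
    # Thumbprint of the vendor's code-signing certificate. PLACEHOLDER: take the
    # real value from vendor documentation or from a known-good signed file.
    [string]$ExpectedThumbprint = 'PLACEHOLDER-VENDOR-CODESIGNING-THUMBPRINT'
)

# Collect the file types a patch package typically contains, including the
# compiled-script executables the article describes.
$files = Get-ChildItem -Path $PatchDir -Recurse -File -Include *.exe, *.dll, *.ps1, *.msi

# Build one record per file: signature status, who signed it, and a hash that
# can be kept as an audit trail or compared against the vendor's published list.
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File       = $f.FullName
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Timestamp  = $sig.TimeStamperCertificate.Subject
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table File, Status, Signer, Thumbprint -AutoSize

# A file is trusted only if the chain validates AND the leaf certificate is the
# expected one. A valid signature from an unexpected signer is not enough, and a
# tampered file shows up as HashMismatch rather than Valid.
$trusted   = @($report | Where-Object { $_.Status -eq 'Valid' -and $_.Thumbprint -eq $ExpectedThumbprint })
$untrusted = @($report | Where-Object { $_.Status -ne 'Valid' -or  $_.Thumbprint -ne $ExpectedThumbprint })

if ($untrusted.Count -gt 0) {
    # Do not add any exclusion if even one file fails: a partial whitelist would
    # let a tampered file ride along with the legitimate ones.
    Write-Warning "Not excluding anything: $($untrusted.Count) file(s) failed verification."
    $untrusted | Format-Table File, Status, Signer -AutoSize
    exit 1
}

# Whitelist by exact file path rather than by folder so that only the verified
# files are excluded. Add-MpPreference is specific to Microsoft Defender (assumed
# here to be the AV in use); other products have their own exclusion mechanisms.
foreach ($t in $trusted) {
    Add-MpPreference -ExclusionPath $t.File
}

# Keep the signature/hash report as a record of what was excluded and why, so
# the exclusions can be reviewed and removed once the vendors fix the detections.
$trusted | Export-Csv -Path (Join-Path $PatchDir 'patch-signature-audit.csv') -NoTypeInformation
```

Run it from an elevated PowerShell session (Defender exclusions require administrator rights). Excluding individual files rather than the whole patch directory keeps the scope of the temporary whitelist as narrow as possible, and the exported CSV gives the security team something concrete to revisit when the false-positive issue is resolved.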

The incident underscores a broader tension in industrial cybersecurity: legitimate administrative tools often use PowerShell scripts, registry edits, and privilege escalation—techniques that security products are trained to block. As building management systems become more connected and targeted by attackers, the industry must find ways to distinguish benign vendor tools from actual threats without disrupting operations.

Synthesized by Vypr AI