Siemens Desigo CC Files Trigger False Positive Malware Alerts

Siemens has acknowledged that files related to its Desigo CC building automation platform are being incorrectly flagged as malicious by multiple security engines. The issue stems from a PowerShell script included in recent patch files, which is triggering antivirus and endpoint detection responses despite being legitimate.

The false positive alerts affect Desigo CC, a platform used for managing building infrastructure such as HVAC, lighting, and access control. While no active exploitation has been reported, the widespread detection could cause operational friction, particularly for security teams triaging alerts in environments where the software is deployed.

The problematic script is part of patch distribution packages intended to keep the Desigo CC platform updated. Security engines are interpreting the script's behavior — likely its use of PowerShell commands or network communication patterns — as indicative of malware, leading to quarantine or blocking actions.

Siemens has not yet released a specific patch or configuration change to suppress these false positives. Organizations running Desigo CC are advised to review the affected patch files against Siemens' official documentation and whitelist the identified scripts in their security tools to avoid disruption to building management operations.

The broader context here is the persistent challenge of distinguishing benign administrative scripts from actual threats, a problem that has grown as attackers increasingly weaponize PowerShell and other living-off-the-land binaries. Siemens' transparency about the issue helps reduce unnecessary alarm, but it underscores the need for endpoint detection rules that can handle legitimate automation scripts without generating noise.