Preface 1

2
SIMATIC Prozessleitsystem PCS 7 Konfiguration Trend Micro Office Scan V7.3 incl. Patch 2

______________
Managing virus scanners

______________
Practical information 3
SIMATIC

Security Concept PCS 7 & WinCC

(Detail)
Administration of Virus Scanners

Whitepaper

08/2009
A5E02657556-01
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.

CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.

NOTICE
indicates that an unintended result or situation can occur if the corresponding information is not taken into
account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The device/system may only be set up and used in conjunction with this documentation. Commissioning and
operation of a device/system may only be performed by qualified personnel. Within the context of the safety notes
in this documentation qualified persons are defined as persons who are authorized to commission, ground and
label devices, systems and circuits in accordance with established safety practices and standards.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be adhered to. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of the
owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG A5E00496669-06 Copyright © Siemens AG 2009.

Industry Sector Ⓟ 04/2009 Technical data subject to change
Postfach 48 48
90026 NÜRNBERG
GERMANY
Table of contents

1 Preface ...................................................................................................................................................... 5
1.1 Structure and organization of the document..................................................................................5
1.2 Special notes..................................................................................................................................5
2 Managing virus scanners ........................................................................................................................... 7
2.1 Definitions ......................................................................................................................................7
2.2 Using virus scanners......................................................................................................................8
2.3 Basic virus scanner architecture ....................................................................................................9
2.4 Strategy for distributing virus signatures......................................................................................10
2.5 Configuration of virus scanners ...................................................................................................11
2.6 Approved virus scanners for PCS 7 and WinCC .........................................................................12
3 Practical information ................................................................................................................................ 13

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

Whitepaper, 08/2009, A5E02657556-01 3
Preface 1
1.1 Structure and organization of the document
The Security Concept PCS 7 & WinCC consists of several parts:

● The basic document is a central overview and guide for the Security Concept PCS 7
& WinCC.
It provides a systematic description of the basic principles and strategies of the security
concept. Users should have appropriate knowledge of the basic document to understand all
additional detail documents.

● The detail documents (such as this document) explain the specific principles,
solutions and their recommended configuration in detail form, focusing on particular detail
topics. The detail documents are supplemented, updated and provided separately to
ensure they are always up-to-date.

1.2 Special notes

Objective of the Security Concept PCS 7 & WinCC

Top priority priority is given in automation engineering to maintaining production and process
control. Any measures taken to prevent the propagation of security risks must not have
negative impact in this context.
The Security Concept PCS 7 & WinCC is designed to ensure that only authenticated users
can manipulate authenticated devices in the framework of their assigned and authorized
operating options. These operations should only be performed via defined and planned
access routes to ensure safe production or coordination of a job without danger to humans,
the environment, product, goods to be coordinated and the business of the enterprise.
The Security Concept PCS 7 & WinCC accordingly recommends the use of currently
available security mechanisms. To achieve maximum security, configurations with plant-
specific scaling should not contradict the basic principles of this security concept.
The Security Concept PCS 7 & WinCC is designed to support interaction between
administrators of corporate networks (IT administrators) and automation networks
(automation engineers), so that both can benefit from the advantages of the networking of
process technology and data processing at other production levels, without increasing
security risks at either end.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

Whitepaper, 08/2009, A5E02657556-01 5
Preface
1.2 Special notes

Knowledge requirements
This documentation is intended for personnel working in the fields of engineering,
commissioning and servicing of SIMATIC automation systems. It is presumed that readers
have appropriate management knowledge of office IT.

Validity
The Security Concept PCS 7 & WinCC incrementally overrides all previous documents and
recommendations "Security concept for PCS 7" and "Security concept for WinCC" and is
valid as of WinCC V6.2 and PCS 7 V7.0.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

6 Whitepaper, 08/2009, A5E02657556-01
Managing virus scanners 2
Using virus scanners in a process control system is only effective when they are part of a
comprehensive security concept. A virus scanner alone generally cannot protect a process
control system against security threats.

2.1 Definitions

Virus scanner:
A virus scanner is a software that detects, blocks or eliminates known harmful program
routines (computer viruses, worms and similar malware).

Scan engine (scan module):

The scan engine is a component of the virus scanner software that can scan data for the
presence of malware.

Virus signature file (virus pattern / definition file):

This file provides the virus signatures to the scan engine that helps you to scan data for the
existence of malware.

Virus scan client:

The virus scan client is a computer that is scanned for viruses and managed by the virus
server.

Virus scan server:

The virus scan server is a central station that manages the virus scan clients, loads virus
signature files and distributes them to the virus scan clients.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

Whitepaper, 08/2009, A5E02657556-01 7
Managing virus scanners
2.2 Using virus scanners

2.2 Using virus scanners

The use of a virus scanner should never inhibit runtime operation of a plant. The following
two examples show the problems developing in an automation system as a result of the use
of virus scanners:
● A virus scanner may not shut down a computer that is infected with a virus if there is any
risk of loosing control of the production process or if the plant can no longer be brought
into a safe state.
● Likewise, project files such as database archives that are infected with a virus must not
be moved, blocked or deleted automatically if such actions prevent further reproducibility
of important measuring values.
The following requirements are therefore imposed on the use of virus scanners in industrial
environments:
● When operating a Security Suite (virus scanner plus options), users must be able to to
disable all options exceeding the functional scope of a conventional virus scanner, e.g.
firewall, E-mail scan.
● Within a centrally managed virus scanner architecture, options must be available for
organizing and configuring the clients in groups.
● It must be possible to disable automatic distribution of virus signatures.
● It must be possible to distribute virus signatures manually and based on groups.
● An option must be provided to manually initiate a file and system scan within selected
groups.
● When a virus is detected, the scanner must always generate a message, however,
without forcing any file actions (e.g. deleting, blocking or moving).
● All messages must be logged on the virus scanner server.
● The virus scan clients configuration must prevent the display of any messages that could
hide more important process information.
● For reasons of performance, it must be possible to configure the virus scan clients so that
only their local drives are scanned and prevent overlapping scans on network drives.
● Likewise, it must be possible to configure the virus scan clients so that only incoming data
traffic is scanned, provided that all local data has already been scanned at least once.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

8 Whitepaper, 08/2009, A5E02657556-01
 Managing virus scanners
2.3 Basic virus scanner architecture

2.3 Basic virus scanner architecture

To conform with requirements specified in the section "Using virus scanners", it is advisable
to implement a basic virus scanner architecture as shown in Fig. 2-1.
The virus scan server manages its virus scan clients and downloads the virus signatures
from the Internet at the update server of the virus scan manufacturer or from a master virus
scan server. A Web console or similar can be used for administrative access to the virus
scan server.

Fig. 2-1

Depending on the manufacturer, you can implement several virus scan servers to operate in
parallel or within a hierarchy structure.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

Whitepaper, 08/2009, A5E02657556-01 9
Managing virus scanners
2.4 Strategy for distributing virus signatures

2.4 Strategy for distributing virus signatures

To exclude any risk to plant operation through the use of a virus scanner and to take
precautions against the minor risk of receiving "harmful" virus signatures (which are
incorrectly interpreted as malware by the automation software), it is advisable to perform the
following procedure for virus signature updates:
● The virus scan server downloads the virus signatures from the update server of the virus
scan manufacturer on the Internet or from a master virus scan server on the Internet.
● All process servers and clients must be operated in redundant mode.
● At least two groups must be created on the virus scan server for each system. Each
group contains a server for the redundancy partner, including half the number clients
assigned to the group (see Fig. 2-2).
● Configuration of a small-scale test system that is capable of simulating the vital functions
of the existing plant. Start simulation by loading the new virus signatures for testing in
order to detect any negative impact on plant operation.
● If no fault has occurred on the test system on expiration of a defined period and neither
the virus scanner manufacturer, nor Siemens have reported problems in terms of
compatibility with the virus signatures, the signatures can be loaded to a group in each
plant. This operation only has a minor or no effect on plant operation.
● If no problems were found in the systems in terms of compatibility with the virus
signatures on expiration of a period to be specified, the signatures can also be loaded to
the other groups.

Fig. 2-2

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

10 Whitepaper, 08/2009, A5E02657556-01
 Managing virus scanners
2.5 Configuration of virus scanners

2.5 Configuration of virus scanners

Recommendations for virus scanner configurations

● Integrated firewall of the virus scanner
The local Windows firewall is used as of PCS 7 V7.0 und WinCC V6.2 and configured
using the SIMATIC Security Control (SSC) component. Therefore, the firewall integrated
in most of the virus scanners must not be installed.
● Manual scan (manual scan, on demand scan)
A manual scan (also known as "On Demand Scan", depending on the product) must not
be performed on virus scan clients while process mode (runtime) is active. The scan
should be initiated at regular intervals, e.g. within a maintenance interval, on all
computers of the plant.
● Automatic scan (auto-protect, on-access scanning)
For the automatic scan, it is sufficient to check incoming data traffic.
● Time-controlled scan (scheduled check, on demand scan)
A time-controlled scan (also known as "On Demand Scan", depending on the product)
must not be performed on virus scan clients while process mode (runtime) is active.
● Displaying messages
To prevent impairment of the process mode, messages must not be displayed on the
virus scan clients.
● Drives
To avoid overlapping scans on network drives, only the local drives are scanned.
● E-mail scan
The e-mail scan should/must be disabled, except on an engineering station actually
receiving e-mails.
● Organization into groups
The virus scan clients must be organized in groups.
● Distribution of the virus signature (pattern update)
The master virus scan server distributes the virus signatures to the virus scan clients. The
non-reactive use of the virus signatures must be verified in a test system before
deploying them in process mode. Distribute the virus signatures manually to the
respective groups.
● Updating the virus scan engine
Do not run any updates of the virus scan engine while process mode is active (runtime),
as such operations could require rebooting the virus scan clients.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

Whitepaper, 08/2009, A5E02657556-01 11
Managing virus scanners
2.6 Approved virus scanners for PCS 7 and WinCC

2.6 Approved virus scanners for PCS 7 and WinCC

For information on the compatibility of virus scanners with a specific PCS 7 or WinCC
version, refer to the Internet.
PCS 7:
http://support.automation.siemens.com/WW/view/en/10154608
WinCC:
http://support.automation.siemens.com/WW/view/en/24122009
The virus scanners were rated as follows in accordance with virus scanner requirements

Symantec McAfee
Trend Trend Symantec
AntiVirus VirusScan
Micro Micro Endpoint
Requirement 10.0 V8.0i
Office Office Protection
AntiVirus VirusScan
Scan 7.3 Scan 8.0 11.0
10.2 V8.5i
The virus scanner can be installed
Yes Yes Yes Yes Yes
without firewall.
The virus scan clients can be
Yes Yes Yes Yes Yes
organized and configured in groups.
Automatic distribution of virus
Yes Yes Yes Yes Yes
signatures can be disabled.
The virus signatures can be
distributed manually and to selected Yes Yes Conditional1 Yes Yes
groups.
Manual and group-by-group file scans
Yes Yes Yes Yes Yes
are supported.
Detection of a virus triggers a
Yes No 2 Yes Yes No 2
message output but no file action.
The virus scan clients can be
configured so that they do not display Yes Yes Yes Yes Yes
any messages.
1
) Manual distribution of virus definition files is only possible if automatic distribution is
enabled as well.
2
) The guidelines do not contain an option for setting the action so that logging is enabled
although no action occurs.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

12 Whitepaper, 08/2009, A5E02657556-01
Practical information 3
General Information
For information on Trend Micro Office Scan 7.3, refer to:
http://de.trendmicro-europe.com/enterprise/products/product_overview.php
For information on Symantec AntiVirusTM Corporate Edition, refer to:
http://www.symantec.com/enterprise/products/overview.jsp?pcid=1322&pvid=805_1
For information on McAfee® VirusScan® Enterprise, refer to:
http://www.mcafee.com/de/enterprise/products/anti_virus/file_servers_desktops/virusscan_en
terprise_80i.html

Additional information
Software setup routines usually represent a serious modification of the local system and
should always be run from a virus-free storage location on a file server with integrated virus
scanner or from a DVD; a virus scanner should neither obstruct, nor corrupt such
installations. To achieve this goal, you should select so-called file transfer / installation
servers or virus scan configuration settings that do not interfere with setup procedures,
without having to disable the virus scanner.

Test option of virus scanners

To run a simple test of the detection and reporting of virus infection and of the corresponding
reaction of the virus scanners, you can deploy the test files available at
http://www.eicar.org/anti_virus_test_file.htm.
.

Security Concept PCS 7 & WinCC (Detail); Administration of Virus Scanners

13 Whitepaper, 08/2009, A5E02657556-01