Compatibility of anti-virus programs (with the real-time execution of TwinCAT)

Beckhoff recommends that you give careful consideration to the use of anti-virus programs.

Anti-virus programs can be useful in helping the user to discover and remove malware that has infected the computer through the careless opening of mail attachments or via compromised downloads from the internet and is being run. However, such threat scenarios are unlikely with many purposes of use of controllers. If malware does infect a controller via a security hole, e.g. in the operating system, an anti-virus program no longer offers reliable protection. The malware can recognize the popular anti-virus programs and it potentially runs with the same rights as the anti-virus program, which it can then simply deactivate.

Anti-virus programs and operating systems must be updated regularly in order to be effective. These updates may be subject to validations for the release of the controller and the software components installed in it for productive use, making it impossible for Beckhoff to make a reliable statement about the compatibility with the TwinCAT automation software.


Incompatibility with Kaspersky Anti-Virus SDK

The anti-virus software Kaspersky Anti-Virus is incompatible with the TwinCAT Runtime XAR. Products developed on the basis of the Kaspersky Anti-Virus SDK are also incompatible with the TwinCAT Runtime XAR.

If you use Kaspersky Anti-Virus or products based on the Kaspersky Anti-Virus SDK, you can continue to use the TwinCAT Engineering XAE as normal, but the local RUN mode may react by crashing or freezing.

Windows Defender and other anti-virus programs

Windows Defender is an anti-virus component that comes with Windows 10 and is regarded as being as good as third-party products.

During regular tests of Windows Security Updates and Windows Defender within the scope of system and real-time examinations of TwinCAT and Beckhoff IPCs, Beckhoff has so far found no real-time violations of TwinCAT over a long period of time. This empirical value is taken as an indication of a compatible coexistence of Windows Defender and TwinCAT; however, no assurance for future updates can be derived from this. This experience has been gained in tests with active Windows Defender with the function extension "Real-time Protection" disabled at the same time. Due to its mode of operation, this function extension is a probable source of real-time violations of TwinCAT, because it monitors and examines process sequences and their data by accessing the Windows system.

Third-party anti-virus programs interact in different ways with the Windows system following installation and activation. Due to the complexity and the expenditure involved in examining this third-party software, Beckhoff does not regard itself as being able to make qualified statements about the influence of such software on the real-time execution of TwinCAT.

Beckhoff recommendation on the use of Windows Defender and other anti-virus programs

Beckhoff recommends preventing the exposure of controllers to direct points of entry of malware into the system as far as possible by selecting a holistic approach and not relying on the use of anti-virus software alone.

For use in Beckhoff products, Beckhoff offers its customers regular image updates for Beckhoff Industrial PCs containing validated security updates for use with TwinCAT.


Beckhoff makes no warranties, expressed or implied, for real-time performance of it’s automation software TwinCAT for execution and real-time condition compliance in all cycles after installation or update of other software, including but not limited to anti-virus software, OS kernel mode drivers, security patches, and other software.

TwinCAT offers tools to validate real-time execution, and generally, the use of any software after installation on a control computer requires thorough review of system integrity as customary and state of the art in automation technology use cases.