DWH*.tmp files are created and detected when quarantine is scanned with new virus definitions

Article:TECH102953  |  Created: 2007-01-19  |  Updated: 2014-11-24  |  Article URL http://www.symantec.com/docs/TECH102953
Article Type: Technical Solution

Issue

You notice that DWH*.tmp files are created and flagged as malicious by Auto-Protect in Symantec Endpoint Protection (SEP). You also notice that items in quarantine double every time new virus definitions arrive.


Cause



When the virus definitions are updated in the Symantec Endpoint Protection client, there is an option to Rescan the Quarantine. This enables the Symantec Endpoint Protection client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated antivirus signatures.

When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the Symantec Endpoint Protection client must extract the original file(s) from this quarantine packaging before it can be re-scanned.

During this file extraction process, a temporary file named DWHxxxx.tmp is created in the working directory of the Symantec Endpoint Protection client. This is typically within the %App Data%\Symantec\ folder, but in certain older builds of Symantec Endpoint Protection, it may also use the Windows %TEMP% folder.

Normally, this temporary file will not be scanned by the Symantec Endpoint Protection Auto-Protect function, because Symantec Endpoint Protection is already handling the file; that is, Symantec Endpoint Protection knows that it owns the file. However, if a third-party process accesses that file while it is being created, Auto-Protect intercepts the file access and declares the file untrusted, because another process, possibly malicious, has accessed it.

The file is therefore treated as a new, untrusted file and is scanned. The result is that an already quarantined, infected file is rescanned, treated as a suspect file, and quarantined again, adding a duplicate entry to the local quarantine.

Finally, as each definition set is received by the Symantec Endpoint Protection client and the local quarantine is rescanned, the above process repeats, and the contents of the local quarantine are doubled.

Note: A similar quarantine rescan process applied to Symantec AntiVirus (SAV).

  


Solution



The issue of multiple DWH files being created and retained has been improved in the latest versions of Symantec Endpoint Protection. Please see Related Articles for more information on obtaining an upgrade to the newest build, and for release notes for previous releases.

Based on the severity of the detections, there are some known workarounds that should resolve the issue. These are listed in order of preference:

  1. Disable rescanning of the local quarantine upon receipt of new virus definitions.
     1. Open the Virus and Spyware policy > Windows Settings > Quarantine > Advanced Options.
     2. Under "When New Virus Definitions Arrive", select Do nothing.
        In Symantec Endpoint Protection 11.0 versions, this policy is called Antivirus and Antispyware Protection, and Quarantine is under General.
     3. Click OK and, if needed, assign the policy.

  2. Limit the size of the Quarantine folder.
     1. In the right-hand panel of the Virus and Spyware policy, click the Cleanup tab.
     2. Under Quarantined Files, check Enable automatic deleting of quarantined files that could not be repaired (default: Delete after 30 days) and Delete oldest files to limit folder size at: (default 50 MB).
     3. Click OK and, if needed, assign the policy.

  3. Ensure that no processes or services (such as the Windows Indexing Service) can access or monitor Symantec Endpoint Protection files.

  4. Ensure that the %TEMP% folder is not open when virus definitions are updated.

  5. Restart in safe mode, delete *.DWH files in the temporary folder, and empty the quarantine folder.

 
If the quarantine, temporary directories, or xfer_temp folders have grown too large for Windows Explorer to open or clear, it may be necessary to do this from a command prompt. Symantec also has a tool called SymDelTmps, which can help delete the temporary files on a machine that is difficult to work with. Please contact Technical Support and ask for this utility if you would like to use it.

The instructions below are for a standard installation. If the client is installed somewhere other than the default location, be sure to change the path for the files and folders in the commands below. The commands vary by operating system, so choose the command that is appropriate for your computer.
 

Deleting .DWH files

Stop the Symantec service

To stop the Symantec Endpoint Protection service:

  1. Click Start, then Run
  2. Type: smc -stop
  3. Click OK

Deleting files from User Temp folder
Type the following command in Command Prompt. The path varies with the user name: replace NAMEOFUSER with the username of the Windows user whose temp folder you wish to empty:

Windows 2000/XP/2003:
DEL /F /Q "C:\Documents and Settings\NAMEOFUSER\Local Settings\Temp"

Windows Vista/7/2008:
DEL /F /Q "C:\Users\NAMEOFUSER\AppData\Local\Temp"


Deleting the contents of the temp folder at the root of C:\
Type the following command in Command Prompt:

DEL /F /Q C:\temp 


Deleting the contents of the Windows Temp folder
Type the following command in Command Prompt:

DEL /F /Q C:\WINDOWS\Temp 


Deleting the contents of the xfer and/or xfer_temp directories
Type the following command in Command Prompt. Replace silo with the appropriate build number:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\xfer\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

Windows Vista/7/2008:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\xfer\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine Folder

Note: The following instructions are to be done from the Command Prompt, because attempting to open the Quarantine folder in the Windows user interface may cause delays and cause Windows Explorer to hang due to the large number of files that can reside there.
 

Delete the Quarantine Folder
Type the following commands in the Command Prompt. Replace silo with the appropriate build number:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

Windows Vista/7/2008:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

 

Recreate the Quarantine Folder
Type the following commands in the Command Prompt. Replace silo with the appropriate build number:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
 

Windows Vista/7/2008:

Symantec Endpoint Protection 12.1
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

 

To start the Symantec Endpoint Protection service:

  1. Click Start, then Run.
  2. Enter the following: smc -start
  3. Click OK.
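The following PowerShell script is an added example for this article and is not a Symantec tool. It automates the manual procedure above (stop the client, delete the temporary files, empty xfer and xfer_tmp, delete and recreate Quarantine, restart the client) and first reports how many DWH*.tmp files and quarantine entries are present, so the doubling symptom can be confirmed before anything is removed. It assumes the default Symantec Endpoint Protection 12.1 paths on Windows Vista/7/2008 as listed above, PowerShell 3.0 or later, an elevated prompt, that smc.exe can be launched by name as it is from Start > Run, and that the <SILO> placeholder is replaced with the build-number folder. The parameter and function names are the example's own.

```powershell
# Added example for this article, not Symantec's own tooling. Assumes the default
# SEP 12.1 install on Windows Vista/7/2008, PowerShell 3.0 or later, an elevated
# prompt, and that smc.exe can be launched by name as it is from Start > Run.
# <SILO> is a placeholder: replace it with the build-number folder found under
# C:\ProgramData\Symantec\Symantec Endpoint Protection\.
param(
    [string]$Silo    = '<SILO>',   # placeholder, replace with the build-number folder
    [string]$SmcPath = 'smc.exe',  # assumption: resolvable by name; otherwise give the full path
    [switch]$Cleanup               # without -Cleanup the script only reports counts
)

$sepData    = Join-Path $env:ProgramData "Symantec\Symantec Endpoint Protection\$Silo\Data"
$quarantine = Join-Path $sepData 'Quarantine'
$xferDirs   = @((Join-Path $sepData 'xfer'), (Join-Path $sepData 'xfer_tmp'))
$tempDirs   = @($env:TEMP, 'C:\temp', (Join-Path $env:windir 'Temp'))

function Get-DwhReport {
    # Counts DWH*.tmp files in each temp folder and the entries in Quarantine.
    # A quarantine count that roughly doubles after each definition update is
    # the symptom the article describes.
    foreach ($dir in $tempDirs) {
        if (Test-Path -LiteralPath $dir) {
            $n = @(Get-ChildItem -LiteralPath $dir -Filter 'DWH*.tmp' -File -Force -ErrorAction SilentlyContinue).Count
            [pscustomobject]@{ Folder = $dir; Kind = 'DWH*.tmp files'; Count = $n }
        }
    }
    if (Test-Path -LiteralPath $quarantine) {
        $q = @(Get-ChildItem -LiteralPath $quarantine -File -Recurse -Force -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Folder = $quarantine; Kind = 'quarantine entries'; Count = $q }
    }
}

function Invoke-DwhCleanup {
    # Mirrors the article's manual steps: stop the client, remove the temporary
    # files, empty xfer and xfer_tmp, delete and recreate Quarantine, restart.
    # One deliberate difference: only DWH*.tmp files are removed from the temp
    # folders, not their entire contents.
    Start-Process -FilePath $SmcPath -ArgumentList '-stop' -Wait
    Start-Sleep -Seconds 10   # allow the service to finish shutting down

    foreach ($dir in $tempDirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter 'DWH*.tmp' -File -Force -ErrorAction SilentlyContinue |
                Remove-Item -Force -ErrorAction SilentlyContinue
        }
    }
    foreach ($dir in $xferDirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
    if (Test-Path -LiteralPath $quarantine) {
        # Removing the folder as a whole avoids enumerating a huge quarantine in Explorer.
        Remove-Item -LiteralPath $quarantine -Recurse -Force
    }
    New-Item -ItemType Directory -Path $quarantine | Out-Null

    Start-Process -FilePath $SmcPath -ArgumentList '-start' -Wait
}

Get-DwhReport | Format-Table -AutoSize
if ($Cleanup) {
    Invoke-DwhCleanup
    Get-DwhReport | Format-Table -AutoSize   # counts after cleanup, for the record
}
```

Run the script once without -Cleanup to record the counts, and again after the next definition update: if the quarantine count has roughly doubled and DWH*.tmp files have reappeared, the rescan interaction described in the Cause section is still active and workaround 1 or 3 should be applied before clearing the folders. Run with -Cleanup only after stopping any indexing or backup application that touches these folders; unlike the DEL commands above, which empty the temp folders entirely, the script removes only the DWH*.tmp files from them.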

 

NOTE: It is important to recognize that there are applications, such as Windows Indexing Service, that routinely attempt to touch each file. Other applications known to touch these files are backup applications. In these cases, you should make an exclusion for *.DWH in that application, if possible.




Legacy ID: 2007111911135548