
Still Infected Machines not clearing after a full system scan

Created: 11 February 2013 • Updated: 17 February 2013 | 6 comments
This issue has been solved. See the solution.

Hi All,

I have an issue with 3 machines on my network. They have been constantly re-appearing as Still Infected Machines for the past 3 weeks, even after a full system scan in safe mode.

Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.

Infected DWH***.tmp files are detected in the user profile temp directory by AutoProtect.

I understand that SEP 12 RU 2 will fix this issue but I'm still on SEP 12 RU 1. In the meantime, how do I get rid of this issue?

I am not comfortable with disabling the quarantine scan on virus definition update.

  • I was thinking of manually deleting the contents of the Quarantine folder on the infected machine (locate the Quarantine folder, open it and delete everything inside that folder), but I am not sure if that will solve the issue.
  • Delete everything in temp folders.

Any suggestions on how to resolve these Still Infected machines/Newly Infected machines?

Thank you

Comments

Ashish-Sharma


Check jim shock Comments

Is your SEP managed by Symantec? If so, you may not be able to add Exceptions.

These instructions apply to Vista and above - for older operating systems, the folder is under Documents and Settings\<username>\local settings\application data\Symantec.

One problem is that the folder used to rescan Quarantine files is created and deleted each time - so it does not exist normally - and the Exceptions UI only allows existing folders to be added. You can add an exception for ProgramData\Symantec\* - but this may be too broad.

1. Navigate into ProgramData\Symantec

2. Create a new folder - DefWatch.DWH

3. Open the SEP main UI -> Change Settings -> Exceptions -> Configure Settings

4. Add -> Security Risk Exception -> Folder

5. Navigate and select the ProgramData\Symantec\DefWatch.DWH folder, click OK

6. Click Close

7. You can now delete the DefWatch.DWH folder - or it will be automatically deleted after the next Quarantine rescan.

Check this thread


Thanks In Advance

Ashish Sharma

SebastianZ

Have a look at the following KB:

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect


...it provides workarounds for cleaning the files from the temp folders and cleanup of the quarantine. One other possibility is to set the exclusions for .dwh files.

Eyal


Yes, SEP is managed by SEPM and I have just configured the scan to do nothing when new Virus Definitions arrive, and I will see how that goes.

Now, will the Still Infected and Newly Infected machines disappear, as it is the same 3 machines, or do I have to create exclusions for the DWH file?

Thank you

SebastianZ

Normally the management server should reset the Still Infected Status for the SEP client once the computer is no longer infected. Let's see if you see any new infections reported after the setting change.

Mithun Sanghavi


Follow the Steps provided in the Article below:

tmp file (DWH*****.tmp) detected as Trojan.Gen or Trojan.Gen.2 by Corp products


Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade


Based on the severity of the detections, there are some known workarounds that should resolve the issue. These are listed in order of preference:

  1. Disable rescanning of the local quarantine upon receipt of new virus definitions.
    1. Open the Antivirus and Antispyware policy > Windows Settings > Quarantine > General
    2. Under "When New Virus Definitions Arrive" choose "Do nothing".
       In SEP 12.1 versions, this policy will be called Virus and Spyware Protection and Quarantine will be under Advanced Options.

  2. Limit the size of the Quarantine folder.
    1. In the right-hand panel, on the Cleanup tab, under Quarantined Files, check Enable automatic deleting of quarantined files that could not be repaired (default: Delete after 30 days) and Delete oldest files to limit folder size at: (default 50 MB).

  3. Click Ok and, if needed, assign the policy.

  4. Ensure that no processes or services (such as Windows Indexing Service for example) can access or monitor SAVCE or SEP files.

  5. Ensure that the "%TEMP%" folder is not open when virus definitions are updated.

  6. Restart in safe mode, delete *.DWH files in the temporary folder, and empty the quarantine folder

Reference: When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect


To clear the SEPM status try to truncate the database transactions logs and rebuild indexes.

If possible, repair the SEPM.


Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
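
The temp-folder cleanup discussed in this thread can be inventoried before anything is deleted. The script below is an added example, not part of the thread or of any Symantec tooling: it lists leftover DWH*.tmp files in every user profile's temp folder and removes them only when asked. The script name Find-DwhTemp.ps1, the default profile root, the Vista-or-later `AppData\Local\Temp` layout and PowerShell 3.0 or later are assumptions.

```powershell
# Find-DwhTemp.ps1 (hypothetical name) - added example, not Symantec tooling.
# Lists DWH*.tmp leftovers in each profile's temp folder; deletes only with -Remove.
# Assumes PowerShell 3.0+ and the Vista-or-later profile layout.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: profiles live under <SystemDrive>\Users
    [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'),
    [switch]$Remove
)

$found = @(
    foreach ($userDir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $temp = Join-Path $userDir.FullName 'AppData\Local\Temp'
        if (-not (Test-Path -LiteralPath $temp)) { continue }
        # Only the DefWatch rescan leftovers named in the thread: DWH*.tmp
        Get-ChildItem -LiteralPath $temp -Filter 'DWH*.tmp' -File -Force -ErrorAction SilentlyContinue
    }
)

# Report first, oldest file at the top, so the list can be reviewed before cleanup
$found | Sort-Object LastWriteTime | Select-Object FullName, Length, LastWriteTime

if ($Remove) {
    foreach ($file in $found) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete leftover DefWatch temp file')) {
            try {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            }
            catch {
                # A file still held open cannot be removed; the thread's
                # safe-mode step exists for exactly this case
                Write-Warning "Could not delete $($file.FullName): $($_.Exception.Message)"
            }
        }
    }
}
```

Run it from an elevated prompt so other users' profiles are readable, and use `-Remove -WhatIf` to preview deletions.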