Video Screencast Help

Defwatch.dwh has 293kb files that are detected (externally) as a suspicious.B.UMH

Created: 02 Aug 2014 | 5 comments

I'm finding these files in the c:\programdata\Symantec\defwatch.dwh\ folder, and these are DWH####.exe files (not .tmp like a definition update).  The client is running 12.1..4013.4013, and I'm not seeing these files on other similar versioned systems.  In fact, when I run a scan on the files on the machine itself (with current defintions) it finds nothing, but when I scan the files externally from another system it detects them as the suspicious.B.UMH files.  So what is this?  A virus that is hiding detection from the client?  Or a bogus update of somekine from Symantec that doesn't act like the other systems?  Please advise how to track root cause on this and fix.  Thanks.

Operating Systems:

Comments 5 CommentsJump to latest comment

ᗺrian's picture

This was a known issue in previous versions and still seems to be prevelant today.

Check the removal steps in this link. Or at least verify these files exist in the given location(s).

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Baffoni's picture

For what it is worth, uploading to virus total, they get the following results:

Antivirus Result Update
AVware Installerex/WebPick (fs) 20140801
Ad-Aware Adware.Generic.570790 20140731
AhnLab-V3 PUP/Win32.TSULoader 20140731
AntiVir ADWARE/InstallRex.Gen 20140731
Antiy-AVL Spyware[AdWare:not-a-virus]/Win32.Agent 20140731
Avast Win32:InstalleRex-X [PUP] 20140801
BitDefender Adware.Generic.570790 20140801
Bkav W32.FamVT.AntiFWK.Trojan 20140731
CAT-QuickHeal Trojan.AntiFW.B5 20140731
Comodo Application.Win32.InstalleRex.KG 20140731
ESET-NOD32 Win32/InstalleRex.J 20140801
Emsisoft Adware.Generic.570790 (B) 20140801
F-Secure Adware.Generic.570790 20140801
Fortinet Riskware/InstalleRex 20140801
GData Adware.Generic.570790 20140801
Ikarus PUA.InstallRex 20140801
K7AntiVirus Unwanted-Program ( 00491c4c1 ) 20140731
K7GW Unwanted-Program ( 00491c4c1 ) 20140731
Kaspersky not-a-virus:AdWare.Win32.Agent.aeph 20140801
Kingsoft Win32.Troj.Generic.a.(kcloud) 20140801
Malwarebytes PUP.Optional.Installex 20140801
McAfee PUP-FHQ 20140801
McAfee-GW-Edition PUP-FHQ 20140801
MicroWorld-eScan Adware.Generic.570790 20140801
NANO-Antivirus Riskware.Win32.Agent.crfila 20140801
Panda PUP/TSUploader 20140731
Qihoo-360 Malware.QVM20.Gen 20140801
Rising PE:Malware.Agent!6.5A 20140731
SUPERAntiSpyware Adware.InstalleRex/Variant 20140801
Sophos InstallRex 20140801
Symantec Suspicious.B.UMH 20140731
VBA32 Downware.TSU 20140731
VIPRE Installerex/WebPick (fs) 20140801

On the surface, this looks anywhere from annoying adware to nasty.  I've submitted to Symantec detections but all it says is that it is already detected - and it does, but not on the "infected" machine even with updated defs.

Baffoni's picture

If that is the cause, why does the article mention .tmp files in a completely different path?  Is this the new area for unpacking in 12.1.x and it retains a .exe?

ᗺrian's picture

I've seen this before as well, it all ties back to the dwh false positive issue. Been around since SEP 11.x days and still here in 12.1.

You can read the explanation as to why it happens here:

The entire thread is a good read if you have the time.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Manipillai's picture

Yes.Brian is right as I have seen same problem after I have upgrade from ru2 to ru4 I had the same problem follow the article will not happen again.


Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<