Endpoint Protection

  • 1.  Defwatch.DWH SEP 12.1 RU5

    Trusted Advisor
    Posted Apr 14, 2015 03:13 AM

    I thought this false positive issue detecting defwatch.dwh was fixed in 12.1 RU2?

    We are seeing this on a 12.1 RU5 machine detecting these defwatch false positives in the Symantec location

    C:\ProgramData\Symantec\DefWatch.DWH\dwh****.doc

    These are still appearing on the still-infected machines.




  • 2.  RE: Defwatch.DWH SEP 12.1 RU5

    Trusted Advisor
    Posted Apr 14, 2015 03:43 AM

    Hello,

    Request you to create a case with Symantec.

    Don't worry, that is not a new infection, but an alert that is triggered in certain circumstances upon files already quarantined. Please upgrade to the latest available release of SEP, where improvements in the code minimize the occurrence of those alerts.

    tmp file (DWH*****.tmp) detected as Trojan.Gen or Trojan.Gen.2 by Corp products

    http://www.symantec.com/business/support/index?page=content&id=TECH102953

    The actual cause was with SEP 11, where the files were created by the Symantec Endpoint Protection or Symantec AntiVirus Quarantine scan. This scan is normally initiated by a virus definition update.

    The quarantine scan on virus definition update can be disabled: edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".

    There are also several known methods to work around the issue:

    • The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
    • Items in quarantine can be deleted.
    • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
    • Investigate other applications that are scanning the temp file for changes.

    Regards,



  • 3.  RE: Defwatch.DWH SEP 12.1 RU5

    Posted Apr 14, 2015 08:20 AM

    This issue has persisted in every version of SEP since the early 11.x days. There are "fixes" made in some releases but there has not been a true fix to close this issue out. Workarounds exist but no fix:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect.

    http://www.symantec.com/docs/TECH102953
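As an added example, not part of this thread: a small triage helper that flags detections matching the pattern the posts describe (a dwh*.tmp or dwh*.doc file under C:\ProgramData\Symantec\DefWatch.DWH reported as Trojan.Gen or Trojan.Gen.2) for separate review, while a DWH-named file anywhere else is kept out of that bucket. The record layout, host names, sample paths and the "SomeOther.Threat" name are constructed for the example and are not a real SEP log export format.

```python
# Added triage helper for the DefWatch.DWH quarantine-rescan alerts discussed above
# (Symantec TECH102953). It groups detection records so an analyst can review the
# likely rescan artifacts separately instead of treating them as new infections.
# The Detection record and the sample data are constructed; they are not SEP's log format.
import re
from dataclasses import dataclass

# Folder and file-name pattern as given in the thread: C:\ProgramData\Symantec\DefWatch.DWH\
# with dwh****.doc / DWH*****.tmp (the wildcards stand for characters SEP generates).
DEFWATCH_DIR = r"c:\programdata\symantec\defwatch.dwh"
DWH_NAME = re.compile(r"^dwh[0-9a-z]+\.(tmp|doc)$", re.IGNORECASE)
# Detection names the KB article quoted in post 2 associates with the artifact.
ARTIFACT_THREATS = {"trojan.gen", "trojan.gen.2"}


@dataclass(frozen=True)
class Detection:
    host: str
    path: str    # full Windows path of the detected file
    threat: str  # detection name reported by Auto-Protect


def classify(d: Detection) -> str:
    """Return 'quarantine-rescan-artifact', 'dwh-name-outside-quarantine' or 'review'."""
    folder, _, name = d.path.replace("/", "\\").lower().rpartition("\\")
    in_defwatch = folder.rstrip("\\") == DEFWATCH_DIR
    dwh_named = DWH_NAME.match(name) is not None
    if in_defwatch and dwh_named and d.threat.lower() in ARTIFACT_THREATS:
        return "quarantine-rescan-artifact"
    if dwh_named and not in_defwatch:
        # Same naming pattern elsewhere on disk is not covered by the KB: do not suppress it.
        return "dwh-name-outside-quarantine"
    return "review"


def triage(detections):
    """Group a batch of detections by classification, preserving input order."""
    buckets = {"quarantine-rescan-artifact": [], "dwh-name-outside-quarantine": [], "review": []}
    for d in detections:
        buckets[classify(d)].append(d)
    return buckets


# Constructed sample records (hosts, file names and the last threat name are made up).
SAMPLE = [
    Detection("ws01", r"C:\ProgramData\Symantec\DefWatch.DWH\dwhA1B2.tmp", "Trojan.Gen.2"),
    Detection("ws01", r"C:\ProgramData\Symantec\DefWatch.DWH\DWH7F3C.doc", "Trojan.Gen"),
    Detection("ws02", r"C:\Users\Public\dwh9999.tmp", "Trojan.Gen"),
    Detection("ws03", r"C:\ProgramData\Symantec\DefWatch.DWH\dwh0001.tmp", "SomeOther.Threat"),
]

if __name__ == "__main__":
    for label, items in triage(SAMPLE).items():
        print(f"{label}: {len(items)}")
```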