DWH file issue in SEP v11.0.7

Created: 11 Jul 2012 • Updated: 16 Aug 2012 | 6 comments
This issue has been solved. See solution.

Hi,

I'm having an issue with my new installation of SEP v11.0.7 MP2; it gives me this error every morning:

 

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen
File: C:\ProgramData\Symantec\DefWatch.DWH\dwhbb53.exe
Location: C:\ProgramData\Symantec\DefWatch.DWH
Computer: AdminLaptop01
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, July 12, 2012  10:18:00 AM
 
Can anyone please advise what to do?


P_K_

Stop the SEP service and delete the files

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Dushan Gomez

Which file to delete?

Do I just

smc -stop, then

delete, then

smc -start?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

_Brian

 

https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

Note the explanation by Ryan_Dasso.

You can also find a workaround by Mithun Sanghavi posted on the last page of this thread.

Doing a search of the forum, you will also find other posts on it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade

Hi Dushan Gomez,

Please check this article:

DWH***.tmp files are detected in the user profile temp directory

http://www.symantec.com/docs/TECH92399

These detections do not indicate a new outbreak of a threat. The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.

There are also several known methods to work around the issue:

  • The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
  • Items in quarantine can be deleted.
  • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
  • Investigate other applications that are scanning the temp file for changes.

I hope it helps.

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Chetan Savade

Hi,

Also, you can refer to this article:

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
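
One way to triage notifications against the pattern the two articles above describe, added here as an example and not taken from the thread or from Symantec: it parses notifications in the format quoted in the first post and flags those whose file is a dwh* name inside a DefWatch.DWH folder, or a dwh*.tmp inside a Temp folder. The function names, the file-name regex and the two extra sample records are assumptions made for illustration.

```python
import ntpath
import re

# First record is the notification quoted in the thread; the other two are constructed.
SAMPLE = r"""
Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen
File: C:\ProgramData\Symantec\DefWatch.DWH\dwhbb53.exe
Action taken: Pending Side Effects Analysis : Access denied

Scan type: Auto-Protect Scan
Security risk detected: Trojan.Gen
File: C:\Users\alice\AppData\Local\Temp\DWH1A2B.tmp

Scan type: Auto-Protect Scan
Security risk detected: Trojan.Gen
File: C:\Users\alice\Downloads\dwhsetup.exe
"""

# Assumed naming pattern: "dwh" + alphanumerics + extension (dwhbb53.exe, DWH1A2B.tmp).
DWH_NAME = re.compile(r"^dwh[0-9a-z]+\.[0-9a-z]+$", re.IGNORECASE)

def parse_records(text):
    """One dict per blank-line-separated block of 'Key: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        rec = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if rec:
            records.append(rec)
    return records

def matches_rescan_pattern(rec):
    """Heuristic (assumption): dwh* file in DefWatch.DWH, or dwh*.tmp in a Temp folder."""
    folder, name = ntpath.split(rec.get("File", ""))
    if not DWH_NAME.match(name):
        return False
    parts = [p.lower() for p in folder.split("\\")]
    in_defwatch = "defwatch.dwh" in parts
    in_temp = name.lower().endswith(".tmp") and "temp" in parts
    return in_defwatch or in_temp

def triage(text):
    """Return (file, verdict) pairs; anything that does not match is investigated as usual."""
    return [(r.get("File", ""), "rescan-pattern" if matches_rescan_pattern(r) else "investigate")
            for r in parse_records(text)]
```

A match means only that the file name and location fit the quarantine-rescan pattern; the constructed dwhsetup.exe record in Downloads shows why the name alone is not treated as sufficient.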

SOLUTION
Dushan Gomez

Thanks for all of your responses, guys.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP