
DWH Files in Quarantine

Created: 04 Jan 2013 | 15 comments

I was running into these issues with SEP 11, so I upgraded to SEP 12.1.2015.2015 and they are reappearing again. When I delete them they keep reappearing. I have looked through the various discussions started on this issue, and it always seemed as though it was fixed in previous versions with a new patch. Does anyone have a solution for 12?


Ashish-Sharma's picture

Hi,

According to the fix notes of the latest SEP version, i.e. SEP 12.1 RU2, the issue is resolved with this release.

Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2

 
If it reappears again, you can check this thread and check Jim Shock's comments; they may help.
 
https://www-secure.symantec.com/connect/forums/sep-121-and-dwhtmp-files-0

Thanks In Advance

Ashish Sharma

 

 

Mithun Sanghavi's picture

Hello,

This issue seems to be resolved, as I haven't come across any such cases with Symantec Endpoint Protection 12.1 detecting DWH###.TMP files.

Was this SEP 12.1 client upgraded from SEP 11?

http://www.symantec.com/docs/HOWTO55365

The above article speaks on how to clear disk space before upgrading SEP 11 to SEP 12.1.

The actual cause was with SEP 11, where the files were created by the Symantec Endpoint Protection or Symantec AntiVirus Quarantine scan. This scan is normally initiated by a virus definition update.

The quarantine scan on virus definition update can be disabled: edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".

There are also several known methods to work around the issue:

  • The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
  • Items in quarantine can be deleted.
  • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
  • Investigate other applications that are scanning the temp file for changes.

Check this Thread:

http://www.symantec.com/connect/forums/sep-121-and-dwhtmp-files

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

Please perform a full scan on all the systems & verify it again.

If that doesn't help, then perform a full scan in safe mode on 2-3 machines and let us know the result.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

.Brian's picture

The issue seems to re-appear in 12.1 RU2 as I have seen this as well.

In SEPM, under "When new definitions arrive", set it to "Do Nothing"; this should stop it from happening.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Amato's picture

So back story: I had this issue with 11, so I uninstalled, deleted the quarantine, deleted everything about it, even cleared out the registry. I reinstalled 11, and the issues stopped, but promptly uninstalled it again about an hour later and installed 12.

 

Chetan, the DWH files were found during a full scan.

Brian, where is that located?

.Brian's picture

Edit your AV policy

Select the Quarantine tab

On the General tab under "When New Virus Definitions Arrive" set it to "Do Nothing"

Click OK to save it

 


Amato's picture

So I go to "Change Settings" tab and select "Virus and Spyware Protection", all that appears for tabs are:

Global settings

Auto-Protect

Download Insight

Internet email auto-protect

outlook auto-protect

notes auto-protect

Early launch Mal Ware

 

Unfortunately, I do not see anything that allows me to define anything about the quarantine.

 

 

 

.Brian's picture

Not sure what you mean by Change Settings tab but it should be right in your AV policy like below:


Amato's picture

Ok as I was browsing through other topics while waiting for a response, I noticed a post by you that made it clearer. I am looking in SEP, but I need to be in SEPM, which is my new question, how do I access SEPM?

Amato's picture

Also would like to point out that SEP was installed as unmanaged.

 

.Brian's picture

Check this thread:

https://www-secure.symantec.com/connect/forums/gen...

On the second page is a post by Mithun Sanghavi on how to clear out


Ashish-Sharma's picture

Hi Amato,

Check this comment:

 

Jim Shock (Symantec Employee, Accredited)

Is your SEP managed by Symantec? If so, you may not be able to add Exceptions.

These instructions apply to Vista and above - for older operating systems, the folder is under Documents and Settings\<username>\local settings\application data\Symantec.

One problem is that the folder used to rescan Quarantine files is created and deleted each time - so it does not exist normally - and the Exceptions UI only allows existing folders to be added. You can add an exception for ProgramData\Symantec\* - but this may be too broad.

1. Navigate into ProgramData\Symantec

2. Create a new folder - DefWatch.DWH

3. Open the SEP main UI -> Change Settings -> Exceptions -> Configure Settings

4. Add -> Security Risk Exception -> Folder

5. Navigate and select the ProgramData\Symantec\DefWatch.DWH folder, click OK

6. Click Close

7. You can now delete the DefWatch.DWH folder - or it will be automatically deleted after the next Quarantine rescan.

 

Thanks In Advance

Ashish Sharma

 

 

Amato's picture

Neither of those steps seem to work.

 

Brian, the one you recommended didn't, as some of the folders it wanted me to delete could not be, due to other programs using them (which ones, I do not know). I am thinking about uninstalling and reinstalling. Would it be recommended to install the managed version?

.Brian's picture

The managed version may help so that you can make the setting change to do nothing when new defs arrive.

You cannot do this with the unmanaged version.


Mithun Sanghavi's picture

Hello,

Since it's an Unmanaged Client, I would recommend you 2 things - 

1) Uninstall SEP 12.1 from the client machine and then make sure you have deleted all directories and files of Symantec from the machine. Once done, reinstall SEP 12.1 as a fresh new client.

OR

2) Install the client as Managed SEP client and perform the above given steps.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3
