Generic Trojan - DWH*.tmp in Temp folder

Created: 19 Aug 2012 | 14 comments

Hi there,

It seems that after all, this problem with Generic Trojan - DWH*.tmp in Temp folder has not been fixed. Today it's 20.08.2012 and this problem hasn't been fixed. I have a lot of temp files prompted as being infected with Trojan.Gen.2; see this print screen: http://screencast.com/t/PshRysnqh

I'm using Symantec Endpoint Protection ver. 11.0.6005.562

I'm addressing this post to Symantec officials to offer me a solution to fix this, as I'm tired of dealing with this. I have read the previous post about this and it seems that this issue still persists.

Looking forward to a fast answer,

ChiefRA

pete_4u2002's picture

The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1.

If you do not want to upgrade, use the workaround mentioned in this URL:

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/business/support/index?page=content&id=TECH102953

Mithun Sanghavi's picture

Hello,

This is a known issue with the older versions of Symantec Endpoint Protection version 11.x.

In case you are carrying an older version of SEP, it would be advised to install the latest version of SEP 11.0.7200 or migrate to SEP 12.1.1000.

Check this:

DWH***.tmp files are detected in the user profile temp directory

http://www.symantec.com/docs/TECH92399

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

Check these Threads: 

https://www-secure.symantec.com/connect/forums/unable-fully-remove-trojangen2-sep

https://www-secure.symantec.com/connect/forums/trojangen2

https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

Secondly, the issue is fixed in RU6 MP1. Upgrade the client to RU6 MP1 and let us know if it solves your problem.

DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan

Fix ID: 1925607

Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.

Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.

http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Fabiano.Pessoa's picture

Hi, good morning.

Run a temporary-file cleaner on your desktop. Then run a scan of your computer in safe mode, or run your security solution while Windows is in safe mode.
To do this, restart your PC and press the F8 key until the screen with the options appears. Choose Safe Mode without networking and perform a scan.

I am available for any questions.

Hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

Chetan Savade's picture

Hi,

Please check this article

DWH***.tmp files are detected in the user profile temp directory

http://www.symantec.com/docs/TECH92399

These detections do not indicate a new outbreak of a threat.  The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.

There are also several known methods to work around the issue:

  • The quarantine scan on virus definition update can be disabled in the  Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
  • Items in quarantine can be deleted.
  • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
  • Investigate other applications that are scanning the temp file for changes.

This issue is seen with a few of the latest versions of SEP, i.e. RU7 MP2.

Check following article for more details.

https://www-secure.symantec.com/connect/forums/dwh...

I hope it helps.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
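A triage sketch for the situation described in the posts above, added here as an example and not taken from the thread or from Symantec: it separates detections that fit the quarantine-rescan pattern (DWH*.tmp in a Temp folder shortly after a definition update) from ones that still need a look. The record fields, the 30-minute window, the verdict labels and the sample data are all assumptions made for illustration.

```python
import fnmatch
import ntpath
from datetime import datetime, timedelta

# Assumed: how long after a definition update the quarantine rescan may still run.
WINDOW = timedelta(minutes=30)

def is_dwh_temp(path):
    """True for a DWH*.tmp file sitting directly in a folder named Temp."""
    folder, name = ntpath.split(path)  # ntpath parses Windows paths on any OS
    return (fnmatch.fnmatchcase(name.lower(), "dwh*.tmp")
            and ntpath.basename(folder).lower() == "temp")

def classify(detections, definition_updates, window=WINDOW):
    """Return (path, verdict) for each detection record."""
    updates = [datetime.fromisoformat(u) for u in definition_updates]
    results = []
    for det in detections:
        when = datetime.fromisoformat(det["time"])
        after_update = any(timedelta(0) <= when - u <= window for u in updates)
        if not is_dwh_temp(det["path"]):
            verdict = "investigate"               # not the quarantine temp pattern
        elif after_update:
            verdict = "likely-quarantine-rescan"  # matches name, folder and timing
        else:
            # A file name alone is weak evidence; the thread also mentions
            # re-detection during scheduled scans, so review instead of dismissing.
            verdict = "review-dwh-no-update"
        results.append((det["path"], verdict))
    return results

# Constructed sample data (hypothetical, not from any real SEP log).
SAMPLE_UPDATES = ["2012-08-20T09:00:00"]
SAMPLE_DETECTIONS = [
    {"time": "2012-08-20T09:04:10", "risk": "Trojan.Gen.2",
     "path": r"C:\Users\alice\AppData\Local\Temp\DWH1A2B.tmp"},
    {"time": "2012-08-20T15:30:00", "risk": "Trojan.Gen.2",
     "path": r"C:\Users\alice\AppData\Local\Temp\DWH9F00.tmp"},
    {"time": "2012-08-20T09:05:00", "risk": "Trojan.Gen.2",
     "path": r"C:\Users\alice\Downloads\setup.exe"},
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_DETECTIONS, SAMPLE_UPDATES):
        print(f"{verdict:26} {path}")
```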

Ashish-Sharma's picture

This is a known issue which is going to be fixed probably in SEP 11 RU6 MP1.

Meanwhile, please follow the KB below to resolve this issue:

http://service1.symantec.com/SUPPORT/ent-security....

Reason behind it:
- By default, when there is anything in the quarantine folder and new definitions are downloaded to the SEP client, a scan is initiated after the download to check whether any definitions are available that can resolve the quarantined files.

- Unfortunately, in some cases, during this process the scan detects the tmp files which are created in the Xfer or Xfer_tmp folder during the above process.

This issue was initially fixed in MR4 MP2, however, I have seen this issue in some cases of RU5 and RU6 as well.

As mentioned above, hopefully, it will resolve in RU6 MP1.

Check the Knowledgebase.

DWH***.tmp files are detected in the user profile temp directory.

http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US
 
Release Notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x
 
http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US
 

Thanks In Advance

Ashish Sharma

andre jean's picture

Hi,

So SEP11 RU6 MP1 didn't work.

V11 7000.975 doesn't work either.

I'm not sure I understand what RU7 MP2 means.

Anyone at Symantec has an idea about the importance of statistic reliability?

I know this doesn't help anybody, it just makes me feel a little better!

pete_4u2002's picture

The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1.

Can you try on one such client?

Bradrum's picture

The issue remains with:

12.1.1101.401 RU1 MP1

I had the issue today, 2012.09.17  on a client running

12.1.1101.401 RU1 MP1

Chetan Savade's picture

Hi,

I would also like to suggest opening a case with support.

How to create a new case in MySupport

http://www.symantec.com/docs/TECH58873

How to Create and Validate a SymAccount for using Symantec's MySupport

http://www.symantec.com/docs/HOWTO31127

OR

Contact Symantec Technical Support via the support phone numbers listed below

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
India: Toll-Free 000 800 4401 456 directly
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Contact Symantec Customer Care on 

http://www.symantec.com/support/assistance_care.jsp

OR 

Technical Support

http://www.symantec.com/business/support/contact_techsupp_static.jsp

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Bradrum's picture

I appreciate the suggestion but I've been able to curb the issues using the indexing/quarantine/temp clearing methods found in various threads.  I just wanted to put it out there that upgrading is not the answer.  Maybe next time?

Gracias

Chetan Savade's picture

Hi Gracias,

Please monitor for a few days.

If the issue reoccurs, then upgrading to the latest version of 12.1 can be the best option.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Chetan Savade's picture

Hello Everyone,

According to the fix notes of the latest SEP version, i.e. SEP 12.1 RU2, the issue is resolved with this release.

Repeated detection of DWHxxxx.tmp as a threat
Fix ID: 2718341
Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.
Solution: Increased Defwatch scan performance and moved the temporary extraction folder from %TEMP% to Application Data to avoid conflicts with Windows Search Indexer.
 
Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.