
Generic Trojan - DWH*.tmp in Temp folder - Still unsolved years later...

Created: 05 Jul 2012 | 4 comments

Well, big surprise! After countless revisions/patches/etc. we're now on a clean build of 12.1.1101.401 RU1 MP1 and it's still happening. Our company is nearly ready to drop Symantec entirely. Too many repeat issues with empty promises of "but wait, we're working on a patch!" or "ok, it's fixed now! honest!". If we can get a fix (a real one this time, seriously) I might be able to change some minds.

If there's a real fix, please post it here. If you need more info, just search the forums or google it; this is not a unique nor hard-to-find issue by any means, and I'm done running in circles.


Ian_C.

With an account that is barely older than this post, one does have to wonder if you are trolling.

You are correct, this still seems to be a problem. Shulk posted a workaround here: https://www-secure.symantec.com/connect/forums/sep-121-and-dwhtmp-files-0#comment-7364561

To save you some more running around, here is his reply:

Unfortunately...
This is an issue that should have been solved long ago, unfortunately it hasn't.
The two KBs below are, in my opinion, the best workaround to apply until a future release erases this bug for good.
Btw, whether you upgrade from 11.0 or do a fresh install of 12.1, the issue might occur in both cases anyway.
http://www.symantec.com/docs/TECH102953
http://www.symantec.com/docs/TECH138856
Hope it helps.
Shulk.

For us, TECH102953 got rid of the invalid notifications. I do like the idea of rescanning the quarantine and restoring repaired legitimate files. My reasoning for disabling the rescanning of the quarantine was twofold:

  • How often are infected EXEs actually legitimate? In my experience, more often than not, the malware has its own EXE with a semi-legit-sounding name. No point in restoring that.
  • If a document was infected, why does the user not notice immediately that it is gone? If it's gone for 60 days before being deleted from the quarantine, most users won't ever use that file again anyway, or will re-create it. Admittedly, this option is less than ideal. Dealing with this problem 2 - 10 times a year is still preferable to getting false positives 365 days of the year.


Please mark the post that best solves your problem as the answer to this thread.
cus000

...nice nick there

I saw that thread yesterday... so apparently the issue is still haunting 12.1?


The best bet is to disable rescanning of quarantined items, as pointed out in the KB. From my own experience, older versions of SEP 11 suffer more... I had to upgrade the client to at least RU6 MP2.

Ian_C.

... is available in the other thread. Problem seems to still not be resolved.

Chetan Savade

Hello Everyone,

According to the fix notes of the latest SEP version, i.e. SEP 12.1 RU2, the issue is resolved with this release.

Repeated detection of DWHxxxx.tmp as a threat
Fix ID: 2718341
Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.
Solution: Increased Defwatch scan performance and moved the temporary extraction folder from %TEMP% to Application Data to avoid conflicts with Windows Search Indexer.
Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
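The RU2 fix notes above say the Defwatch quarantine rescan extracted its DWHxxxx.tmp working files into %TEMP%, where they collided with the Windows Search indexer. Whether you apply the KB workaround or the RU2 update, you still want a way to confirm on an endpoint that the leftover files are actually gone. The PowerShell below is an added triage script, not code from the thread, from Symantec, or from the KB articles; it assumes the files are named DWH*.tmp as described here, that the folders worth checking are each user profile's AppData\Local\Temp plus %SystemRoot%\Temp (the scan runs as SYSTEM), and that it is run from an elevated prompt.

```powershell
# Added example (not from the thread or Symantec): report leftover DWH*.tmp
# extraction files in the temp folders a quarantine rescan might use, together
# with the state of the Windows Search service (WSearch), which the RU2 fix
# notes blame for the conflict. Run elevated so every profile's temp is readable.

# Candidate temp folders (assumption: per-user Local\Temp and the system temp).
$candidates = @(Join-Path $env:SystemRoot 'Temp')
$candidates += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

# Collect every DWH*.tmp with its size, timestamp and age in hours.
$hits = foreach ($dir in $candidates) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter 'DWH*.tmp' -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'AgeHours'; Expression = { [math]::Round(((Get-Date) - $_.LastWriteTime).TotalHours, 1) } }
}

# Windows Search indexer state; 'not installed' if the service is absent.
$wsearch = Get-Service -Name WSearch -ErrorAction SilentlyContinue
$indexerState = if ($wsearch) { $wsearch.Status } else { 'not installed' }

"Host: $env:COMPUTERNAME  WSearch: $indexerState  DWH*.tmp files found: $(@($hits).Count)"
$hits | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

A DWH*.tmp that exists only for the few seconds a rescan is running is expected; files that are hours or days old, or a count that keeps growing between runs, are the symptom the thread describes and mean the workaround or update has not taken effect on that host. Run the script before and after applying TECH102953 or RU2 to get a concrete before/after instead of waiting for the next round of alerts.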