W32.Toal.A@mm
http://www.symantec.com/security_response/writeup.jsp?docid=2001-102316-5116-99&tabid=2
When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect
http://www.symantec.com/business/support/index?page=content&id=TECH102953&locale=en_US
Deleting files from User Temp folder
Type the following command in Command Prompt, replacing "<NAMEOFUSER>" with the user name of the Windows account whose Temp folder you want to empty:
Windows 2000/XP/2003:
DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
Windows Vista/7/2008:
DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
Deleting the contents of the temp folder at the root of C:\
Type the following command in Command Prompt:
DEL /F /Q C:\temp
Deleting the contents of the Windows Temp folder
Type the following command in Command Prompt:
DEL /F /Q C:\WINDOWS\Temp
Deleting the contents of the xfer and/or xfer_tmp directories
Type the following commands in Command Prompt:
Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
SEP 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"
Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"
SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"
The Quarantine Folder
Note: Run the following instructions from the Command Prompt. Opening the Quarantine folder in the Windows user interface may cause delays and Windows Explorer hangs because of the large number of files that can reside there.
Delete the Quarantine Folder
Type the following commands in the Command Prompt:
Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Recreate the Quarantine Folder
Type the following commands in the Command Prompt:
Windows 2000/XP/2003:
SEP 11.x
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Windows Vista/7/2008:
SEP 11.x
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Start Symantec Endpoint Protection
1. Click Start, then Run
2. Type: smc -start
3. Click OK
NOTE: Some applications, such as Windows Indexing Service and backup applications, routinely attempt to touch each file. If such an application can exclude *.DWH files, it is strongly advised to implement that exclusion.
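As an added example (not part of the Symantec article): a read-only batch script that counts the files and *.DWH files in each folder the procedure above targets, so you can see where the backlog sits before running any DEL or RD command. It assumes the current user's %TEMP% stands in for the per-user Temp path, and it enumerates the SEP 12.1 <silo> folder instead of naming it.

```batch
@echo off
rem Added example: read-only inventory, deletes nothing.
rem Reports total files and *.DWH files per folder used in the cleanup steps.
setlocal

rem SEP data root: try the Vista/7/2008 path first, then 2000/XP/2003.
set "SEPROOT=C:\ProgramData\Symantec\Symantec Endpoint Protection"
if not exist "%SEPROOT%\" set "SEPROOT=C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection"

rem Temp locations. %TEMP% is the current user's Temp folder (assumption:
rem run this as the affected user, or substitute the per-user path).
call :report "%TEMP%"
call :report "C:\temp"
call :report "%SystemRoot%\Temp"

rem SEP 11.x layout: folders sit directly under the data root.
for %%D in (xfer_tmp xfer Quarantine) do call :report "%SEPROOT%\%%D"

rem SEP 12.1 layout: <silo>\Data\<folder>. Enumerate the subfolders of the
rem data root rather than guessing the silo name.
for /d %%S in ("%SEPROOT%\*") do (
    for %%D in (xfer_tmp xfer Quarantine) do call :report "%%~fS\Data\%%D"
)

endlocal
exit /b 0

:report
rem %~1 = folder to inspect. Folders that do not exist are skipped.
if not exist "%~1\" exit /b 0
set /a total=0, dwh=0
rem dir /a-d /b lists files only (hidden and system included); find /c /v "" counts lines.
for /f %%N in ('dir /a-d /b "%~1" 2^>nul ^| find /c /v ""') do set total=%%N
for /f %%N in ('dir /a-d /b "%~1\*.DWH" 2^>nul ^| find /c /v ""') do set dwh=%%N
echo %~1: %total% files, %dwh% DWH
exit /b 0
```

Run it from an elevated Command Prompt so the SEP data folders are readable; a folder that reports a large DWH count is the one to clean first.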