Endpoint Protection

  • 1.  Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 12:12 AM

    Dear All,

    We have found the below worms on one of the systems. We have gone through the below infection path and could not find any file like (DWHEA2F.tmp), but in the Risk log these appear again and again.

    Can you please tell me how I can fix it?


    W32.Toal.A@mm  C:\Users\abc\AppData\Local\Temp\DWHEA2F.tmp
    W32.Toal.A@mm  C:\Users\abc\abc\AppData\Local\Temp\DWH5FFA.tmp
    W32.Toal.A@mm  C:\Users\abc\AppData\Local\Temp\DWHA039.tmp



  • 2.  RE: Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 12:23 AM

    W32.Toal.A@mm

    http://www.symantec.com/security_response/writeup.jsp?docid=2001-102316-5116-99&tabid=2

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/business/support/index?page=content&id=TECH102953&locale=en_US

    Deleting files from User Temp folder
    Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:

    Windows 2000/XP/2003:
    DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

    Windows Vista/7/2008:
    DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"


    Deleting the contents of the temp folder at the root of C:\

    Type the following command in Command Prompt:
    DEL /F /Q C:\temp

    Deleting the contents of the Windows Temp folder

    Type the following command in Command Prompt:
    DEL /F /Q C:\WINDOWS\Temp

    Deleting the contents of the xfer and/or xfer_temp directories
    Type the following command in Command Prompt:


    Windows 2000/XP/2003:
    SEP 11.x
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

    SEP 12.1
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"

    Windows Vista/7/2008:
    SEP 11.x
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

    SEP 12.1
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"


    The Quarantine Folder
    Note: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

    Delete the Quarantine Folder
    Type the following commands in the Command Prompt:

    Windows 2000/XP/2003:
    SEP 11.x
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

    SEP 12.1
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

    Windows Vista/7/2008:
    SEP 11.x
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

    SEP 12.1
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

    Recreate the Quarantine Folder
    Type the following commands in the Command Prompt:

    Windows 2000/XP/2003:
    SEP 11.x
    MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

    SEP 12.1
    MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

    Windows Vista/7/2008:
    SEP 11.x
    MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

    SEP 12.1
    MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

    Start the Symantec Endpoint Protection

    1. Click Start, then Run
    2. Type: smc -start
    3. Click OK

    NOTE: It is important to recognize that there are applications, such as Windows Indexing Service, that routinely attempt to touch each file.
    Other known applications are Backup applications.  In these cases, if that application can make an exclusion for *.DWH, it is strongly advised to implement that exclusion.



  • 3.  RE: Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 04:32 AM

    Hi Nagesh,

    "Thumbs up" to the above.  These are not current infections, but files already in your quarantine.  It is a SEP product issue, largely overcome by updating to the latest release of SEP.

    Please do delete your quarantined files, upgrade your SEP clients, and ensure that your computers are well defended against any malicious code currently in circulation!  These links will help. 

    DWH***.tmp files are detected in the user profile temp directory.
    Article URL http://www.symantec.com/docs/TECH92399

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0



  • 4.  RE: Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 06:21 AM

    Dear Mick2009,

    But my infection path is not a Quarantined path. I have mentioned the path below.

    C:\Users\abc\AppData\Local\Temp\DWHEA2F.tmp



  • 5.  RE: Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 06:28 AM

    Thanks for the update.  Yes, this product issue is for the Temp directory.  Detections of files with names that begin with DWH in that Temp location are the symptom for this issue.
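    The thread's practical question is which risk-log rows are the DWH quarantine-rescan artifact (and so only need the Temp/Quarantine clean-up and client upgrade from post 2) and which are genuine detections that still need normal handling. The following triage script is an added example written for this thread; it is not Symantec code and not taken from any of the posts or linked articles. It assumes a constructed tab-separated export of the risk log (computer, risk name, file path), which is not the SEPM export format, and it encodes the symptom exactly as post 5 and TECH92399 describe it: a file whose name begins with DWH and ends in .tmp, located in the user-profile Temp folder (the Vista/7/2008 and 2000/XP/2003 layouts quoted in post 2).

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# File names Auto-Protect flags when it rescans the quarantine after a
# definition update (TECH102953): "DWH", hex digits, ".tmp". The thread's
# samples (DWHEA2F, DWH5FFA, DWHA039) all show four hex digits.
DWH_FILE = re.compile(r"^DWH[0-9A-F]+\.tmp$", re.IGNORECASE)

# User-profile Temp layouts named in post 2 (Vista/7/2008 and 2000/XP/2003).
USER_TEMP_SUFFIXES = (
    ("appdata", "local", "temp"),
    ("local settings", "temp"),
)

ARTIFACT = "quarantine-rescan-artifact"
SUSPECT_DWH = "dwh-name-outside-user-temp"
DETECTION = "real-detection"

# Follow-up per category, taken from what the thread recommends.
ADVICE = {
    ARTIFACT: "known SEP issue (TECH102953 / TECH92399): clear Temp and Quarantine, upgrade the SEP client",
    SUSPECT_DWH: "DWH-style name but not in a user Temp folder: review before treating it as the known issue",
    DETECTION: "genuine detection: handle as a real infection",
}


def in_user_temp(path: PureWindowsPath) -> bool:
    """True when the file's directory ends with one of the user Temp layouts."""
    parent = tuple(part.lower() for part in path.parent.parts)
    return any(parent[-len(suffix):] == suffix for suffix in USER_TEMP_SUFFIXES)


def classify(file_path: str) -> str:
    """Map one detected file path to a triage category."""
    path = PureWindowsPath(file_path)
    if not DWH_FILE.match(path.name):
        return DETECTION
    return ARTIFACT if in_user_temp(path) else SUSPECT_DWH


def triage(log_text: str) -> dict:
    """Group risk-log rows (computer<TAB>risk<TAB>path) by triage category."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        computer, risk, file_path = line.split("\t", 2)
        groups[classify(file_path)].append((computer, risk, file_path))
    return dict(groups)


def hosts_needing_cleanup(log_text: str) -> list:
    """Sorted list of computers whose rows are only the DWH artifact."""
    return sorted({computer for computer, _, _ in triage(log_text).get(ARTIFACT, [])})


# Constructed sample export; the rows, hosts and the invoice.exe path are made up
# for illustration and are not from the original thread.
SAMPLE_LOG = (
    "# computer\trisk\tpath\n"
    "WS01\tW32.Toal.A@mm\tC:\\Users\\abc\\AppData\\Local\\Temp\\DWHEA2F.tmp\n"
    "WS01\tW32.Toal.A@mm\tC:\\Users\\abc\\AppData\\Local\\Temp\\DWH5FFA.tmp\n"
    "WS02\tW32.Toal.A@mm\tC:\\Documents and Settings\\abc\\Local Settings\\Temp\\DWHA039.tmp\n"
    "WS03\tW32.Toal.A@mm\tC:\\Users\\abc\\Downloads\\invoice.exe\n"
    "WS04\tW32.Toal.A@mm\tD:\\share\\DWH1234.tmp\n"
)

if __name__ == "__main__":
    for category, rows in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(rows)} row(s) -> {ADVICE[category]}")
        for computer, risk, file_path in rows:
            print(f"  {computer}\t{risk}\t{file_path}")
    print("hosts needing Temp/Quarantine cleanup:", hosts_needing_cleanup(SAMPLE_LOG))
```

    The point of the third category is the caveat: a DWH-named file outside the user's Temp folder does not match the documented symptom, so it should be looked at rather than written off as the known issue. Rows in the first category are the ones to which the Temp, xfer and Quarantine clean-up from post 2 applies.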



  • 6.  RE: Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 06:40 AM

    Thanks Mick2009,

    My client version is 11.0.6200.754 and my SEPM server version is SEP RU7.

    So please let us know how I can fix this issue?



  • 7.  RE: Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 06:45 AM

    Hi Nagesh,

    I recommend upgrading both SEPM and SEP clients to SEP 11 RU7 MP2.  Treat these DWH "detections" as a "known issue" until your upgrade is complete. 

    Many thanks once again!



  • 8.  RE: Infection of W32.Toal.A@mm

    Posted Oct 15, 2012 09:48 AM

    Hello,

    I agree with the above comments.

    Check this Article:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953

    Hope that helps!!


  • 9.  RE: Infection of W32.Toal.A@mm

    Posted Oct 16, 2012 12:21 PM

    Latest Symantec Endpoint Protection Releases - SEP 12.1 RU1 MP1 and SEP 11.0. RU7 MP2

    https://www-secure.symantec.com/connect/articles/latest-symantec-endpoint-protection-releases-sep-121-ru1-mp1-and-sep-110-ru7-mp2

    This link helps to find the latest fix available in SEP 11.0 RU7 MP2.