Infection of W32.Toal.A@mm
Created: 14 Oct 2012 | 8 comments
Dear All,
We have found the below worms on one of the systems. We have gone through the below infection path and could not find any file like (DWHEA2F.tmp), but in the Risk log these appear again and again.
Can you please tell me how I can fix it?
W32.Toal.A@mm C:\Users\abc\AppData\Local\Temp\DWHEA2F.tmp
W32.Toal.A@mm C:\Users\abc\abc\AppData\Local\Temp\DWH5FFA.tmp
W32.Toal.A@mm C:\Users\abc\AppData\Local\Temp\DWHA039.tmp
W32.Toal.A@mm
http://www.symantec.com/security_response/writeup.jsp?docid=2001-102316-5116-99&tabid=2
When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect
http://www.symantec.com/business/support/index?page=content&id=TECH102953&locale=en_US
Deleting files from User Temp folder
Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:
Windows 2000/XP/2003:
DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
Windows Vista/7/2008:
DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
Deleting the contents of the temp folder at the root of C:\
Type the following command in Command Prompt:
DEL /F /Q C:\temp
Deleting the contents of the Windows Temp folder
Type the following command in Command Prompt:
DEL /F /Q C:\WINDOWS\Temp
Deleting the contents of the xfer and/or xfer_temp directories
Type the following command in Command Prompt:
Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
SEP 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"
Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"
SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"
The Quarantine Folder
Note: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.
Delete the Quarantine Folder
Type the following commands in the Command Prompt:
Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Recreate the Quarantine Folder
Type the following commands in the Command Prompt:
Windows 2000/XP/2003:
SEP 11.x
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Windows Vista/7/2008:
SEP 11.x
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
SEP 12.1
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
Start the Symantec Endpoint Protection
1. Click Start, then Run
2. Type: smc -start
3. Click OK
NOTE: It is important to recognize that there are applications, such as Windows Indexing Service, that routinely attempt to touch each file.
Other known applications are Backup applications. In these cases, if that application can make an exclusion for *.DWH, it is strongly advised to implement that exclusion.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
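Added example (my own script, not from the thread or from Symantec's KB): a PowerShell version of the TECH102953 clean-up quoted above. It assumes the Windows Vista/7/2008 folder layout, that smc.exe sits under Program Files, that the SEP 12.1 <silo> folder can be found by globbing, and that the full KB procedure stops the client with smc -stop before the smc -start step shown above. Without -Clean it only lists the DWH*.tmp files in every user's Temp folder, which is the check to do before treating the alerts as this known issue.

```powershell
# Added example (not from the thread or from Symantec): triage and clean-up of the
# DWH*.tmp quarantine-rescan leftovers described in TECH102953, using the Vista/7/2008
# paths quoted above. Without -Clean it only reports; -WhatIf previews every deletion.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateSet('11.x', '12.1')][string]$SepVersion = '11.x',
    [switch]$Clean
)

# Assumed install path of the client; on 64-bit hosts SEP 11 lives under Program Files (x86)
$smc = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection\smc.exe'

# Temp folder of every local user profile (the OP's path: C:\Users\<user>\AppData\Local\Temp)
$userTemps = @(Get-ChildItem 'C:\Users' -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path $_ })

# SEP data folder(s): 12.1 keeps xfer, xfer_tmp and Quarantine under <silo>\Data (assumed: found by globbing)
$sepRoot = 'C:\ProgramData\Symantec\Symantec Endpoint Protection'
$sepData = if ($SepVersion -eq '12.1') {
    @(Get-ChildItem $sepRoot -Directory | ForEach-Object { Join-Path $_.FullName 'Data' } | Where-Object { Test-Path $_ })
} else { @($sepRoot) }

# Step 0 (check): DWH*.tmp in user Temp is the symptom of the known issue, not evidence of a live infection
$dwh = @(if ($userTemps) { Get-ChildItem -Path $userTemps -Filter 'DWH*.tmp' -File -ErrorAction SilentlyContinue })
$dwh | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
Write-Host "Found $($dwh.Count) DWH*.tmp file(s) in $($userTemps.Count) user Temp folder(s)"
if (-not $Clean) { return }

# Step 1: stop the client before touching its folders (smc -stop precedes the smc -start shown above)
if ($PSCmdlet.ShouldProcess('SEP client', 'smc -stop')) { & $smc -stop; Start-Sleep -Seconds 10 }

# Step 2: empty the user, C:\temp and Windows Temp folders (equivalent of the DEL /F /Q commands)
foreach ($t in $userTemps + @('C:\temp', "$env:windir\Temp")) {
    Get-ChildItem $t -File -ErrorAction SilentlyContinue | Remove-Item -Force -ErrorAction SilentlyContinue
}

# Step 3: empty xfer_tmp and xfer, then delete and recreate Quarantine (RD /S /Q followed by MD)
foreach ($d in $sepData) {
    foreach ($sub in 'xfer_tmp', 'xfer') {
        Get-ChildItem (Join-Path $d $sub) -File -ErrorAction SilentlyContinue | Remove-Item -Force
    }
    $q = Join-Path $d 'Quarantine'
    if (Test-Path $q) { Remove-Item $q -Recurse -Force }
    New-Item $q -ItemType Directory | Out-Null
}

# Step 4: start the client again
if ($PSCmdlet.ShouldProcess('SEP client', 'smc -start')) { & $smc -start }
```

Run it from an elevated prompt; a first pass with -Clean -WhatIf shows which folders would be emptied before anything is removed.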
Hi Nagesh,
"Thumbs up" to the above. These are not current infections, but files already in your quarantine. It is a SEP product issue, largely overcome by updating to the latest release of SEP.
Please do delete your quarantined files, upgrade your SEP clients, and ensure that your computers are well defended against any malicious code currently in circulation! These links will help.
With thanks and best regards,
Mick
Dear Mick2009,
But my infection path is not a Quarantined path. I have mentioned the path below.
C:\Users\abc\AppData\Local\Temp\DWHEA2F.tmp
Thanks & Regards,
Nagesh Singh
Thanks for the update. Yes, this product issue is for the Temp directory. Detections of files with names that begin with DWH in that Temp location are the symptom for this issue.
With thanks and best regards,
Mick
Thanks Mick2009,
My client version is 11.0.6200.754 and my SEPM server version is SEP RU7.
So Please let us know how I can fix this issue?
Thanks & Regards,
Nagesh Singh
Hi Nagesh,
I recommend upgrading both SEPM and SEP clients to SEP 11 RU7 MP2. Treat these DWH "detections" as a "known issue" until your upgrade is complete.
Many thanks once again!
With thanks and best regards,
Mick
Hello,
I agree with the above comments.
Check this Article:
When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect
http://www.symantec.com/docs/TECH102953
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Latest Symantec Endpoint Protection Releases - SEP 12.1 RU1 MP1 and SEP 11.0 RU7 MP2
https://www-secure.symantec.com/connect/articles/l...
This link helps to find the latest fix available in SEP 11.0 RU7 MP2.
Regards
Sumit G.