
Quarantine directory filling up with false positives of temporary files detected as trojan?

Created: 15 Jun 2010 | 18 comments

Hi All,

I'm having a problem with SEP 11.0.6 (SEP 11 MR6), which is filling up my C:\ProgramData\Application Data\Symantec\Symantec Endpoint Protection\Quarantine directory; it is now up to 700 MB and still growing.

Here's the warning message that keeps popping up:

Scan type: Auto-Protect Scan

Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\Users\Admin\AppData\Local\Temp\DWH6188.tmp
Location: C:\Users\Admin\AppData\Local\Temp
Computer: 7X86
User: Itree
Action taken: Pending Side Effects Analysis : Access denied
Date found: Tuesday, 15 June 2010  9:19:36 PM

I wonder how to get rid of this problem and avoid it in the future?


Moin_Sobhan

Hi there,

With the latest version you should not get this, to be honest. Find the useful articles below:
DWH***.tmp files are detected in the user profile temp directory.
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021612410648

DWHxxx.tmp file is created and detected by Auto-Protect
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548

Some suggestions:
- Uninstall SEP and reboot
- Uninstall LiveUpdate
- Remove the Symantec folders, including C:\Program Files\Symantec and C:\Program Files\Common Files\Symantec Shared
- Remove C:\Program Data or Program Files\Symantec.
- Install a clean copy of SEP RU6a and reboot.

Should be fine.

Hope that helps.

Moin

Symanticus

Thanks for the reply man, but how to delete those quarantined files company-wide?
Some of the computers in my company have a problem of low disk space, and this is using SEP 11.0 MR6, not MR6a.

/* Infrastructure Support Engineer */

AravindKM

You can manage the disk space used by the quarantine folder by using the AV/AS policy. In the Quarantine tab of this policy there is an option for limiting the disk space usage. Try it.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

AravindKM

If you are facing the same problem on many systems, it may be because of the presence of a network threat. You can use Risk Tracer to identify the problematic system in your network. Refer to this article and KB:
Best practices for troubleshooting viruses on a network

Worms and threats that spread across networks by network shares have become more common in recent years, like Downadup/Conficker.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

Symanticus

OK, does the new 11.06a or SEP 11 MR6a help to fix this problem?

/* Infrastructure Support Engineer */

BrooksGarrett

It was supposed to be fixed in RU5, but wasn't. We see this exact same issue and wound up just implementing a centralized exception on *.tmp in the Quarantine directory. This breaks the loop.

iamadmin

Hi Brooks,

Can you please provide an example of how to exclude .tmp files in just the Quarantine directory?

I have XP and Windows 7 machines, 32 and 64 bit and am not sure on how to create the rule.

I know how to create an exception for a folder, but not how to specify an extension in that folder.

Thanks,

-Mike

P.S. Do standard Windows environment variables work in the folder path, i.e. %AllUsersProfile%?

BrooksGarrett

SEP only supports a subset of environment variables, as indicated in the exception form.

For Desktops, we exempt [COMMON_APPDATA]\Symantec\Symantec Endpoint Protection\xfer and this has reduced our false positive Outbreak Alerts to near zero.

I misspoke on excluding extensions, you can only do that at the highest level.

Rafeeq

Clear all the temp directory files.
The quarantine folder will not grant any access, so add your account to that folder.
Delete whatever is in there, observe for a day, and check if it appears again.

Moin_Sobhan

1) Open Symantec Endpoint Protection Manager
2) Go to Policies
3) Select Antivirus and Antispyware Policy
4) Select Quarantine
5) Click on the Cleanup tab
6) Under Quarantined Files, check "Delete oldest files to limit folder size at (X) MB" (instead of X, enter the size of the Quarantine folder you would like to use)

Raunak_Vaghela

While deleting the files from the quarantine folder, also make sure that the option which enables a scan after downloading definitions is unchecked.

Please Mark on the solution that worked for you.

DTaylor@checkintocash.com

We are having this same issue on version 11.0.605.562.
We just purchased Endpoint 2 weeks ago. I've installed it now on nearly 600 computers. This is a clean install on all the PCs, not an upgrade.
Virtually every computer has these same pop-ups, some drastically worse than others.
My computer this morning had over 6,000 new items found last night. I'm running Windows 7 x86. They were all found in: C:\users\dtaylor\AppData\Local\Temp\DWH***.tmp
Sometimes there is a Temporary Browser cache file associated with it.  Most of the time there is not.

This is happening on Windows 2000, XP, Server 2003, and Windows 7 computers.
The "virus" is being reported back as Trojan.Gen.

I have checked the folders recommended in the several threads discussing this issue, and they are all empty. I have done this on nearly a dozen of the affected computers. Uninstalling a product on 600 computers and re-installing it is not really an option, especially when it is a brand new product we just installed cleanly over the last 14 days.
Please advise.

Symanticus

According to the following articles:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021612410648

they said that this problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

But somehow I'm now using 11.0.6000.550.

/* Infrastructure Support Engineer */

Symanticus

Thanks Taylor for sharing your experience here.

I thought that I was the only one here.

/* Infrastructure Support Engineer */

.Brian

One thing that I did was navigate to the quarantine folder, add myself to it and give myself full rights. Then I was able to open and delete all files in there. I removed my rights once finished.

I also set the quarantine to delete after 1 day. It's not in our policy to quarantine, although some things still do??

It's not pretty, but it works for me.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

DTaylor@checkintocash.com

After fighting with this for about a week now, I decided to take a bit more of a drastic approach.
I wrote a bat file to delete all files that start with DWH and have an extension of .tmp on the C drive.
I did this to my computer yesterday. There were tens of thousands of files, all located in different temporary directories, and all somehow related to Symantec.

This morning when I came in, my computer had no pop-ups. However, when I ran the bat file again, there were another 20 files or so created in the C:\Users\dtaylor\Appdata\Local\Temp folder.

I have now changed my policies so that all viruses are deleted on contact first, then quarantined if delete fails.
I also changed my quarantine policies so that no files are kept more than 2 days.

I'll check again in the morning to see if more tmp files are created. If so, and these files are going to continue to trigger more pop-ups, we really need to get a resolution to this, because running a bat file that deletes all DWH***.tmp files on the C drive as a logon script, which takes 5-30 minutes to run every morning, isn't a reasonable way of doing it.
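The cleanup DTaylor describes (a bat file that deletes every DWH*.tmp on the C drive) and the quarantine-size worry in the original post can be done more selectively. The script below is an added example written for this thread, not code from the thread, from Symantec or from any SEP knowledge base article. It walks each local user profile's Local\Temp folder for DWH*.tmp files older than a given age, reports count and size per folder, reports the current size of the quarantine folder so it can be compared with the limit set in the SEPM Cleanup tab, and removes the temp files only when -Remove is given (and honours -WhatIf). It assumes the Windows 7 profile layout C:\Users\<user>\AppData\Local\Temp and the common-appdata quarantine path C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine; the quarantine folder itself is only measured, never written to, so retention there stays with the SEPM policy. Written to run on PowerShell 2.0 from an elevated prompt.

```powershell
<#
  Added example, not from the original thread.
  Reports and optionally removes stale DWH*.tmp files from every user
  profile's Local\Temp folder, and reports the SEP quarantine folder size.
  Usage:  .\Clean-DwhTemp.ps1                 # report only
          .\Clean-DwhTemp.ps1 -Remove -WhatIf # show what would be deleted
          .\Clean-DwhTemp.ps1 -Remove         # delete files older than -OlderThanDays
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Only DWH*.tmp files last written more than this many days ago are candidates
    [int]$OlderThanDays = 1,
    # Without -Remove the script is report-only
    [switch]$Remove
)

# Assumed paths (Windows 7 layout; adjust for XP's Documents and Settings tree)
$profileRoot = 'C:\Users'
$quarantine  = 'C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine'

$cutoff = (Get-Date).AddDays(-$OlderThanDays)

# One Local\Temp path per local profile that actually has one
$tempDirs = Get-ChildItem -Path $profileRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
    Where-Object { Test-Path -LiteralPath $_ }

# Collect stale DWH*.tmp files; -Force also picks up hidden/system-flagged files
$candidates = @()
foreach ($dir in $tempDirs) {
    $candidates += Get-ChildItem -Path $dir -Filter 'DWH*.tmp' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff }
}

# Per-folder summary so the noisiest profiles stand out
$summary = $candidates | Group-Object DirectoryName | ForEach-Object {
    $bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
    New-Object PSObject -Property @{
        Folder = $_.Name
        Files  = $_.Count
        SizeMB = [math]::Round($bytes / 1MB, 2)
    }
}
if ($summary) {
    $summary | Format-Table Folder, Files, SizeMB -AutoSize
} else {
    "No DWH*.tmp files older than $OlderThanDays day(s) found."
}

# Quarantine folder size, read-only, for comparison with the SEPM Cleanup limit
if (Test-Path -LiteralPath $quarantine) {
    $qBytes = (Get-ChildItem -Path $quarantine -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum).Sum
    "Quarantine folder size: {0:N1} MB" -f ($qBytes / 1MB)
} else {
    "Quarantine folder not found at $quarantine (path is an assumption; check the SEP install)."
}

# Deletion is opt-in and goes through ShouldProcess so -WhatIf and -Confirm work
if ($Remove) {
    $removed = 0
    foreach ($f in $candidates) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove stale DWH temp file')) {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue
            if (-not (Test-Path -LiteralPath $f.FullName)) { $removed++ }
        }
    }
    "Removed $removed file(s)."
}
```

Running it report-only first shows which profiles are accumulating the files and how much of the disk they take, which is the evidence to attach to a support case; the age threshold keeps the script from deleting a .tmp that Auto-Protect is still working on, which is the loop the thread is trying to break. If the quarantine folder itself is the disk consumer, the number it prints is the one to set against the "Delete oldest files to limit folder size" value in the SEPM Cleanup tab rather than clearing that folder by hand.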