Endpoint Protection


Quarantine directory filling up with false positives of temporary files detected as trojan ?


  • 1.  Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 15, 2010 09:34 PM
    Hi All,

    I'm having a problem with SEP 11.0.6 (SEP 11 MR6), which is filling up my C:\ProgramData\Application Data\Symantec\Symantec Endpoint Protection\Quarantine directory; it is now up to 700 MB and still growing.

    Here's the warning message that keeps popping up:


    Scan type: Auto-Protect Scan
    Event: Risk Found!
    Security risk detected: Trojan Horse
    File: C:\Users\Admin\AppData\Local\Temp\DWH6188.tmp
    Location: C:\Users\Admin\AppData\Local\Temp
    Computer: 7X86
    User: Itree
    Action taken: Pending Side Effects Analysis : Access denied
    Date found: Tuesday, 15 June 2010  9:19:36 PM

    I wonder how to delete this problem and avoid it in the future?
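    A small triage script for notification text in the format quoted above, added here as an example (it is not part of the original thread and not Symantec code): it parses each "Risk Found!" record, separates detections that match the DWH*.tmp-in-Temp pattern from everything else, and counts both per computer, so the known false-positive storm can be sized without losing sight of detections that still deserve a look. The sample events are constructed, and the computer name WS-02 and the non-DWH file name are assumptions.

```python
import re
from collections import Counter, defaultdict
# DWHxxxx.tmp inside a Temp directory: the self-detection pattern this thread is about.
DWH_TEMP_RE = re.compile(r"\\Temp\\DWH[0-9A-Za-z]+\.tmp$", re.IGNORECASE)
# Constructed sample in the notification format quoted above (not real logs).
SAMPLE_EVENTS = r"""
Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\Users\Admin\AppData\Local\Temp\DWH6188.tmp
Computer: 7X86
Action taken: Pending Side Effects Analysis : Access denied

Event: Risk Found!
Security risk detected: Trojan.Gen
File: C:\Users\Admin\Downloads\unknown_tool.exe
Computer: 7X86
Action taken: Quarantined

Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\Users\Bob\AppData\Local\Temp\DWH1A2B.tmp
Computer: WS-02
Action taken: Quarantined
"""

def parse_events(text):
    """Split notification text into one dict per 'Risk Found!' record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")  # first ': ' only; values may contain ':'
            if sep:
                record[key.strip()] = value.strip()
        if record.get("Event") == "Risk Found!":
            events.append(record)
    return events

def is_dwh_temp_detection(event):
    """True when the detected file matches the DWH*.tmp-in-Temp pattern."""
    return bool(DWH_TEMP_RE.search(event.get("File", "")))

def summarize(text):
    """Per-computer counts: probable DWH false positives vs. everything else (which still needs a human look)."""
    summary = defaultdict(Counter)
    for ev in parse_events(text):
        bucket = "dwh_temp" if is_dwh_temp_detection(ev) else "other"
        summary[ev.get("Computer", "?")][bucket] += 1
    return {host: dict(counts) for host, counts in summary.items()}
```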


  • 2.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 15, 2010 09:42 PM

    Hi there,

    With the latest version you should not get this, to be honest. Find the useful articles below:
    DWH***.tmp files are detected in the user profile temp directory.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021612410648
     
    DWHxxx.tmp file is created and detected by Auto-Protect
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548


    Some suggestions:
    -Uninstall SEP and reboot
    -Uninstall LiveUpdate
    -Remove the Symantec folders, including C:\Program Files\Symantec and C:\Program Files\Common Files\Symantec Shared
    -Remove C:\Program Data or Program Files\Symantec.
    -Install a clean copy of SEP RU6a and reboot.

    Should be fine.

    Hope that helps.

    Moin


  • 3.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 15, 2010 10:49 PM
    Thanks for the reply man, but how do I delete those quarantined files company-wide?
    Some of the computers in my company have a problem of low disk space, and this is using SEP 11.0 MR6, not MR6a.


  • 4.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 16, 2010 01:15 AM
    You can manage the disk space used by the quarantine folder by using the AV/AS policy. In the Quarantine tab of this policy there is an option for limiting the disk space usage. Try it.


  • 5.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 16, 2010 01:25 AM
    If you are facing the same problem on many systems, it may be because of the presence of a network threat. You can use Risk Tracer to identify the problematic system in your network. Refer to this article and KB:
    Best practices for troubleshooting viruses on a network

    Worms and threats that spread across networks by network shares have become more common in recent years, like Downadup/Conficker.



  • 6.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 16, 2010 02:06 PM
    OK, does the new 11.06a or SEP 11 MR6a help to fix this problem?


  • 7.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 16, 2010 02:11 PM

    Clear all the temp directory files.
    The quarantine folder will not give you any access, so add your account to that folder and delete whatever is in there.
    Observe for a day and check if it appears again.



  • 8.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 16, 2010 04:34 PM
    It was supposed to be fixed in RU5, but wasn't. We see this exact same issue and wound up just implementing a centralized exception on *.tmp in the Quarantine directory. This breaks the loop.


  • 9.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 16, 2010 09:25 PM
    1) Open Symantec Endpoint Protection Manager
    2) Goto Policies
    3) Select Antivirus and Antispyware Policy
    4) Select Quarantine
    5) Click on the Cleanup Tab
    6) Under Quarantined Files, check "Delete oldest file to limit folder Size at ( X ) MB" (instead of X, enter the size of the Quarantine folder you would like to use)


  • 10.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 16, 2010 10:01 PM

    While deleting the files from the quarantine folder, also make sure that the option which enables a scan after downloading definitions is unchecked.




  • 11.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 17, 2010 07:38 AM

    We are having this same issue on version: 11.0.605.562
    We just purchased Endpoint 2 weeks ago.  I've installed it now on nearly 600 computers.  This is a clean install on all the PC's, not an upgrade.
    Virtually every computer has these same pop-ups. Some are drastically worse than others.
    My computer this morning had over 6,000 new items found last night.  I'm running Windows 7 x86.  They were all found in: C:\users\dtaylor\AppData\Local\Temp\DWH***.tmp
    Sometimes there is a Temporary Browser cache file associated with it.  Most of the time there is not.

    This is happening on Windows 2000, XP, Server 2003, and Windows 7 computers.
    The "virus" is being reported back as Trojan.Gen.



    I have checked the folders recommended in the several threads discussing this issue, and they are all empty. I have done this on nearly a dozen of the affected computers. Uninstalling a product on 600 computers and re-installing it is not really an option, especially as it is a brand new product we just installed cleanly over the last 14 days.
    Please advise.


  • 12.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 17, 2010 10:16 AM
    Thanks Taylor for sharing your experience here,

    I thought that I was the only one here.


  • 13.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 17, 2010 10:19 AM

    According to the following articles:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021612410648

    They said that this problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

    But somehow I'm now using 11.0.6000.550.


  • 14.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 17, 2010 11:33 AM

    Hi Brooks,

    Can you please provide an example of how to exclude .tmp files in just the Quarantine directory?

    I have XP and Windows 7 machines, 32 and 64 bit and am not sure on how to create the rule.

    I know how to create an exception for a folder, but not how to specify an extension in that folder.

    Thanks,

    -Mike

    P.S. Do standard Windows environment variables work in the folder path? i.e. %AllUsersProfile%


  • 15.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 17, 2010 12:01 PM
    SEP only supports a subset of environment variables, as indicated in the exception form.

    For Desktops, we exempt [COMMON_APPDATA]\Symantec\Symantec Endpoint Protection\xfer and this has reduced our false positive Outbreak Alerts to near zero.

    I misspoke on excluding extensions, you can only do that at the highest level.


  • 16.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 17, 2010 12:48 PM
    Very helpful!


  • 17.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 17, 2010 01:00 PM

    One thing that I did was navigate to the quarantine folder, add myself to it and give myself full rights. Then I was able to open and delete all files in there. I removed my rights once finished.

    I also set the quarantine to delete after 1 day. It's not in our policy to quarantine, although some things still do ??

    It's not pretty, but it works for me.


  • 18.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Jun 18, 2010 07:54 AM
    After fighting with this for about a week now, I decided to take a bit more of a drastic approach.
    I wrote a bat file to delete all files that start with DWH with an extension of .tmp on the C drive.
    I did this to my computer yesterday. There were tens of thousands of files, all located in different temporary directories, and all somehow related to Symantec.

    This morning when I came in, my computer had no pop-ups.  However, when I ran the bat file again, there were another 20 files or so created in the C:\Users\dtaylor\Appdata\Local\Temp folder.

    I have now changed my policies so that all viruses are deleted on contact first, then quarantined if delete fails.
    I also changed my quarantine policies so that no files are kept more than 2 days.

    I'll check again in the morning to see if more tmp files are created. If so, and these files are going to continue to trigger more pop-ups, we really need to get a resolution to this, because running a bat file that deletes all DWH***.tmp files on the C drive as a logon script, which takes 5-30 minutes to run every morning, isn't a reasonable way of doing it.




  • 19.  RE: Quarantine directory filling up with false positives of temporary files detected as trojan ?

    Posted Nov 23, 2010 07:39 AM

    This problem should've been resolved in SEP 11 MR6 MP1