Endpoint Protection

  • 1.  Risk associated with not rescanning quarantine folder after update

    Posted Mar 29, 2011 10:04 AM

    Hello all


    Getting real sick of sorting through DWH*.tmp reports to find actual risks as are my local support people. I am considering trying this solution:

    If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:

    Disable re-scanning of quarantine files.

    From the SEP-Manager:
    - Edit the Antivirus and Antispyware policy of affected clients.
    - In the policy editor click "Quarantine" on the left-hand menu.
    - On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"


    Why does it rescan the quarantine folder anyway?

    Is there a risk if I set this to 'Do nothing'?



  • 2.  RE: Risk associated with not rescanning quarantine folder after update

    Trusted Advisor
    Posted Mar 29, 2011 10:22 AM

    SEP rescans the quarantine folder after it updates the definitions so it can check if there has been a fix put in that download for any existing quarantined viruses.

    What current SEP version are you on, as the DWH*.tmp issue was mostly rectified with the release of RU6 MP2. Since upgrading we haven't seen any of our users with this issue.



  • 3.  RE: Risk associated with not rescanning quarantine folder after update

    Posted Mar 29, 2011 10:34 AM

    So Symantec keeps telling me. I'm using RU6 MP2 and still getting these excessively; there is a fix apparently, but I am reluctant to delete stuff off of clients.



  • 4.  RE: Risk associated with not rescanning quarantine folder after update

    Posted Mar 29, 2011 10:54 AM

    I use this option as well, and set my quarantine to delete after 1 day.

    But I also have the mindset of it was infected so it cannot be fixed, period.

    This may not work for some companies though.



  • 5.  RE: Risk associated with not rescanning quarantine folder after update

    Trusted Advisor
    Posted Mar 29, 2011 12:56 PM

    Hello,

    Cause

    When the virus definitions are updated in SEP, there is an option to "Rescan the Quarantine". This enables the SEP client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated AV signatures. When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the SEP client must extract the original file(s) from this quarantine packaging before it can be re-scanned.

    During this file extraction process, a temporary file - named DWH####.tmp - is created in the working directory of the SEP client. This is typically within the "%App Data%\Symantec\" folder, but in certain older builds of SEP it may also use the Windows %TEMP% folders. Normally, this temporary file will not be scanned by the SEP Auto Protect function because SEP is already handling the file, i.e. SEP knows that it owns the file. However, if a third-party process accesses that file while it is being created, the SEP Auto Protect function will intercept this file access and will declare the file as untrusted because another process, possibly malicious, had accessed the file.

    This will cause the file to be seen as a "new" file and untrusted. Accordingly, the file will be scanned.  This results in an already quarantined and infected file getting re-scanned.  Accordingly, it will be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.

    Finally, as each definition set is received by the SEP client and the local quarantine is re-scanned, the above detailed process repeats and the contents of the local quarantine are doubled.

    Solution

    The issue of multiple DWH files being created and retained has been resolved in Symantec Endpoint Protection Release Update 6, Maintenance Patch 1 (RU6 MP1, 11.0.6100.645).  Apply this patch over Symantec Endpoint Protection Release Update 6 (RU6, 11.0.6000.548) or Release Update 6a (11.0.6005.562).

    If unable to migrate at this time, here are workarounds that should resolve the issue. These are listed in order of preference.

    A) Single Systems:

    1. Disable rescanning of the local quarantine upon receipt of new virus definitions: edit the following policy components -
      Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
    2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor SAVE/SEP files.
    3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
    4. Restart in safe mode, deleting *.DWH files in the temporary folder, cleaning the quarantine folder.

    B) For a network with multiple affected systems

    1. Open Symantec Endpoint Protection Manager (SEPM)
    2. Select Policies
    3. Select Antivirus and Antispyware Policy
    4. Select Quarantine
    5. Click on the Cleanup Tab
    6. Under Quarantined Files, check "Delete oldest file to limit folder size at ( X ) MB" (in place of X, enter the quarantine folder size normally selected).
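Post 1 asks about sorting through DWH*.tmp reports to find the actual risks, and post 5 explains what those entries are: the DWH####.tmp file SEP unpacks in its "%App Data%\Symantec\" working directory (or, on older builds, the Windows %TEMP% folder) while rescanning the quarantine. The following is an added example, not code from any poster or from Symantec, that triages a risk report along exactly that line: detections whose path is a DWH####.tmp file inside one of those working directories are set aside as rescan artifacts, and everything else is kept for review. The CSV column names, the sample rows, and the assumption that #### is four hex digits are mine, not SEP's export format.

```python
import csv
import io
import ntpath
import re

# Filename shape described in the thread: DWH####.tmp (assumption: #### are hex digits).
_DWH_NAME = re.compile(r"^DWH[0-9A-F]{4}\.tmp$", re.IGNORECASE)

# Working directories named in the thread: the client's %AppData%\Symantec\ folder
# and, on older SEP builds, the Windows %TEMP% folders.
_DWH_DIR_HINTS = ("\\symantec\\", "\\temp\\")

# Constructed sample export. Column names are an assumption for this example,
# not SEP's real report schema.
SAMPLE_REPORT = r"""computer,risk_name,file_path,action
WS-001,Trojan.Gen,C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\DWHA1B2.tmp,Quarantined
WS-002,Trojan.Gen,C:\Windows\Temp\DWH3F4E.tmp,Quarantined
WS-001,Trojan.Gen,C:\Documents and Settings\bob\Local Settings\Temp\DWH00FF.tmp,Quarantined
WS-003,EXAMPLE.Risk,C:\Users\alice\Downloads\invoice.exe,Quarantined
WS-004,EXAMPLE.Risk,C:\Users\alice\Downloads\DWH1234.tmp,Quarantined
"""


def is_quarantine_rescan_artifact(path: str) -> bool:
    """True when a detection path looks like the temp file SEP creates while
    unpacking quarantined items for a rescan: DWH####.tmp located inside a
    Symantec working directory or a Temp folder. A DWH-named file anywhere
    else does not match and stays in the review bucket."""
    directory, name = ntpath.split(path)
    if not _DWH_NAME.match(name):
        return False
    lowered = (directory + "\\").lower()
    return any(hint in lowered for hint in _DWH_DIR_HINTS)


def triage(report_csv: str) -> dict:
    """Split a CSV risk export into rescan artifacts and detections to review."""
    result = {"artifact": [], "review": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        bucket = "artifact" if is_quarantine_rescan_artifact(row["file_path"]) else "review"
        result[bucket].append(row)
    return result


def affected_computers(report_csv: str) -> list:
    """Artifact counts per computer, highest first. Machines near the top are
    candidates for the policy change in post 5 (Quarantine > 'Do nothing', or
    the cleanup size limit) rather than for incident handling."""
    counts = {}
    for row in triage(report_csv)["artifact"]:
        counts[row["computer"]] = counts.get(row["computer"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    print(f"rescan artifacts: {len(buckets['artifact'])}, to review: {len(buckets['review'])}")
    for row in buckets["review"]:
        print("REVIEW", row["computer"], row["risk_name"], row["file_path"])
    for computer, n in affected_computers(SAMPLE_REPORT):
        print("ARTIFACTS", computer, n)
```

The last sample row is deliberate: a DWH1234.tmp in a user's Downloads folder is not where SEP unpacks its quarantine, so the filter does not discard it. Matching on both the name and the working directory is what keeps the triage from hiding a genuinely suspicious file that merely shares the DWH prefix.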




  • 6.  RE: Risk associated with not rescanning quarantine folder after update

    Posted Apr 04, 2011 10:25 AM

    Over and over again I am reading that this issue was fixed, how come I keep seeing this issue when both the clients and the server are 11.0.6200? The biggest offender is a group which is fully patched but still I get hundreds of reports with only a small handful of legitimate risks.



  • 7.  RE: Risk associated with not rescanning quarantine folder after update

    Trusted Advisor
    Posted Apr 04, 2011 01:11 PM

    Hello,

    I completely understand.

    It seems there is an issue. We are observing this Thread:

    https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

    Personally, I would recommend you open a web case.

    QuickStart Guide - Create and Manage Support Cases in SymWISE

    http://www.symantec.com/docs/HOWTO31132

    How to update a support case and upload diagnostic files with MySupport

    http://www.symantec.com/docs/TECH71023


    Once a case has been logged, provide us the case #.