
SEP 12.1 and the DWH###.TMP files

Updated: 22 Aug 2011 | 5 comments
tpoulter

Hi,

 

I was wondering if anyone has come across this issue where endpoint 12.1 is scanning and quarantining the temp files with the names that start with DWH.

I did some looking around but everything that I have seen is related to SEP 11 RU6 and was said to be fixed in the RU6 MR2 update.

I had to go in on one machine and manually remove all these temp files. But seeing as it's starting to show up on other clients as well, is there a fix for it? Or is one coming?

Comments

Mithun Sanghavi, 22 Aug 2011

Have not come across

Hello,

This issue seems to be resolved, as I haven't come across any such cases with Symantec Endpoint Protection 12.1 detecting DWH###.TMP files.

Were these SEP 12.1 clients upgraded from SEP 11?

http://www.symantec.com/docs/HOWTO55365

The above article covers how to clear disk space before upgrading SEP 11 to SEP 12.1.

The actual cause was with SEP 11, where the files were created by the Symantec Endpoint Protection or Symantec AntiVirus Quarantine scan. This scan is normally initiated by a virus definition update.

The quarantine scan on virus definition update can be disabled: edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".

Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3

Follow me on Twitter: @mithun_sanghavi

Don't forget to mark your thread as 'SOLVED' with the answer that best helped yo

tpoulter, 22 Aug 2011

Yes, the machines were upgraded from SEP 11.

I know we are rolling this out to some other clients as well, so I will double check to be sure that most of those users have nothing in the quarantine.

tpoulter, 29 Aug 2011

They're back

Well, these dwh files are back again, and on a machine that we have cleaned them off of.

Any reason why they are back? Or why they showed up in the first place?

| Computer | User | IP Address | Risk | Risk Type | Risk Count | Date Time | Group | Action | Source | File / Entry |
|---|---|---|---|---|---|---|---|---|---|---|
| MOCOWS07 | SYSTEM | 192.168.1.104 | Bloodhound.MalPE | Malware | 1 | 08/29/2011 08:55:54 | My Company\MOCO Computers | Quarantined | Scheduled scan | c:\documents and settings\jcormier\local settings\temp\dwh101e.tmp |
| MOCOWS07 | SYSTEM | 192.168.1.104 | Trojan.Gen | Malware | 1 | 08/29/2011 08:55:52 | My Company\MOCO Computers | Quarantined | Scheduled scan | c:\documents and settings\jcormier\local settings\temp\dwh101d.tmp |
| MOCOWS07 | SYSTEM | 192.168.1.104 | Bloodhound.MalPE | Malware | 1 | 08/29/2011 08:55:50 | My Company\MOCO Computers | Quarantined | Scheduled scan | c:\documents and settings\jcormier\local settings\temp\dwh101c.tmp |
| MOCOWS07 | SYSTEM | 192.168.1.104 | Bloodhound.MalPE | Malware | 1 | 08/29/2011 08:55:48 | My Company\MOCO Computers | Quarantined | Scheduled scan | c:\documents and settings\jcormier\local settings\temp\dwh101b.tmp |
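
One way to group detections like these when reviewing an exported risk report, as an added example that is not part of the original thread and not Symantec tooling: it separates rows whose file matches the DWH temp-file naming from all other detections and counts them per computer. The CSV layout, the reading of "###" as hex digits (taken from the file names posted in this thread), and the EXAMPLE-PC rows are assumptions.

```python
import csv
import io
import ntpath
import re
from collections import Counter

# Assumption: "DWH###.TMP" means "dwh" + hex digits + ".tmp", as in the file names in this thread.
DWH_NAME = re.compile(r"^dwh[0-9a-f]+\.tmp$", re.IGNORECASE)

# Sample report in an assumed CSV layout: two rows from the thread, two constructed (EXAMPLE-PC).
SAMPLE_CSV = r"""Computer,Risk,Date Time,Action,Source,File
MOCOWS07,Bloodhound.MalPE,08/29/2011 08:55:54,Quarantined,Scheduled scan,c:\documents and settings\jcormier\local settings\temp\dwh101e.tmp
MOCOWS07,Trojan.Gen,08/29/2011 08:55:52,Quarantined,Scheduled scan,c:\documents and settings\jcormier\local settings\temp\dwh101d.tmp
EXAMPLE-PC,Trojan.Gen,08/29/2011 09:10:00,Quarantined,Auto-Protect scan,c:\users\example\downloads\setup.exe
EXAMPLE-PC,Bloodhound.MalPE,08/29/2011 09:12:00,Quarantined,Scheduled scan,c:\data\dwh_report.tmp
"""


def is_dwh_temp(path):
    """True when the file name matches the DWH pattern and sits directly in a Temp directory."""
    folder, name = ntpath.split(path)
    in_temp = ntpath.basename(folder).lower() in ("temp", "tmp")
    return bool(DWH_NAME.match(name)) and in_temp


def triage(csv_text):
    """Split report rows into DWH temp-file detections and everything else."""
    dwh, other = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        (dwh if is_dwh_temp(row["File"]) else other).append(row)
    return dwh, other


def dwh_count_by_computer(csv_text):
    """Count DWH temp-file detections per computer to see which clients are affected."""
    dwh, _ = triage(csv_text)
    return Counter(row["Computer"] for row in dwh)


if __name__ == "__main__":
    _, other_rows = triage(SAMPLE_CSV)
    print("DWH temp-file detections per computer:", dict(dwh_count_by_computer(SAMPLE_CSV)))
    # Everything that does not match the pattern still needs normal review.
    for row in other_rows:
        print("Review separately:", row["Computer"], row["Risk"], row["File"])
```
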

Jamie.Frisbie@be-intuitive.com, 30 Sep 2011

Problem is still there in 12.1

I just did a SEP 12.1 upgrade and I'm getting the same issue also.

At least on machines that were upgraded from v 11.

GCary, 21 Oct 2011

SEP 12.1 and the DWH###.TMP files

We have just had SEP 12.1 installed (not an upgrade) and we have a client bloodhound.malPE continually checking and finding DWH###.  It seems to never stop.  It is affecting the performance of the client's computer.  Any thoughts?