Endpoint Protection

  • 1.  SEP is attacking itself (this its a virus)

    Posted Jan 24, 2016 02:20 PM

    I think a picture is worth 1000 words on this one:

    Screenshot from 2016-01-24 13-12-30.png

    SEP attacking itself? huh?

    SEP version 12.1.5 (12.1 RU5) Build 5537 (12.1.5337.5000).

    Virus Definitions: Jan 24, 2016 R2

    Windows Server 2012 R2 (fully patched).

     



  • 2.  RE: SEP is attacking itself (this its a virus)

    Posted Jan 24, 2016 02:22 PM

    I noticed some of the text was a little hard to read in the screenshot so:

    File it thinks is a virus:

    c:\programdata\symantec\defwatch.dwh\dwh9f5.exe



  • 3.  RE: SEP is attacking itself (this its a virus)

    Posted Jan 24, 2016 02:25 PM

    In Event Viewer:

    Security Risk Found!Trojan.Gen.2 in File: c:\programdata\symantec\defwatch.dwh\dwh9f5.exe by: Scheduled scan.  Action: Clean failed : Quarantine failed.  Action Description: The file was left unchanged.



  • 4.  RE: SEP is attacking itself (this its a virus)

    Posted Jan 31, 2016 04:51 PM

    umm not even a single reply.....wow



  • 5.  RE: SEP is attacking itself (this its a virus)

    Posted Feb 02, 2016 04:57 PM

    This post was just published now so no one could see it.

    Now, go through this article:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953

    It's likely a false positive and has been a known issue for a long time now.



  • 6.  RE: SEP is attacking itself (this its a virus)

    Posted Feb 03, 2016 11:21 AM

    Hi Ncage1974,

    There is no shortage of public articles and posts about this known behavior.  Follow the advice therein.

    A similar issue:

    Virus being detected in the quarantine folder of the Symantec Endpoint Protection client APQ*.tmp
    Article URL: http://www.symantec.com/docs/TECH167254

    I recommend configuring SEP to delete the malware that it encounters.  There's little point in storing quarantined files forever, unless you have spare disk space that you're determined to use.

    With thanks and best regards,

    Mick
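
Added example, not part of any post in this thread and not Symantec code: a Python sketch that parses event messages in the layout quoted in post 3 and tags detections whose path matches the DWH rescan copy from post 2 or the APQ*.tmp name from post 6, so they can be reviewed separately from detections elsewhere on disk. The function names, tag names and the constructed sample lines are assumptions; a tag is a sorting hint based on the path alone.

```python
import re
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Field layout copied from the Event Viewer message quoted in post 3.
EVENT_RE = re.compile(
    r"Security Risk Found!\s*(?P<risk>\S+) in File: (?P<path>.+?) by: (?P<source>.+?)\.\s+"
    r"Action: (?P<action>.+?)\.\s+Action Description: (?P<description>.+)$"
)

def classify_path(path):
    """Tag a detection path; the tag names are this example's own labels."""
    p = PureWindowsPath(path.lower())
    # DWH rescan copy, in the folder shown in post 2.
    if p.parts[-3:-1] == ("symantec", "defwatch.dwh") and fnmatchcase(p.name, "dwh*.exe"):
        return "dwh-rescan-copy"
    # APQ*.tmp from post 6; the page gives no folder, so only the name is checked.
    if fnmatchcase(p.name, "apq*.tmp"):
        return "apq-temp-name"
    return "investigate"

def triage(lines):
    """Parse event messages and return one record per detection."""
    records = []
    for line in lines:
        m = EVENT_RE.search(line.strip())
        if m is None:
            continue  # not a detection message in the expected layout
        rec = m.groupdict()
        rec["tag"] = classify_path(rec["path"])
        records.append(rec)
    return records

SAMPLE_EVENTS = [
    # Message as quoted in post 3.
    r"Security Risk Found!Trojan.Gen.2 in File: c:\programdata\symantec\defwatch.dwh\dwh9f5.exe"
    r" by: Scheduled scan.  Action: Clean failed : Quarantine failed."
    r"  Action Description: The file was left unchanged.",
    # Constructed: same wording as above with a made-up path outside the SEP folders.
    r"Security Risk Found!Trojan.Gen.2 in File: c:\users\alice\downloads\setup.exe"
    r" by: Scheduled scan.  Action: Clean failed : Quarantine failed."
    r"  Action Description: The file was left unchanged.",
    # Constructed: a line that is not a detection message and is skipped.
    "unrelated event text",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["tag"]:16} {r["risk"]:14} {r["source"]:16} {r["path"]}')
```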