When the virus definitions are updated in the Symantec Endpoint Protection (SEP) client or the Symantec AntiVirus Corporate Edition (SAVCE) client, there is an option to "Rescan the Quarantine".
This enables the SAVCE/SEP client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated AV signatures.
When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the SAVCE/SEP client must extract the original file(s) from this quarantine packaging before it can be re-scanned.
During this file extraction process, a temporary file named DWHxxxx.tmp is created in the working directory of the SAVCE/SEP client. This is typically within the "%App Data%\Symantec\" folder, but in certain older builds of SEP and SAVCE, it may also use the Windows "%TEMP%" folder.
Normally, this temporary file will not be scanned by the SAVCE/SEP Auto Protect function because SEP is already handling the file, i.e. SEP knows that it owns the file. However, if a third-party process accesses that file while it is being created, the SEP Auto Protect function will intercept this file access and will declare the file untrusted because another process, possibly malicious, has accessed it.
This will cause the file to be seen as a "new", untrusted file. Accordingly, the file will be scanned. This results in an already quarantined and infected file getting re-scanned. Additionally, it will be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.
Finally, as each definition set is received by the SEP or SAVCE client and the local quarantine is re-scanned, the above process repeats, and the contents of the local quarantine are doubled.
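A triage sketch for the behaviour described above, added here as an example and not Symantec code: it inventories DWHxxxx.tmp files in a directory using metadata only (it never opens them, since third-party access is what the article identifies as the trigger) and checks whether bursts of files grow by a factor of two. It assumes leftover temporary files remain on disk, one temporary file per quarantined item per rescan, and a 600-second gap between rescans; all function names are hypothetical.

```python
import os
import re
# Assumption: "xxxx" in DWHxxxx.tmp stands for an arbitrary run of characters.
DWH_NAME = re.compile(r"^DWH.+\.tmp$", re.IGNORECASE)

def list_dwh(directory):
    """Return sorted (mtime, size, name) per DWH*.tmp file; files are never opened."""
    found = []
    for entry in os.scandir(directory):
        try:
            if DWH_NAME.match(entry.name) and entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                found.append((st.st_mtime, st.st_size, entry.name))
        except OSError:
            continue  # removed or inaccessible mid-scan
    return sorted(found)

def batch_sizes(files, gap_seconds=600):
    """Split files into bursts separated by more than gap_seconds; return counts."""
    sizes, last = [], None
    for mtime, _size, _name in files:
        if last is None or mtime - last > gap_seconds:
            sizes.append(0)
        sizes[-1] += 1
        last = mtime
    return sizes

def looks_like_doubling(sizes):
    """True if at least two consecutive bursts each hold >= 2x the previous one."""
    run = 0
    for prev, cur in zip(sizes, sizes[1:]):
        run = run + 1 if cur >= 2 * prev else 0
        if run >= 2:
            return True
    return False

def build_sample(directory):
    """Constructed sample data: bursts of 1, 2 and 4 empty files one hour apart."""
    base, n = 1_700_000_000, 0
    for burst, count in enumerate((1, 2, 4)):
        for _ in range(count):
            path = os.path.join(directory, f"DWH{n:04X}.tmp")
            open(path, "wb").close()
            os.utime(path, (base + burst * 3600 + n,) * 2)
            n += 1

if __name__ == "__main__":
    import sys
    print(batch_sizes(list_dwh(sys.argv[1])))
```

Run it with the client's working directory as the only argument; the printed list is the number of temporary files per burst, oldest first.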