Endpoint Protection

  • 1.  SEP finding DW*.TMP files - Trojan.Gen

    Posted Jul 19, 2012 01:57 PM

    SEP keeps tripping on these files but scans find nothing? What is the problem?



  • 2.  RE: SEP finding DW*.TMP files - Trojan.Gen

    Posted Jul 19, 2012 02:12 PM

    https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

    Note the explanation by Ryan_Dasso

    You can also find a workaround by Mithun Sanghavi posted on the last page of this thread.

    Doing a search of the forum, you will also find other posts on it.



  • 3.  RE: SEP finding DW*.TMP files - Trojan.Gen

    Posted Jul 19, 2012 04:24 PM

    Disable scanning of Quarantine when new defs arrive, or upgrade clients to RU7 MP2 or SEP 12.1 RU1 MP1.



  • 4.  RE: SEP finding DW*.TMP files - Trojan.Gen

    Posted Jul 19, 2012 04:52 PM


    Problem


    1. DWH files are created and flagged as malicious by Symantec Endpoint Protection's Auto-protect.

    2. Items in quarantine double every time new definitions arrive.


    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect.

    http://www.symantec.com/docs/TECH102953



  • 5.  RE: SEP finding DW*.TMP files - Trojan.Gen

    Posted Jul 19, 2012 04:53 PM


    When the virus definitions are updated in the Symantec Endpoint Protection (SEP) client or the Symantec AntiVirus Corporate Edition (SAVCE) client, there is an option to "Rescan the Quarantine". 
    This enables the SAVCE/SEP client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated AV signatures.

    When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine.  Consequently, the SAVCE/SEP client must extract the original file(s) from this quarantine packaging before it can be re-scanned.

    During this file extraction process, a temporary file, named DWHxxxx.tmp, is created in the working directory of the SAVCE/SEP client. This is typically within the "%App Data%\Symantec\" folder, but in certain older builds of SEP and SAVCE, it may also use the Windows "%TEMP%" folder.

    Normally, this temporary file will not be scanned by the SAVCE/SEP Auto-Protect function because SEP is already handling the file, i.e. SEP knows that it owns the file. However, if a third-party process accesses that file while it is being created, the SEP Auto-Protect function will intercept this file access and will declare the file as untrusted because another process, possibly malicious, had accessed the file.

    This will cause the file to be seen as a "new" file and untrusted. Accordingly, the file will be scanned. This results in an already quarantined and infected file getting re-scanned. Additionally, it will be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.

    Finally, as each definition set is received by the SEP or SAVCE client and the local quarantine is re-scanned, the above process repeats, and the contents of the local quarantine are doubled.



  • 6.  RE: SEP finding DW*.TMP files - Trojan.Gen

    Posted Jul 19, 2012 11:45 PM

    Known issue.

    Hopefully will be fixed in upcoming version.



  • 7.  RE: SEP finding DW*.TMP files - Trojan.Gen

    Broadcom Employee
    Posted Jul 20, 2012 05:19 AM

    Hi,

    Please check this article

    DWH***.tmp files are detected in the user profile temp directory

    http://www.symantec.com/docs/TECH92399

    These detections do not indicate a new outbreak of a threat.  The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.

    There are also several known methods to work around the issue:

    • The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
    • Items in quarantine can be deleted.
    • If the indexing service is enabled, it could be triggering the issue when the dwh***.tmp files are indexed.
    • Investigate other applications that are scanning the temp file for changes.

      I hope it helps.
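    As an added example (not from this thread, and not Symantec's own tooling), a small Python triage helper that separates detections fitting the quarantine-rescan artifact described in replies 5 and 7 (a DWHxxxx.tmp name, the Application Data\Symantec or %TEMP% working folder, and timing shortly after a definition update) from detections that still need a real look. The record layout and sample records are constructed rather than SEP's actual log format, and the assumption that xxxx is four hex digits is mine.

```python
import re
from datetime import datetime, timedelta

# The thread names the artifact DWHxxxx.tmp; treating xxxx as four hex digits is an assumption.
DWH_NAME = re.compile(r"[\\/]dwh[0-9a-f]{4}\.tmp$")

# Working folders named in the thread: "%App Data%\Symantec\" and, on older builds, "%TEMP%".
KNOWN_DIRS = (
    "\\application data\\symantec\\",
    "\\appdata\\roaming\\symantec\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\temp\\",
)

def is_rescan_artifact(record, def_updates, window=timedelta(minutes=30)):
    """True when a detection matches the rescan pattern: DWH filename, a SEP
    working folder, and a timestamp within `window` after a definition update."""
    path = record["path"].lower()
    if not DWH_NAME.search(path) or not any(d in path for d in KNOWN_DIRS):
        return False
    seen = datetime.strptime(record["time"], "%Y-%m-%d %H:%M:%S")
    return any(timedelta(0) <= seen - upd <= window for upd in def_updates)

def triage(records, def_updates):
    """Split detections into likely rescan artifacts and everything else (paths only)."""
    artifacts, review = [], []
    for rec in records:
        (artifacts if is_rescan_artifact(rec, def_updates) else review).append(rec["path"])
    return artifacts, review

# Constructed sample data; not real SEP log output. One definition update at 14:00.
DEF_UPDATES = [datetime(2012, 7, 19, 14, 0, 0)]
RECORDS = [
    {"time": "2012-07-19 14:05:12", "threat": "Trojan.Gen",
     "path": r"C:\Documents and Settings\alice\Local Settings\Temp\DWH1F3A.tmp"},
    {"time": "2012-07-19 14:06:40", "threat": "Trojan.Gen",
     "path": r"C:\Documents and Settings\alice\Application Data\Symantec\DWH2B77.tmp"},
    {"time": "2012-07-19 09:30:00", "threat": "Trojan.Gen",
     "path": r"C:\Users\bob\Downloads\invoice.exe"},
    # DWH name and folder fit, but no definition update nearby, so it stays in the review pile.
    {"time": "2012-07-19 16:40:00", "threat": "Trojan.Gen",
     "path": r"C:\Users\bob\AppData\Local\Temp\DWH9C01.tmp"},
]

if __name__ == "__main__":
    art, rev = triage(RECORDS, DEF_UPDATES)
    print("likely rescan artifacts:", *art, sep="\n  ")
    print("needs review:", *rev, sep="\n  ")
```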




  • 8.  RE: SEP finding DW*.TMP files - Trojan.Gen

    Broadcom Employee
    Posted Nov 15, 2012 06:29 AM

    Hello Everyone,

    According to the fix notes of the latest SEP version, i.e. SEP 12.1 RU2, the issue is resolved with this release.

    Repeated detection of DWHxxxx.tmp as a threat
    Fix ID: 2718341
    Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.
    Solution: Increased Defwatch scan performance and moved the temporary extraction folder from %TEMP% to Application Data to avoid conflicts with Windows Search Indexer.
    Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2