What is the version of SEP you are running?
Please upgrade to the latest version RU6MP2 as this issue is fixed.
http://www.symantec.com/docs/TECH102953
The issue of multiple DWHxxx.tmp files being created and retained has been resolved in Symantec Endpoint Protection Release Update 6, Maintenance Patch 1 (RU6 MP1, 11.0.6100.645). You can apply this patch over Symantec Endpoint Protection Release Update 6 (RU6, 11.0.6000.548) or Release Update 6a (RU6a, 11.0.6005.562).
If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.
A) Single Systems:
- Disable rescanning of the local quarantine upon receipt of new virus definitions: edit the following policy components -
Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
- Ensure no process or services (such as Windows Indexing Service for example) can access/monitor SAVCE/SEP files.
- Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
- Restart in safe mode, deleting *.DWH files in the temporary folder, cleaning the quarantine folder.
B) For a network with multiple affected systems
- Open Symantec Endpoint Protection Manager
- Go to Policies
- Select Antivirus and Antispyware Policy
- Select Quarantine
- Click on the Cleanup Tab
- Under Quarantined Files check mark "Delete oldest file to limit folder Size at ( X ) MB (Instead of X mentioned the Size of Quarantine Folder you would like to use)
You can also refer to the following KB for a few more details because we have seen multiple issues (DWH and Xfer), so using both documents should help.
"Large amounts of temp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats."
http://service1.symantec.com/support/ent-security.nsf/docid/2009042217073548