Endpoint Protection

  • 1.  SEP W97M.Downloader DefWatch

    Posted Jan 19, 2016 06:04 AM

    I keep getting multiple detections for clients for 'W97M.Downloader' which seem to be in a bit of a loop, in that they are being picked up via DefWatch but keep coming back out of quarantine each day when the definition file is updated.

    I'm running RU5 on the clients and wondered if this is a known problem with that particular client version.

    My workaround is to delete the quarantine files and the DefWatch folder at the same time, which is a real pain!



  • 2.  RE: SEP W97M.Downloader DefWatch

    Posted Jan 19, 2016 06:06 AM

    This is likely a known issue, see this article for the info:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953



  • 3.  RE: SEP W97M.Downloader DefWatch

    Posted Jan 19, 2016 06:20 AM

    Cheers Brain, that's a great link. Looks like a policy tweak then for now!



  • 4.  RE: SEP W97M.Downloader DefWatch

    Posted Jan 19, 2016 06:41 AM

    Defwatch is a known error, and I believe you might have upgraded from SEP 11.x to SEP 12.1.x. If yes, then I would suggest you perform a cleanwipe on the machine and then install SEP 12.1.5 or later, as this will work better.



  • 5.  RE: SEP W97M.Downloader DefWatch

    Broadcom Employee
    Posted Jan 20, 2016 12:52 PM

    Hi,

    The Defwatch-related issue and W97M.Downloader are two different issues. Do you notice that DWH*.tmp files are created and flagged as malicious by Auto-Protect in Symantec Endpoint Protection (SEP)? What exact error message or alerts are you receiving? If possible, post a screenshot.

    Here is a similar thread as well: http://www.symantec.com/connect/forums/w97mdownloader-security-risk

    W97M.Downloader - Removal: https://www.symantec.com/security_response/writeup.jsp?docid=2014-110100-2117-99&tabid=3