
Still Infected Machines not clearing after a full system scan

Created: 10 Feb 2013 • Updated: 17 Feb 2013 | 6 comments
This issue has been solved. See solution.

Hi All,

I have an issue with 3 machines on my network. They are constantly re-appearing as Still Infected Machines for the past three weeks, even after a full system scan in safe mode.

Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.

Symptoms
Infected DWH***.tmp files are detected in the user profile temp directory by AutoProtect.

I understand that SEP 12 RU 2 will fix this issue, but I'm still on SEP 12 RU 1. In the meantime, how do I get rid of this issue?

I am not comfortable with disabling the quarantine scan on virus definition update.

  • I was thinking of manually deleting the contents of the Quarantine folder on the infected machine (locate the Quarantine folder, open it and delete everything inside that folder), but I am not sure if that will solve the issue.
  • Delete everything in temp folders.

Any suggestions on how to resolve these Still Infected / Newly Infected machines?

Thank you

Comments (6)

Ashish-Sharma:

hi,

Check Jim Shock's comments:

Is your SEP managed by Symantec? If so, you may not be able to add Exceptions.

These instructions apply to Vista and above - for older operating systems, the folder is under Documents and Settings\<username>\local settings\application data\Symantec.

One problem is that the folder used to rescan Quarantine files is created and deleted each time - so it does not exist normally - and the Exceptions UI only allows existing folders to be added. You can add an exception for ProgramData\Symantec\* - but this may be too broad.

1. Navigate into ProgramData\Symantec

2. Create a new folder - DefWatch.DWH

3. Open the SEP main UI -> Change Settings -> Exceptions -> Configure Settings

4. Add -> Security Risk Exception -> Folder

5. Navigate to and select the ProgramData\Symantec\DefWatch.DWH folder, click OK

6. Click Close

7. You can now delete the DefWatch.DWH folder - or it will be automatically deleted after the next Quarantine rescan.

Check this thread

https://www-secure.symantec.com/connect/forums/sep-121-and-dwhtmp-files-0

Thanks In Advance

Ashish Sharma

SebastianZ:

Have a look at the following KB:

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

...it provides workarounds for cleaning the files from the temp folders and cleanup of the quarantine. One other possibility is to set exclusions for .dwh files.

Eyal:

Hi

Yes, SEP is managed by SEPM, and I have just configured the scan to do nothing when new virus definitions arrive; I will see how that goes.

Now, will the Still Infected and Newly Infected machines disappear, as it is the same 3 machines, or do I have to create exclusions for the DWH file?

Thank you

SebastianZ:

Normally the management server should reset the Still Infected Status for the SEP client once the computer is no longer infected. Let's see if you see any new infections reported after the setting change.

Mithun Sanghavi:

Hello,

Follow the Steps provided in the Article below:

tmp file (DWH*****.tmp) detected as Trojan.Gen or Trojan.Gen.2 by Corp products

http://www.symantec.com/business/support/index?page=content&id=TECH102953

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade:

Hi,

Based on the severity of the detections, there are some known workarounds that should resolve the issue. These are listed in order of preference:

  1. Disable rescanning of the local quarantine upon receipt of new virus definitions.
     a. Open the Antivirus and Antispyware policy > Windows Settings > Quarantine > General.
     b. Under "When New Virus Definitions Arrive", choose "Do nothing".
        In SEP 12.1 versions, this policy is called Virus and Spyware Protection, and Quarantine is under Advanced Options.

  2. Limit the size of the Quarantine folder.
     a. In the right-hand panel, on the Cleanup tab, under Quarantined Files, check "Enable automatic deleting of quarantined files that could not be repaired" (default: delete after 30 days) and "Delete oldest files to limit folder size at:" (default: 50 MB).

  3. Click OK and, if needed, assign the policy.

  4. Ensure that no processes or services (such as the Windows Indexing Service, for example) can access or monitor SAVCE or SEP files.

  5. Ensure that the "%TEMP%" folder is not open when virus definitions are updated.

  6. Restart in safe mode, delete *.DWH files in the temporary folder, and empty the quarantine folder.

Reference: When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

To clear the SEPM status, try to truncate the database transaction logs and rebuild indexes.

If possible, repair the SEPM.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SOLUTION
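Step 6 of the solution above (delete the *.DWH files from the temporary folder) is usually done by hand in safe mode. The following PowerShell script is an added example, not part of the thread and not a Symantec tool: it inventories DWH*.tmp files in the locations the thread names (every user's temp folder and the ProgramData\Symantec tree, where the transient DefWatch.DWH rescan folder appears) and only removes them when run with -Remove, honouring -WhatIf. The paths are assumptions for Vista and later (per-user temp under C:\Users\<user>\AppData\Local\Temp; on older Windows the folder is under Documents and Settings\<user>\Local Settings\Application Data, as Ashish's post notes); the script skips files newer than the -OlderThanMinutes cutoff so it does not race a rescan that is still writing them, and it deliberately leaves the Quarantine folder itself alone, since that is best emptied from the SEP client UI. Requires PowerShell 3.0 or later and an elevated prompt.

```powershell
<#
  Added example (not from the original thread or from Symantec).
  Reports DWH*.tmp files under each user's temp folder and ProgramData\Symantec;
  deletes them only with -Remove (supports -WhatIf / -Confirm).
  Path layout below is an assumption for Windows Vista and later.
  Run elevated; do the deletion in safe mode, as the thread advises.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$OlderThanMinutes = 60,   # skip files a running quarantine rescan may still be writing
    [switch]$Remove                # without -Remove the script only reports
)

# Candidate roots: ProgramData\Symantec holds the transient DefWatch.DWH rescan folder;
# per-user temp is where Auto-Protect flags the DWH*.tmp copies.
$roots = @("$env:ProgramData\Symantec") +
         (Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

$cutoff = (Get-Date).AddMinutes(-$OlderThanMinutes)

$found = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter 'DWH*.tmp' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff }
}

if (-not $found) {
    Write-Host "No DWH*.tmp files older than $OlderThanMinutes minutes under: $($roots -join '; ')"
    return
}

# Report first, so the admin sees exactly what a -Remove run would touch.
$found |
    Select-Object FullName, Length, LastWriteTime |
    Sort-Object LastWriteTime |
    Format-Table -AutoSize | Out-Host

$total = ($found | Measure-Object -Property Length -Sum).Sum
Write-Host ("{0} file(s), {1:N0} bytes total" -f $found.Count, $total)

if ($Remove) {
    foreach ($f in $found) {
        # ShouldProcess makes -WhatIf print the action instead of performing it.
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove DWH temp file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Typical use is a dry run first (`.\Clean-DwhTemp.ps1 -Remove -WhatIf`), then the real deletion from safe mode; if the same files come straight back after the next definition update, that confirms the quarantine rescan described in TECH102953 is recreating them, and the policy change in step 1 is the fix rather than repeated cleanup.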