
Symantec AntiVirus Detection Results -Trojan.gen

Created: 02 Apr 2013 | 6 comments

For a little over a week I have been getting a pop up "Symantec AntiVirus Detection Results" and it's displaying a long list of Trojan.gen risks.  It's saying the risks are quarantined but when I delete them through actions, more just keep coming.  The filenames are continuous in a way, also. For example: DWHF08F.tmp; DWHDD0.tmp; DWH2354.tmp, etc.  This seems unusual considering I have never seen a message like this, and it just keeps coming after closing the window - it pops back up.

 

 


.Brian's picture

This is a known issue. What version of SEP are you on?

Related KB articles are here:

 

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

Article:TECH102953  |  Created: 2007-01-19  |  Updated: 2012-07-10  |  Article URL http://www.symantec.com/docs/TECH102953

 

Defwatch temp files are re-detected in temp folder

Article:TECH138856  |  Created: 2010-08-31  |  Updated: 2012-04-27  |  Article URL http://www.symantec.com/docs/TECH138856

 

I would suggest upgrading to the latest version of SEP as this has been improved and hopefully minimised.

If you're on SEP 12.1 make sure to upgrade to the latest release, 12.1.2

Repeated detection of DWHxxxx.tmp as a threat
Fix ID: 2718341
Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.
Solution: Increased Defwatch scan performance and moved the temporary extraction folder from %TEMP% to Application Data to avoid conflicts with Windows Search Indexer.
 
Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2
 
Check this similar thread and the post by Mithun Sanghavi as he shows how to delete manually:
 
https://www-secure.symantec.com/connect/forums/why-it-so-difficult-get-rid-ofwork-qsp-files

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mick2009's picture

Hi glock30,

Don't worry - that is not a new infection, but an alert that is triggered in certain circumstances upon files already quarantined.  Please upgrade to the latest available release of SEP, where improvements in the code minimize the occurrence of those alerts.

With thanks and best regards,

Mick


Mithun Sanghavi's picture

Hello,

This issue seems to be resolved, as I haven't come across any such cases with Symantec Endpoint Protection 12.1 RU2 detecting DWH###.TMP files.

tmp file (DWH*****.tmp) detected as Trojan.Gen or Trojan.Gen.2 by Corp products

http://www.symantec.com/business/support/index?page=content&id=TECH102953

The actual cause was with SEP 11 where the files were created by the Symantec Endpoint Protection or Symantec AntiVirus Quarantine scan. This scan is normally initiated by a virus definition update.

The quarantine scan on virus definition update can be disabled: edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".

There are also several known methods to work around the issue:

  • The quarantine scan on virus definition update can be disabled in the  Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
  • Items in quarantine can be deleted.
  • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
  • Investigate other applications that are scanning the temp file for changes.

Check this Thread:

http://www.symantec.com/connect/forums/sep-121-and-dwhtmp-files

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian's picture

It happens in 12.1 as well, just not as prevalent. I have a few clients with this issue.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture

Hi,

These detections do not indicate a new outbreak of a threat.  The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.

DWH***.tmp files are detected in the user profile temp directory

http://www.symantec.com/docs/TECH92399

According to the fix notes of the latest SEP version, i.e. SEP 12.1 RU2, the issue is resolved with this release.

Repeated detection of DWHxxxx.tmp as a threat
Fix ID: 2718341
Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.
Solution: Increased Defwatch scan performance and moved the temporary extraction folder from %TEMP% to Application Data to avoid conflicts with Windows Search Indexer.
 
Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2
 
Check this thread: https://www-secure.symantec.com/connect/forums/sep-121-and-dwhtmp-files-0#comment-8239401

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
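
An added example, not part of the thread or of Symantec's tooling: a triage script that separates the Defwatch re-detections described above (Trojan.Gen on DWHxxxx.tmp in a temp or Application Data folder) from Trojan.Gen detections that still need investigation. The CSV column layout, host names and folder patterns are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ntpath
import re
from collections import defaultdict

# Name pattern from the thread: DWH + hex digits + .tmp (e.g. DWHF08F.tmp).
DWH_NAME = re.compile(r"^DWH[0-9A-F]+\.tmp$", re.IGNORECASE)
# Assumed folders: %TEMP% before the 12.1 RU2 fix, Application Data after it.
TEMP_DIR = re.compile(r"\\(temp|application data)(\\|$)", re.IGNORECASE)

# Constructed sample export; the column layout is an assumption.
SAMPLE = """host,risk,path
PC-01,Trojan.Gen,C:\\Users\\amy\\AppData\\Local\\Temp\\DWHF08F.tmp
PC-01,Trojan.Gen,C:\\Users\\amy\\AppData\\Local\\Temp\\DWHDD0.tmp
PC-02,Trojan.Gen.2,C:\\Windows\\Temp\\DWH2354.tmp
PC-02,Trojan.Gen,C:\\Users\\bob\\Downloads\\DWH2354.tmp
PC-03,Trojan.Gen,C:\\Users\\cat\\Desktop\\invoice.exe
"""

def classify(risk, path):
    """Return 'defwatch-artifact' or 'investigate' for one detection."""
    folder, name = ntpath.split(path)  # Windows path rules on any OS
    if (risk.lower().startswith("trojan.gen")
            and DWH_NAME.match(name)
            and TEMP_DIR.search(folder)):
        return "defwatch-artifact"
    # Same file name outside a temp folder, or any other file: not the known issue.
    return "investigate"

def triage(export_text):
    """Count detections per host by class."""
    per_host = defaultdict(lambda: {"defwatch-artifact": 0, "investigate": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        per_host[row["host"]][classify(row["risk"], row["path"])] += 1
    return dict(per_host)

def hosts_needing_review(export_text):
    """Hosts with at least one detection that is not a Defwatch temp file."""
    return sorted(h for h, c in triage(export_text).items() if c["investigate"])

if __name__ == "__main__":
    for host, counts in sorted(triage(SAMPLE).items()):
        print(host, counts)
    print("review:", hosts_needing_review(SAMPLE))
```

Hosts that show only `defwatch-artifact` rows are candidates for the upgrade or policy workaround discussed in the thread; any host listed for review has a detection that the known issue does not explain.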