Endpoint Protection

  • 1.  Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Feb 27, 2015 06:40 AM

    Hello,

    I'm using Symantec Endpoint Protection 12.1.5 build 5337, provided by my university. I've recently encountered a problem, and came to ask for assistance.

    I searched for information on a similar problem, but I mainly found people that had had issues with Symantec finding dwh .tmp files and labeling them as viruses. I have a slightly different problem; Symantec keeps finding Trojan.Gen.2 viruses that are all instantly quarantined, and all named dwh****.dll - for example, dwh1575.dll.

    I understand there have been some problems with Symantec detecting viruses during definition updates in the past years according to some forum posts, but now that it's 2015, is the problem something else? The original location of these files, according to the virus reports, is indeed Symantec/DefWatch.DWH/

    I have run RogueKiller and Symantec full scans and neither could find any issues. However, I keep getting the dll virus reports several times a day, which makes me feel somewhat uneasy.

    I attached a screenshot of my quarantine that shows some of the file names. If there is anything else I can provide that would help you look into my problem, just let me know.


    Thanks in advance.



  • 2.  RE: Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Feb 28, 2015 12:15 AM

    DWH*.tmp files are created and detected when quarantine is scanned with new virus definitions

    Article:TECH102953  |  Created: 2007-01-19  |  Updated: 2014-11-24  |  Article URL http://www.symantec.com/docs/TECH102953


  • 3.  RE: Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Feb 28, 2015 12:18 AM

    Thanks for the reply.

    I understand. However, this flood of infected files is NOT a flood of .tmp files, but of .dll files. Furthermore, it only started recently, 2 days ago, and I am using the latest version of Symantec.

    I am still a little worried about this, and wonder if there is anything I could do.



  • 4.  RE: Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Feb 28, 2015 12:22 AM

    Try to run the SymHelp tool.

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    http://www.symantec.com/business/support/index?page=content&id=TECH215519

    Run the Symantec Help diagnostic tool to collect and send data for a Symantec Support case

    http://www.symantec.com/business/support/index?page=content&id=TECH203533



  • 5.  RE: Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Feb 28, 2015 12:58 AM

    Run the risk analysis tool

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    Article:TECH215519  |  Created: 2014-03-03  |  Updated: 2014-07-10  |  Article URL http://www.symantec.com/docs/TECH215519


  • 6.  RE: Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Feb 28, 2015 06:12 AM

    "Defwatch" scans items in quarantine to check if they can be repaired with newly downloaded content. Does it help if you disable these scans?

    Virus and Spyware Protection policy > Quarantine > When New Virus Definitions Arrive > Do nothing



  • 7.  RE: Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Feb 28, 2015 07:47 AM

    This is a known issue and has been since the early days of SEP. You can manually delete those files as they are likely false positives. Steps to delete are in this article:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953



  • 8.  RE: Symantec keeps finding dwh *** dll files as Trojan.Gen.2

    Posted Mar 01, 2015 10:08 AM

    Thank you for your comments, everyone.


    I have taken heed and attributed the .dll detections to also be false positives, even though I maintain that they are not .tmp files as is stated in Brian's article or any other resources, which puzzles me - why have I not seen or heard anyone talk of .dll files in this context? Oh well, I take it they fall in the same category, as the rest of the details match.

    I have run the SymHelp tool. It did not detect many issues, but I took care of the ones it suggested - mainly a few registry entries related to autorun and such. I haven't gotten any more reports in the last 12-24 hours - knock on wood. I hope this solved it. If not, I'll read more on deleting the DWH files manually - even if the instructions were for .tmp files, and not .dll.


    Thanks again!