
Trojan Horse Detected by SEP 11 under a Closed Network

Created: 15 Nov 2012 • Updated: 15 Nov 2012 | 9 comments

Hi,

Recently SEP 11 has detected a Trojan horse on 2 files on my client's Windows 2003 Server in a closed network. One of the files is named .opmndat in C:\product\10.1.3.1\OracleAS_1\opmn\logs\states, which seems to be a log file created during Oracle Services start-up. I tried to open the file with Notepad and there is only a numerical string. It is already quarantined. The other is called DWH3.temp in C:\Windows\Temp, which no longer exists after the SEP alert.

Why could such files be detected as a Trojan horse, and how do I prevent these alerts from SEP 11? Grateful if anyone can help. Thank you!

Cilei


.Brian:

What version of 11.x? This thread is similar:

https://www-secure.symantec.com/connect/forums/gen...

It is likely a false positive.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

cilei:

Hi Brian,

Thanks for your prompt reply. The version is 11.0.7000.975. I am going through the thread.

Cilei

.Brian:

This is a known issue. Each new version has improvements, but I still believe this may be a false positive.


Mohan Babu:

Yes, Brian81.

When will we get a permanent fix for the DWH.tmp false positive? It's a huge headache.

Mohan Babu

moglie20@gmail.com

+91 9884382160

Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)

cilei:

Hi Brian,

Does the same apply to the Oracle log file named '.opmndat'?

Cilei

Mick2009:

Here's an official article on the subject:

DWH***.tmp files are detected in the user profile temp directory.
Article URL: http://www.symantec.com/docs/TECH92399

With thanks and best regards,

Mick

Mohan Babu:

Mick2009 (Symantec Employee),

I agree with you, but there is still no fix as per the documentation you mentioned above.

Files re-detected during Defwatch scan

Fix ID: 2067778
Symptom: DWHxxxx.tmp files are being re-detected when Defwatch scan is running.
Solution: Fixed some scan issues, making the scan faster. Also created a separate folder to rescan Quarantine items that can be used to create exceptions.

But no fixes are mentioned in the document, and it's crazy.

On every release they update the KB article stating that the DWH.tmp issue has been improved in the latest build in scan performance and so on, but nothing happens, and it still shows as an infection: Trojan.Gen, Trojan.Gen2, Trojan.Maljava and so on. People using SEP get scared because of this false positive. We need to fix this instead of going around doing nothing and offering the simple workaround of not scanning Quarantine when new definitions arrive.

Expecting a permanent fix for this.

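An added triage helper, not from this thread or from Symantec: it checks a detection event against the traits the thread attributes to the DWH re-detections (DWHxxxx.tmp name, Temp directory, raised during a Defwatch rescan, generic Trojan.Gen-style name) and flags only a full match as a known-issue candidate, sending anything else, such as the .opmndat file, to investigation. The Detection record, the sample events and the threat-name list are constructed for this example.

```python
import re
from dataclasses import dataclass

# Filename pattern from the thread and KB TECH92399: DWH + a few hex digits + .tmp
DWH_NAME = re.compile(r"^DWH[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)
# Generic detection names the thread says these temp files are reported as (constructed list)
GENERIC_THREATS = {"trojan.gen", "trojan.gen.2", "trojan.gen2", "trojan.maljava"}


@dataclass
class Detection:
    path: str              # full path reported by the AV client
    threat: str            # detection name, e.g. "Trojan.Gen"
    during_defwatch: bool  # event raised while a definitions-triggered rescan ran


def classify(d: Detection) -> tuple[str, str]:
    """Return (verdict, reason). 'known-issue-candidate' means the event matches
    every trait of the DWH rescan pattern; anything else is 'investigate'."""
    parts = d.path.replace("/", "\\").split("\\")
    name = parts[-1]
    parent = parts[-2].lower() if len(parts) > 1 else ""
    checks = [
        (DWH_NAME.match(name) is not None, "filename is not DWHxxxx.tmp"),
        (parent == "temp", "file is not in a Temp directory"),
        (d.during_defwatch, "not raised during a Defwatch/quarantine rescan"),
        (d.threat.lower() in GENERIC_THREATS,
         f"threat name {d.threat!r} is not one of the generic names"),
    ]
    failed = [reason for ok, reason in checks if not ok]
    if not failed:
        return ("known-issue-candidate",
                "matches the DWH rescan pattern; confirm against the KB and submit a sample if unsure")
    return ("investigate", "; ".join(failed))


# Constructed sample events modelled on the two files from the original post
SAMPLE_EVENTS = [
    Detection(r"C:\Windows\Temp\DWH3A1F.tmp", "Trojan.Gen", True),
    Detection(r"C:\product\10.1.3.1\OracleAS_1\opmn\logs\states\.opmndat", "Trojan.Gen", True),
    Detection(r"C:\Windows\Temp\DWH2.tmp", "Trojan.Gen", False),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = classify(ev)
        print(f"{ev.path}: {verdict} ({reason})")
```

A "known-issue-candidate" verdict is a prompt to check the KB article and the quarantine rescan settings, not a reason to skip submitting the file for analysis.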

Mick2009:

Upgrading to SEP 12.1 will make a dramatic improvement. Otherwise, it is safe to know that these DWH events under SEP 11 are a known issue.


Simpson Homer:

Please contact Support and have a case created and take proper assistance.

Phone numbers to contact Tech Support:

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

India: Toll-Free 000 800 4401 456 directly

IDD call: +61 2 8220 7111

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Customer Care Contact Numbers for Licensing Issues:

http://www.symantec.com/support/assistance_care.jsp

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Where to upload a suspected File?

https://submit.symantec.com/websubmit/gold.cgi