Endpoint Protection

  • 1.  virus Name - Trojan.Gen

    Posted Oct 22, 2012 12:41 AM

    Virus detected in system, reported to server in Risk.

    Virus Name - Trojan.Gen

    Version - 11.0.6005

    Regards,

    Ashok



  • 2.  RE: virus Name - Trojan.Gen

    Posted Oct 22, 2012 12:48 AM

    Trojan.Gen.2 is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

    Trojan horse programs pose as legitimate programs or files that users may recognize and want to use. They rely on this trick to lure a user into inadvertently running the Trojan. Often a Trojan will mimic a well known legitimate file name or pose as a particular type of file, like a .jpg or .doc file to trick a user.

    Distribution of Trojans on to compromised computers occurs in a variety of ways, from email attachments and links to instant messages, drive-by downloads, and being dropped by other malicious software. Once installed on the compromised computer, the Trojan begins to perform the predetermined actions that it was designed for.

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-082216-3542-99&tabid=3

    Removal Tool


    If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


    How to reduce the risk of infection
    The following resource provides further information and best practices to help reduce the risk of infection.
    Protecting your business network



    MANUAL REMOVAL
    The following instructions pertain to all current Symantec antivirus products.

    1. Performing a full system scan
    How to run a full system scan using your Symantec product


    2. Restoring settings in the registry
    Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.



  • 3.  RE: virus Name - Trojan.Gen
    Best Answer

    Posted Oct 22, 2012 01:09 AM

    Have you seen these files with the name dwh*.tmp?

    If the file has this name, then read the link below.

    This issue is fixed in RU7 MP2.

    http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US

    This build's version is: 11.0.7200.1147.

    Release notes for Endpoint Protection and Network Access Control 11



  • 4.  RE: virus Name - Trojan.Gen

    Broadcom Employee
    Posted Oct 22, 2012 03:49 AM

    Hi,

    DWH***.tmp files are detected in the user profile temp directory

    http://www.symantec.com/docs/TECH92399

    These detections do not indicate a new outbreak of a threat. The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.

    There are also several known methods to work around the issue:

    • The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
    • Items in quarantine can be deleted.
    • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
    • Investigate other applications that are scanning the temp file for changes.

    Best practices to troubleshoot a virus on the network

    http://www.symantec.com/docs/TECH122466

    If that does not help,

    Use the Symantec Endpoint Protection Support Tool with Power Eraser (eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect) following the article:
    Support Tool with Power Eraser Tool included

    http://www.symantec.com/business/support/index?pag...

    Check the loadpoints on your machine:
    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files
    http://www.symantec.com/business/support/index?pag...

    If you manage to identify infected files and they are not detected by SEP, please submit the files using this link:
    http://www.symantec.com/business/security_response...



  • 5.  RE: virus Name - Trojan.Gen

    Trusted Advisor
    Posted Oct 22, 2012 07:07 AM

    Hello Ashoka,

    You have provided very limited details.

    Could you please provide us the file name and the path where the file is located? If possible, please provide us a screenshot.

    Trojan.Gen is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

    Understanding the file location and file name may give us some idea to assist you with the Threat.

    Secondly, does the name of the file start with DWH***?

    If yes, you may check the links provided by Chetan above.

    I doubt this is the known issue. The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1.

    Check these articles below:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953

    DWH***.tmp files are detected in the user profile temp directory.

    http://www.symantec.com/docs/TECH92399

    Hope that helps!!
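An added triage helper (example code written for this thread, not Symantec's own or anything the posters provided) that applies the points above: it flags Trojan.Gen detections on dwh*.tmp files under a user profile temp directory as candidates for the TECH92399 issue, checks whether an 11.x client is older than the 11.0.7200.1147 build, and separates detections the client already cleaned, deleted or quarantined from those still needing follow-up. The detection records, hostnames and paths are constructed, and the record layout is an assumption, not a real SEPM export format.

```python
import re
from typing import NamedTuple

# SEP 11 build in which the DWH quarantine-scan issue is fixed (RU7 MP2, version quoted in the thread).
FIXED_SEP11_BUILD = (11, 0, 7200, 1147)

# dwh<hex>.tmp inside a per-user temp directory (Windows XP or Vista+ profile layout).
DWH_TEMP_RE = re.compile(
    r"^[A-Za-z]:\\(?:Documents and Settings|Users)\\[^\\]+\\"
    r"(?:Local Settings\\Temp|AppData\\Local\\Temp)\\dwh[0-9a-f]+\.tmp$",
    re.IGNORECASE,
)
HANDLED_ACTIONS = {"cleaned", "deleted", "quarantined"}  # client already dealt with the file


class Detection(NamedTuple):  # assumed record layout, not a real SEPM log schema
    host: str
    threat: str
    path: str
    action: str


def parse_version(text: str) -> tuple:
    """'11.0.6005' -> (11, 0, 6005, 0); missing components count as zero."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_sep11_below_ru7mp2(version: str) -> bool:
    """True for an 11.x client older than the fixed build; 12.x builds are not compared here."""
    v = parse_version(version)
    return v[0] == 11 and v < FIXED_SEP11_BUILD


def is_known_dwh_artifact(d: Detection) -> bool:
    """Trojan.Gen* on a dwh*.tmp in a profile temp directory matches the TECH92399 pattern."""
    return d.threat.lower().startswith("trojan.gen") and DWH_TEMP_RE.match(d.path) is not None


def needs_followup(d: Detection) -> bool:
    """A detection the client could not clean, delete or quarantine still needs a human."""
    return d.action.strip().lower() not in HANDLED_ACTIONS


def triage(detections):
    """Split records into likely DWH artifacts and detections that must be investigated."""
    artifacts = [d for d in detections if is_known_dwh_artifact(d)]
    return artifacts, [d for d in detections if d not in artifacts]


SAMPLE_DETECTIONS = [  # constructed sample records, not from any real environment
    Detection("WS01", "Trojan.Gen", r"C:\Users\ashok\AppData\Local\Temp\dwh3a7f.tmp", "Quarantined"),
    Detection("WS02", "Trojan.Gen.2", r"C:\Documents and Settings\jdoe\Local Settings\Temp\DWH1C.tmp", "Deleted"),
    Detection("WS03", "Trojan.Gen", r"C:\Users\jdoe\Downloads\invoice.doc.exe", "Left alone"),
    Detection("WS04", "Trojan.Gen", r"C:\Windows\Temp\dwh9.tmp", "Quarantined"),
]
```

WS04 lands in the "investigate" list on purpose: a dwh*.tmp outside a user profile temp directory does not match the documented pattern, so it is not assumed to be the known artifact.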


  • 6.  RE: virus Name - Trojan.Gen

    Posted Oct 22, 2012 10:14 AM

    I agree with the above comments. If your systems are infected with the dwh.tmp related virus, then upgrade the SEPM version to SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2). It will fix the .tmp file issue.



  • 7.  RE: virus Name - Trojan.Gen

    Posted Oct 22, 2012 03:22 PM

    What was the action taken? If cleaned, deleted, or quarantined, then SEP did its job and no further action is needed.



  • 8.  RE: virus Name - Trojan.Gen

    Posted Oct 23, 2012 05:46 PM

    Hi, what is the current status of the virus?

    Removed or still pending?



  • 9.  RE: virus Name - Trojan.Gen

    Posted Oct 24, 2012 07:49 AM

    The virus was removed after scanning in safe mode, but it was a daily activity, so I raised the concern.

    I will update the senior team to upgrade the SEPM with RU7 MP2 for a permanent fix of the issue.

    Thanks all for your valuable comments.