
Virus Name - Trojan.Gen

Created: 21 Oct 2012 • Updated: 25 Oct 2012 | 8 comments
This issue has been solved. See solution.

Virus detected in system reported to server in Risk

Virus Name - Trojan.Gen

Version - 11.0.6005

Regards

Ashok


rs_cert
Trojan.Gen.2 is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

Trojan horse programs pose as legitimate programs or files that users may recognize and want to use. They rely on this trick to lure a user into inadvertently running the Trojan. Often a Trojan will mimic a well known legitimate file name or pose as a particular type of file, like a .jpg or .doc file to trick a user.

Distribution of Trojans on to compromised computers occurs in a variety of ways, from email attachments and links to instant messages, drive-by downloads and being dropped by other malicious software. Once installed on the compromised computer, the Trojan begins to perform the predetermined actions that it was designed for.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-082216-3542-99&tabid=3

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Sumit G

Have you seen these files with the name dwh*.tmp?

If the files have this name, then read the link below.

This issue is fixed in RU7MP2.

http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US

This build's version is: 11.0.7200.1147.

Release notes for Endpoint Protection and Network Access Control 11

Regards

Sumit G.

SOLUTION
Chetan Savade

Hi,

DWH***.tmp files are detected in the user profile temp directory

http://www.symantec.com/docs/TECH92399

These detections do not indicate a new outbreak of a threat. The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.

There are also several known methods to work around the issue:

  • The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
  • Items in quarantine can be deleted.
  • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
  • Investigate other applications that are scanning the temp file for changes.

Best practice to troubleshoot virus on the network

http://www.symantec.com/docs/TECH122466

If that does not help,

Use the Symantec Endpoint Protection Support Tool with Power Eraser (eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect) following the article:
Support Tool with Power Eraser Tool included

http://www.symantec.com/business/support/index?pag...

Check the loadpoints on your machine:
How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files
http://www.symantec.com/business/support/index?pag...

If you manage to identify infected files and they are not detected by SEP, please submit the files using this link:
http://www.symantec.com/business/security_response...

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
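As an added triage script (written for this thread, not code from Symantec or from any poster), the following PowerShell checks a SEP 11 client for the DWH*.tmp artifacts Chetan describes and compares the installed build against the version Sumit G. cites as carrying the fix, 11.0.7200.1147. It assumes the temp directory is `$env:TEMP` and that the operator supplies the installed version string (for example from the SEP client's Help > About dialog); the default of 11.0.6005 is the version from the original post. A run that finds files whose timestamps cluster once a day, on a build older than the fixed one, matches the known quarantine-scan behaviour rather than a new infection.

```powershell
# Added example: DWH*.tmp triage for SEP 11 hosts (not Symantec's own tooling).
# Assumptions: temp directory is $env:TEMP; the installed SEP version is passed
# in by the operator; 11.0.7200.1147 is the fixed build named in the thread.
param(
    [string]$InstalledVersion = '11.0.6005',   # version from the original post
    [string]$TempDir = $env:TEMP
)

$FixedBuild = [version]'11.0.7200.1147'

function Get-DwhTempFiles {
    param([string]$Path)
    # DWH*.tmp files are written by the quarantine rescan that follows a
    # definition update; they are not dropped by the detected threat itself.
    Get-ChildItem -Path $Path -Filter 'dwh*.tmp' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime
}

function Test-SepBuildHasFix {
    param([string]$Version)
    # Pad to four components so [version] parses '11.0.6005' as well as
    # '11.0.7200.1147'; returns $true when the build is at or past the fix.
    $parts = $Version.Split('.')
    while ($parts.Length -lt 4) { $parts += '0' }
    return ([version]($parts -join '.')) -ge $FixedBuild
}

$files = @(Get-DwhTempFiles -Path $TempDir)
$hasFix = Test-SepBuildHasFix -Version $InstalledVersion

"Temp directory      : $TempDir"
"Installed SEP build : $InstalledVersion (fix present: $hasFix)"
"DWH*.tmp files      : $($files.Count)"

if ($files.Count -gt 0) {
    # Daily clusters of LastWriteTime are the signature of the definition-update
    # quarantine scan; group by date so the pattern is visible at a glance.
    $files |
        Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd') } |
        ForEach-Object {
            $bytes = ($_.Group | Measure-Object Length -Sum).Sum
            "  {0}: {1} file(s), {2:N0} bytes" -f $_.Name, $_.Count, $bytes
        }
}

if ($files.Count -gt 0 -and -not $hasFix) {
    "Verdict: matches the known DWH*.tmp quarantine-scan issue (TECH92399)."
    "Action : upgrade to RU7 MP2 (build 11.0.7200.1147) or, in SEPM, set"
    "         Quarantine > 'When New Virus Definitions Arrive' to 'Do nothing'."
} elseif ($files.Count -gt 0) {
    "Verdict: DWH*.tmp files present on a fixed build; review quarantine contents"
    "         and any indexing or backup agents scanning $TempDir."
} else {
    "Verdict: no DWH*.tmp artifacts found; the detection is not this known issue."
}
```

Run it as `.\Check-DwhTemp.ps1 -InstalledVersion '11.0.6005'` on the affected client; the grouped-by-date listing is the part worth attaching to a support case, since it shows whether the files appear once per definition update (the behaviour Chetan describes) or continuously.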

Mithun Sanghavi

Hello Ashoka,

You have provided very limited details.

Could you please provide us the file name and the path where the file is located? If possible, please provide us a screenshot.

Trojan.Gen is a generic detection for many individual but varied Trojans for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

Understanding the file location and file name may give us some idea to assist you with the Threat.

Secondly, does the name of the file start with DWH***?

If yes, you may check the links provided by Chetan above.

I doubt this is the known issue. The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1.

Check these Articles below:

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

DWH***.tmp files are detected in the user profile temp directory.

http://www.symantec.com/docs/TECH92399

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

honey_jack

I agree with the above comments. If your systems are infected with the dwh.tmp related virus, then upgrade the SEPM version to SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2). It will fix the .tmp file issue.

Thanks & Regards

Honey Jack

If your issue has been solved, please use the "Mark as Solution" for the valid thread.

.Brian

What was the action taken? If cleaned, deleted, or quarantined, then SEP did its job and no further action is needed.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

rs_cert

Hi, what is the current status of the virus?

Removed or still pending?

akgs

The virus was removed after scanning in safe mode, but it was a daily activity, so I raised the concern.

I will update the senior team to upgrade the SEPM with RU7MP2 for a permanent fix of the issue.

Thanks all for your valuable comments.