Endpoint Protection

  • 1.  Virus on Risk Log not found during system scan

    Posted May 28, 2011 12:42 PM

    Hello,

     I'm running an HP laptop, model HP G62 Notebook PC, 64-bit operating system, with Windows 7 Home Premium Service Pack 1. I have Symantec Endpoint Protection version 11.0.6100.645. I found "Trojan.Gen.2" in my risk log. I've also downloaded and run the Norton Power Eraser. The result of the Norton Power Eraser was "no threats found". This is what I get in my risk log:

     

    Filename: DWHC200.tmp
    Risk: Trojan.Gen.2
    Action: Log only
    Risk Type: File
    Original Location: C:\Users\Dean\AppData\Local\Temp\
    Computer: DRUNKEN_MNKY
    User: SYSTEM
    Status: Log only
    Current Location: C:\Users\Dean\AppData\Local\Temp\
    Primary Action: Clean security risk
    Secondary Action: Quarantine
    Logged By: Auto-Protect scan
    Action Description: The file was left unchanged.
    Date and Time: 5/19/2011 0:19

    Filename: Cookie:dean@statcounter.com/
    Risk: Tracking Cookies
    Action: Deleted
    Risk Type: Trackware
    Original Location: Cookie:dean@statcounter.com/
    Computer: DRUNKEN_MNKY
    User: Dean
    Status: Deleted
    Current Location: Deleted
    Primary Action: Quarantine
    Secondary Action: Leave alone (log only)
    Logged By: Manual scan
    Action Description: The file was deleted successfully.
    Date and Time: 5/24/2011 19:37

    Filename: Cookie:dean@atdmt.com/
    Risk: Tracking Cookies
    Action: Deleted
    Risk Type: Trackware
    Original Location: Cookie:dean@atdmt.com/
    Computer: DRUNKEN_MNKY
    User: Dean
    Status: Deleted
    Current Location: Deleted
    Primary Action: Quarantine
    Secondary Action: Leave alone (log only)
    Logged By: Manual scan
    Action Description: The file was deleted successfully.
    Date and Time: 5/28/2011 17:24

    In my system scan Trojan.Gen.2 is not detected. A search for the file reveals that the file cannot be found.

    My status states the system is protected, no problems detected.

    When I click on Trojan.Gen.2 it says:

    browser cache: internet browser temporary file deleted

    infected file: C:\Users\UserName\AppData\Local\Temp\DWHC200.tmp

    action taken: Leave alone (log only)

    remediation: unsuccessful.

     

    Can anybody help me with this?



  • 2.  RE: Virus on Risk Log not found during system scan

    Posted May 28, 2011 01:01 PM

    There are several methods to work around the issue:

     

    • The quarantine scan on virus definition update can be disabled: edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
    • Items in quarantine can be deleted.
    • If the indexing service is enabled, it could be triggering the issue when the DWH***.tmp files are indexed.
    • Other software that is scanning the temp files for changes, such as third-party


  • 3.  RE: Virus on Risk Log not found during system scan

    Posted May 28, 2011 04:08 PM

    Thank you for the reply VKalani. That particular file is not in my quarantine. But I do have 7 other files in my quarantine. If I delete files in the quarantine, are they only deleted from quarantine or are they deleted from the computer completely?



  • 4.  RE: Virus on Risk Log not found during system scan

    Posted May 28, 2011 04:26 PM

    The files in quarantine are not present anywhere else on the computer, so if you delete them from quarantine, the files are no longer present anywhere on your system.



  • 5.  RE: Virus on Risk Log not found during system scan

    Posted May 29, 2011 09:32 AM

    Hi,

    As you can read in the details, the detected file is just a .tmp, i.e. a harmless piece of malware (it cannot be executed as it is).

    It is in the temp folder; maybe the file was locked, hence it was not possible to delete it directly, but the browser cache was flushed and the file should not be there anymore.

    Anyway, if you want to know more, search for Trojan.Gen.2 on our website and you will get the write-up.

    Regards,



  • 6.  RE: Virus on Risk Log not found during system scan

    Trusted Advisor
    Posted May 30, 2011 10:16 AM

    Hello,

     

    Upgrade to the latest SEP release, RU6 MP3.

     

    This is fixed per the release notes for RU6 MP2:

    DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan
    Fix ID: 1925607
    Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.
    Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.
     
    Release notes for Endpoint Protection and Network Access Control 11
     
     
    OR 
     
     
    Follow the steps below to delete the files manually.
     

    Stop the Symantec service

    • Symantec Endpoint Protection

      • Click Start, then Run
      • Type: smc -stop
      • Click OK

    Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

     

    Open the Command Prompt

    Deleting files from User Temp folder

    • Click Start, then Run
    • Type: cmd
    • Click OK

    1. Type the following command in Command Prompt. (The path will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the Windows user whose temp folder you wish to empty:

        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

        • Windows Vista/7/2008
          DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

    2. Deleting the contents of the temp folder at the root of C:\

    • Type the following command in Command Prompt:

      DEL /F /Q C:\temp

    3. Deleting the contents of the Windows Temp folder

    • Type the following command in Command Prompt:

      DEL /F /Q C:\WINDOWS\Temp

    4. Deleting the contents of the xfer and/or xfer_temp directories

    • Type the following command in Command Prompt:
        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

        • Windows Vista/7/2008
          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

     

    The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large number of files that can reside there.

     

      Delete the Quarantine Folder

      Type the following commands in the Command Prompt:

        • Windows 2000/XP/2003
          DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

          RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

        • Windows Vista/7/2008
          DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

          RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

        Recreate the Quarantine Folder

        Type the following command in Command Prompt:

        • Windows 2000/XP/2003
          MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
        • Windows Vista/7/2008
          MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

        Start the Symantec service

        • Click Start, then Run
        • Type: smc -start
        • Click OK

         

         

        If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:

         

        Disable re-scanning of quarantine files.

        From the SEP-Manager:
        - Edit the Antivirus and Antispyware policy of affected clients.
        - In the policy editor click "Quarantine" on the left-hand menu.
        - On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"
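
As an added example, not from this thread and not Symantec's own tooling, the following PowerShell script performs the manual cleanup that post 6 lays out for the Windows Vista/7/2008 paths (smc -stop, empty the temp and xfer folders, remove and recreate Quarantine, smc -start), with one addition a practitioner would want: before anything is deleted it records the path, size, timestamp and SHA-256 of every DWH*.tmp file and every quarantine item, because post 4 is right that the quarantine copy is the only copy, and wiping the folder otherwise leaves nothing to tie the risk-log entry (here DWHC200.tmp) to. Assumptions: an elevated PowerShell 4.0 or later session (Get-FileHash is not in the PowerShell 2.0 that Windows 7 ships with), the SEP 11 client installed under its default Program Files (x86) folder or smc.exe reachable on PATH, and that the current user's temp folder is the one to empty (pass -UserTemp for a different <NAMEOFUSER>). The parameter names and the inventory CSV location are this example's own choices.

```powershell
<#
Added example, not from the thread or from Symantec: automates the manual
cleanup in post 6 (Vista/7/2008 paths) but inventories what it deletes first.
Assumes an elevated PowerShell 4.0+ session (Get-FileHash) and the SEP 11
client with smc.exe under the default 32-bit Program Files path or on PATH.
Parameter names, CSV location and folder list are the example's own choices.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SepData   = 'C:\ProgramData\Symantec\Symantec Endpoint Protection',
    [string]$UserTemp  = "$env:LOCALAPPDATA\Temp",   # <NAMEOFUSER>'s temp folder
    [string]$Inventory = "$env:USERPROFILE\Desktop\sep-cleanup-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

$temps      = @($UserTemp, 'C:\temp', "$env:SystemRoot\Temp",
                (Join-Path $SepData 'xfer_tmp'), (Join-Path $SepData 'xfer'))
$quarantine = Join-Path $SepData 'Quarantine'

# Locate smc.exe (32-bit client on 64-bit Windows 7 lives under Program Files (x86)).
$pf = ${env:ProgramFiles(x86)}
if (-not $pf) { $pf = $env:ProgramFiles }
$smc = Join-Path $pf 'Symantec\Symantec Endpoint Protection\smc.exe'
if (-not (Test-Path -LiteralPath $smc)) { $smc = 'smc' }   # fall back to PATH lookup

# 1. Inventory before deletion. DWH*.tmp files are quarantine items SEP extracted
#    for rescanning (the release-note fix quoted in post 6); once the temp and
#    Quarantine folders are wiped, this CSV is the only record of what was there.
$records = foreach ($dir in ($temps + $quarantine)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $isQuarantine = ($dir -eq $quarantine)
    Get-ChildItem -LiteralPath $dir -File -Force -Recurse:$isQuarantine -ErrorAction SilentlyContinue |
        Where-Object { $isQuarantine -or $_.Name -like 'DWH*.tmp' } |
        ForEach-Object {
            # A file still locked by the client hashes as empty rather than aborting the run.
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path         = $_.FullName
                Bytes        = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                SHA256       = if ($hash) { $hash.Hash } else { '' }
            }
        }
}
if (@($records).Count -gt 0) {
    $records | Export-Csv -LiteralPath $Inventory -NoTypeInformation
    Write-Host ("Recorded {0} file(s) to {1}" -f @($records).Count, $Inventory)
} else {
    Write-Host 'No DWH*.tmp or quarantine files found; nothing to record.'
}

# 2. Stop the client (Start > Run > "smc -stop" in post 6). smc returns at once,
#    so give the service a moment to release its file locks.
if ($PSCmdlet.ShouldProcess('SEP client', 'smc -stop')) {
    & $smc -stop
    Start-Sleep -Seconds 10
}

# 3. Empty the temp folders (files only; the folders themselves stay, as the
#    note in post 6 insists), then remove and recreate the Quarantine folder.
foreach ($dir in $temps) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Remove-Item -Force -ErrorAction Continue
    }
}
if (Test-Path -LiteralPath $quarantine) {
    Remove-Item -LiteralPath $quarantine -Recurse -Force
}
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

# 4. Start the client again (Start > Run > "smc -start").
if ($PSCmdlet.ShouldProcess('SEP client', 'smc -start')) {
    & $smc -start
}
```

Run it once with -WhatIf to see which files would go and whether smc.exe was found before running it for real. Two caveats that follow from the thread itself: if the client is policy-protected, smc -stop asks for the client password and the script waits on that prompt; and the seven other quarantined files from post 3 are deleted along with the DWH*.tmp extracts, so keep the inventory CSV if you later need to answer what was in quarantine.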