Endpoint Protection


virus solution

  • 1.  virus solution

    Posted Sep 27, 2012 05:00 PM

    Hi - Found a lot of virus files in our network. So, any solution?

    Virus - Trojan.Gen.2
     



  • 2.  RE: virus solution

    Posted Sep 27, 2012 05:03 PM

    Below are some forums which can help you

    https://www-secure.symantec.com/connect/forums/trojangen2-0

    https://www-secure.symantec.com/connect/forums/trojangen2

    https://www-secure.symantec.com/connect/forums/unable-fully-remove-trojangen2-sep

     

    Commented by a Technical Engineer in one forum; hope that helps you.

    https://www-secure.symantec.com/connect/forums/unable-fully-remove-trojangen2-sep

    This is a known issue with the older versions of Symantec Endpoint Protection version 11.x

    In case you are carrying an older version of SEP, it would be advised to install the latest version of SEP 11.0.7101 OR migrate to SEP 12.1.1000

    Check this:

    DWH***.tmp files are detected in the user profile temp directory

    http://www.symantec.com/docs/TECH92399

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953

     

    AND 

    Create a policy as suggested below:

    1. Open Symantec Endpoint Protection Manager (SEPM)
    2. Select Policies
    3. Select Antivirus and Antispyware Policy
    4. Select Quarantine
    5. Click on the Cleanup Tab
    6. Under Quarantined Files, check mark "Delete oldest file to limit folder size at ( X ) MB" (instead of X, enter the size of the Quarantine folder normally selected.)
    • If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:

    Disable re-scanning of quarantine files.

    From the SEP-Manager:
    - Edit the Antivirus and Antispyware policy of affected clients.
    - In the policy editor click "Quarantine" on the left-hand menu.
    - On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

     

    Also, to remove the DWxxxxxx.tmp, follow the steps as provided in the Article below:

    https://www-secure.symantec.com/connect/articles/issue-related-low-disk-space

    Hope that helps!!



  • 3.  RE: virus solution



  • 4.  RE: virus solution

    Posted Sep 27, 2012 05:19 PM

    What was the action taken on them? Were they cleaned/deleted?



  • 5.  RE: virus solution

    Posted Sep 27, 2012 05:56 PM

    Hello

    Where were these files found?
    Are they quarantined?
    Generally these files are derived from software.
    What is the security solution currently used?

    hugs



  • 6.  RE: virus solution

    Posted Sep 27, 2012 09:41 PM

    Hi,

    What sep version are you using ?

    Is your system infected? Symantec tools to help clear an infection

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

     



  • 7.  RE: virus solution

    Posted Sep 28, 2012 07:39 AM

    Hi ikr_mak,

    What Symantec product are you using to defend your network, and what components?  (AV and IPS and Firewall, I hope - using traditional AV alone is fighting with one arm tied behind your back.)

    Here are some recommendations which may help:

    Symantec Endpoint Protection – Best Practices:
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Please do keep this forum thread up-to-date with your progress!

     



  • 8.  RE: virus solution

    Trusted Advisor
    Posted Sep 28, 2012 10:22 AM

    Hello,

    Could you please provide more insight on the files found as "Trojan.Gen.2 "?

    Please provide us information like Name of the file, path of the file, Action Taken and probably upload us the risk log (if possible)

    What Version of SEP 11.x are you running?

    I agree with the Suggestion provided by Sumit and Mick.

    Hope that helps!!



  • 9.  RE: virus solution

    Posted Sep 28, 2012 02:13 PM

    I have deleted the files but still find new virus files on the systems.



  • 10.  RE: virus solution

    Posted Sep 28, 2012 02:14 PM

    SEP version is 11.0.7

    A lot of virus files found on different systems; the files have been quarantined, but a permanent fix is required



  • 11.  RE: virus solution

    Posted Oct 01, 2012 04:42 AM

    Ensure that every system in your network is defended by a functioning, up-to-date SEP client.  If you have even one undefended computer and it is infected, it can continuously attempt to infect all of the machines on the network. The SEPM has reports that show which clients are up-to-date, which have AV that is working, etc.

    Use risk tracer to identify where the infections are coming from:

    What is Risk Tracer?
    Article:TECH102539   |  Created: 2007-01-27   |  Updated: 2011-04-26   | 
    Article URL http://www.symantec.com/docs/TECH102539 
     

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
    Article:TECH94526   |  Created: 2009-01-11   |  Updated: 2010-01-20   | 
    Article URL http://www.symantec.com/docs/TECH94526 
     

    Also, ensure that autorun is disabled, network shares are password protected, and that a strong password policy is enforced throughout the organization.   

    Hope this helps!



  • 12.  RE: virus solution

    Posted Oct 01, 2012 09:37 PM

    Hello,

    Check the Security Featured Thread

    Generic Trojan - DWH*.tmp in Temp folder

    https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

     

    If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

    Stop the Symantec service

    • Symantec Endpoint Protection

      • Click Start, then Run
      • Type: smc -stop
      • Click OK

     

     

    Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

     

    Open the Command Prompt

    Deleting files from User Temp folder

      • Click Start, then Run
      • Type: cmd
      • Click OK

       

      1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:
        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
        • Windows Vista/7/2008
          DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
      2. Deleting the contents of the temp folder at the root of C:\
        • Type the following command in Command Prompt:

          DEL /F /Q C:\temp

      3. Deleting the contents of the Windows Temp folder
        • Type the following command in Command Prompt:

          DEL /F /Q C:\WINDOWS\Temp

      4. Deleting the contents of the xfer and/or xfer_temp directories
        • Type the following command in Command Prompt:
            • Windows 2000/XP/2003
              DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

              DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

            • Windows Vista/7/2008
              DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

              DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

     

    The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

     

    Delete the Quarantine Folder

    Type the following commands in the Command Prompt:

    • Windows 2000/XP/2003
      DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

      RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

    • Windows Vista/7/2008
      DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

      RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Recreate the Quarantine Folder

    Type the following command in Command Prompt:

      • Windows 2000/XP/2003
        MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
      • Windows Vista/7/2008
        MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Start the Symantec service

    • Click Start, then Run
    • Type: smc -start
    • Click OK

    • If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:

    • Disable re-scanning of quarantine files.

    From the SEP-Manager:
    - Edit the Antivirus and Antispyware policy of affected clients.
    - In the policy editor click "Quarantine" on the left-hand menu.
    - On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

     

    http://www.symantec.com/business/support/index?page=content&id=TECH122466

    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0
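
    As an added example (not code from the thread or from Symantec), the following PowerShell script does the inventory step the post above skips, and then, only with -Clean, the same stop / delete / start sequence, limited to the DWH*.tmp files the thread discusses rather than the whole Temp folders. It assumes the Vista/7/2008 path layout from the post, PowerShell 3.0 or later, and that smc.exe sits under Program Files in the default SEP install folder (an assumption, not stated in the thread).

    ```powershell
    # Added example, not from the thread: inventory (and, with -Clean, remove) DWH*.tmp files
    # in the Vista/7/2008 locations the post above lists. Run from an elevated PowerShell prompt.
    param([switch]$Clean)

    $sepData = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection'
    # Assumed default client install path; adjust if SEP was installed elsewhere.
    $smc = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection\smc.exe'

    # Folders named in the post; per-user Temp folders are discovered under C:\Users.
    $targets = @(
        (Join-Path $env:SystemRoot 'Temp'),
        'C:\temp',
        (Join-Path $sepData 'xfer'),
        (Join-Path $sepData 'xfer_tmp')
    )
    $targets += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }

    function Get-DwhFiles([string]$Dir) {
        if (Test-Path -LiteralPath $Dir) {
            Get-ChildItem -LiteralPath $Dir -Filter 'DWH*.tmp' -File -Force -ErrorAction SilentlyContinue
        }
    }

    # Report first, so the scale of the problem (count and disk usage per folder) is visible
    # before anything is deleted.
    $report = foreach ($dir in $targets) {
        $files = @(Get-DwhFiles $dir)
        [pscustomobject]@{
            Path   = $dir
            Count  = $files.Count
            SizeMB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1MB), 2)
        }
    }
    $report | Where-Object Count -gt 0 | Sort-Object Count -Descending | Format-Table -AutoSize

    if ($Clean) {
        # Stop the client first, as the post does, so Auto-Protect does not re-detect files mid-delete.
        & $smc -stop
        Start-Sleep -Seconds 15
        foreach ($dir in $targets) {
            # Only the DWH*.tmp files are removed; the folders themselves are left in place.
            Get-DwhFiles $dir | Remove-Item -Force -ErrorAction SilentlyContinue
        }
        & $smc -start
    }
    ```

    Run it without -Clean first; a folder with thousands of DWH files is the sign that the client is still on a build with the re-scan issue, and the upgrade and the "Do nothing" quarantine setting above are what stop the files from coming back.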



  • 13.  RE: virus solution

    Posted Oct 02, 2012 10:58 AM

    Hello

    Trojan files found in user profiles, which have been scanned and quarantined, but in a big quantity

    File name- *.tmp

    Action Taken -  Scanned and cleared

    Path - C:\users profile

    One snapshot attached for reference

     

     

    SEP Ver - 11.0.7



  • 14.  RE: virus solution

    Posted Oct 02, 2012 11:01 AM

    Hello

    I will try your attached steps and will confirm.



  • 15.  RE: virus solution
    Best Answer

    Posted Oct 02, 2012 12:01 PM

     

    If you are using 11.0.7 (RU7 MP1),

    then read the below comment:
    The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1. Please see Migrating to Symantec Endpoint Protection 11.0.7200 (RU7 MP2) or Upgrading or migrating to Symantec Endpoint Protection 12.1.1101 (RU1 MP1) for details on how to apply this update.



  • 16.  RE: virus solution

    Posted Oct 05, 2012 07:32 AM

    As per the attached suggestion, we are going to upgrade to Endpoint Protection 11.0.7200 (RU7 MP2).