
virus solution

Created: 27 Sep 2012 • Updated: 05 Oct 2012 | 15 comments
This issue has been solved. See solution.

Hi - Found a lot of virus files in our network. Any solution?

Virus - Trojan.Gen.2

Sumit G:

Below are some forums which can help you:

https://www-secure.symantec.com/connect/forums/trojangen2-0

https://www-secure.symantec.com/connect/forums/trojangen2

https://www-secure.symantec.com/connect/forums/unable-fully-remove-trojangen2-sep

Commented by a Technical Engineer in one forum; hope that helps you.

https://www-secure.symantec.com/connect/forums/unable-fully-remove-trojangen2-sep

This is a known issue with the older versions of Symantec Endpoint Protection version 11.x

In case you are carrying an older version of SEP, it would be advised to install the latest version of SEP 11.0.7101 OR migrate to SEP 12.1.1000.

Check this:

DWH***.tmp files are detected in the user profile temp directory

http://www.symantec.com/docs/TECH92399

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

AND create a policy as suggested below:

  1. Open Symantec Endpoint Protection Manager (SEPM)
  2. Select Policies
  3. Select Antivirus and Antispyware Policy
  4. Select Quarantine
  5. Click on the Cleanup Tab
  6. Under Quarantined Files, check "Delete oldest file to limit folder size at ( X ) MB" (in place of X, enter the size normally selected for the Quarantine folder.)
  • If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:

Disable re-scanning of quarantine files.

From the SEP-Manager:
- Edit the Antivirus and Antispyware policy of affected clients.
- In the policy editor click "Quarantine" on the left-hand menu.
- On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

Also, to remove the DWxxxxxx.tmp, follow the steps as provided in the Article below:

https://www-secure.symantec.com/connect/articles/issue-related-low-disk-space

Hope that helps!!

Regards

Sumit G.
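Before changing the Quarantine policy or deleting anything, it is worth confirming that the detections really do fit the DWH*.tmp pattern described in TECH92399 and TECH102953 (temporary files created while a large quarantine is re-scanned after a definition update) rather than a live Trojan.Gen.2 infection. The following read-only inventory is an added example written for this thread; it is not Symantec's code and not from any post above. It assumes only the folder paths quoted in this thread, and is written for PowerShell 2.0 (the version that ships with Windows 7), so it avoids PS 3.0-only syntax.

```powershell
# Added example (not from the original thread or from Symantec): read-only inventory
# of DWH*.tmp files in the temp folders where Auto-Protect flags them, plus the size
# of the SEP client Quarantine folder. Many DWH*.tmp hits that cluster right after a
# definition update, together with a large Quarantine, is the re-scan artifact this
# thread is about; DWH*.tmp files elsewhere, or other names, deserve a real look.
function Get-DwhTmpReport {
    param(
        # Temp roots for both profile layouts; paths are the ones quoted in the thread.
        [string[]]$TempRoots = @(
            "$env:SystemDrive\Users\*\AppData\Local\Temp",
            "$env:SystemDrive\Documents and Settings\*\Local Settings\Temp",
            "$env:SystemRoot\Temp",
            "$env:SystemDrive\temp"
        ),
        # SEP 11 client Quarantine for Vista/7/2008 and for 2000/XP/2003.
        [string[]]$QuarantinePaths = @(
            "$env:SystemDrive\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine",
            "$env:SystemDrive\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
        )
    )

    # One row per temp folder that actually holds DWH*.tmp files.
    foreach ($root in $TempRoots) {
        # Resolve-Path expands the per-user wildcard; roots missing on this OS are skipped.
        $dirs = Resolve-Path -Path $root -ErrorAction SilentlyContinue
        foreach ($dir in $dirs) {
            $files = @(Get-ChildItem -Path $dir.Path -Filter 'DWH*.tmp' -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            if ($files.Count -gt 0) {
                $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
                $newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
                New-Object PSObject -Property @{
                    Kind   = 'TempFolder'
                    Path   = $dir.Path
                    Items  = $files.Count
                    SizeMB = [math]::Round($bytes / 1MB, 1)
                    Newest = $newest
                }
            }
        }
    }

    # One row per Quarantine folder present. Every quarantined item is re-scanned when
    # new definitions arrive, so this count is what drives the DWH*.tmp churn.
    foreach ($q in $QuarantinePaths) {
        if (Test-Path -LiteralPath $q) {
            $items = @(Get-ChildItem -LiteralPath $q -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            $bytes = 0
            if ($items.Count -gt 0) { $bytes = ($items | Measure-Object -Property Length -Sum).Sum }
            New-Object PSObject -Property @{
                Kind   = 'Quarantine'
                Path   = $q
                Items  = $items.Count
                SizeMB = [math]::Round($bytes / 1MB, 1)
                Newest = $null
            }
        }
    }
}

# Usage: run in an elevated PowerShell on an affected client.
Get-DwhTmpReport | Sort-Object Kind, Path | Format-Table Kind, Items, SizeMB, Newest, Path -AutoSize
```

If the Quarantine row is large and the Newest timestamps on the temp rows line up with the last definition download, the "Delete oldest file to limit folder size" and "When new Virus Definitions Arrive: Do nothing" settings above address the cause; if the temp rows are empty and the Trojan.Gen.2 hits are on other file names or paths, treat it as a real infection and follow the Risk Tracer advice later in this thread.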

.Brian:

What was the action taken on them? Were they cleaned/deleted?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ikr_mak:

I have deleted the files but still found new virus files on the systems.

Fabiano.Pessoa:

Hello

Where were these files found?
Are they quarantined?
Generally these files are derived from software.
What security solution are you currently using?

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

Ashish-Sharma:

Hi,

What SEP version are you using?

Is your system infected? Symantec tools to help clear an infection

https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

Thanks In Advance

Ashish Sharma

ikr_mak:

SEP version is 11.0.7

A lot of virus files were found on different systems; the files have been quarantined, but a permanent fix is required.

Mick2009:

Ensure that every system in your network is defended by a functioning, up-to-date SEP client. If you have even one undefended computer and it is infected, it can continuously attempt to infect all of the machines on the network. The SEPM has reports that show which clients are up-to-date, which have AV that is working, etc.

Use risk tracer to identify where the infections are coming from:

What is Risk Tracer?
Article:TECH102539   |  Created: 2007-01-27   |  Updated: 2011-04-26   | 
Article URL http://www.symantec.com/docs/TECH102539 

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
Article:TECH94526   |  Created: 2009-01-11   |  Updated: 2010-01-20   | 
Article URL http://www.symantec.com/docs/TECH94526 

Also, ensure that autorun is disabled, network shares are password protected, and that a strong password policy is enforced throughout the organization.

Hope this helps!

With thanks and best regards,

Mick

Mick2009:

Hi ikr_mak,

What Symantec product are you using to defend your network, and what components? (AV and IPS and Firewall, I hope; using traditional AV alone is fighting with one arm tied behind your back.)

Here are some recommendations which may help:

Symantec Endpoint Protection – Best Practices:
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

Please do keep this forum thread up-to-date with your progress!

With thanks and best regards,

Mick

Mithun Sanghavi:

Hello,

Could you please provide more insight on the files found as "Trojan.Gen.2"?

Please provide us with information like the name of the file, the path of the file, the action taken, and, if possible, upload the risk log.

What Version of SEP 11.x are you running?

I agree with the Suggestion provided by Sumit and Mick.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

ikr_mak:

Hello

Trojan files were found in user profiles, which have been scanned and quarantined, but in a big quantity.

File name- *.tmp

Action Taken - Scanned and cleared

Path - C:\users profile

One snapshot attached for reference.

SEP Ver - 11.0.7

rs_cert:

If you are using 11.0.7 (RU7 MP1), then read the comment below:

The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1. Please see Migrating to Symantec Endpoint Protection 11.0.7200 (RU7 MP2) or Upgrading or migrating to Symantec Endpoint Protection 12.1.1101 (RU1 MP1) for details on how to apply this update.

SOLUTION
ikr_mak:

As per the attached suggestion, we are going to upgrade the version to Endpoint Protection 11.0.7200 (RU7 MP2).

Nagesh Singh:

Hello,

Please check the Security Featured thread:

Generic Trojan - DWH*.tmp in Temp folder

https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

Stop the Symantec service

  • Symantec Endpoint Protection

    • Click Start, then Run
    • Type: smc -stop
    • Click OK

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

Open the Command Prompt

Deleting files from User Temp folder

    • Click Start, then Run
    • Type: cmd
    • Click OK

    1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:
      • Windows 2000/XP/2003
        DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
      • Windows Vista/7/2008
        DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
    2. Deleting the contents of the temp folder at the root of C:\
      • Type the following command in Command Prompt:

        DEL /F /Q C:\temp

    3. Deleting the contents of the Windows Temp folder
      • Type the following command in Command Prompt:

        DEL /F /Q C:\WINDOWS\Temp

    4. Deleting the contents of the xfer and/or xfer_temp directories
      • Type the following command in Command Prompt:
          • Windows 2000/XP/2003
            DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

            DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

          • Windows Vista/7/2008
            DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

            DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine Folder

NOTE: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

Delete the Quarantine Folder

Type the following commands in the Command Prompt:

  • Windows 2000/XP/2003
    DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

  • Windows Vista/7/2008
    DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Recreate the Quarantine Folder

Type the following command in Command Prompt:

    • Windows 2000/XP/2003
      MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    • Windows Vista/7/2008
      MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Start the Symantec service

  • Click Start, then Run
  • Type: smc -start
  • Click OK

  • If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:
  • Disable re-scanning of quarantine files.

From the SEP-Manager:
- Edit the Antivirus and Antispyware policy of affected clients.
- In the policy editor click "Quarantine" on the left-hand menu.
- On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

http://www.symantec.com/business/support/index?pag...

http://www.symantec.com/business/theme.jsp?themeid...

Thanks & Regards,

Nagesh Singh
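The cleanup procedure in the post above is a dozen manual cmd steps per machine, which is error-prone when the problem is spread across many clients. The script below is an added example for this thread, not Symantec's code and not from any post here: it performs the same steps in one idempotent PowerShell 2.0 function, stopping the client first, emptying the temp and xfer folders (top-level files only, exactly like `DEL /F /Q <dir>` without `/S`, leaving the directories in place), removing and recreating the Quarantine folder, and restarting the client in a `finally` block so protection comes back even if a deletion fails. It generalizes the per-user step to every profile on the machine. Two assumptions, also flagged in comments: smc.exe is looked for in the default SEP install directory (falling back to PATH), and the exit of the smc process is used as the signal that the client has stopped.

```powershell
# Added example (not from the original thread or from Symantec): Nagesh Singh's
# DWH*.tmp cleanup as one script. Run elevated. Use -WhatIf first to see what
# would be deleted; nothing is touched until smc has actually stopped.
function Clear-SepDwhResidue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$StopTimeoutSeconds = 60
    )

    # %ProgramData% only exists on Vista/7/2008; its absence means the 2000/XP/2003 layout.
    if ($env:ProgramData) {
        $sepData   = "$env:ProgramData\Symantec\Symantec Endpoint Protection"
        $userTemps = "$env:SystemDrive\Users\*\AppData\Local\Temp"
    } else {
        $sepData   = "$env:SystemDrive\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection"
        $userTemps = "$env:SystemDrive\Documents and Settings\*\Local Settings\Temp"
    }
    $quarantine = Join-Path $sepData 'Quarantine'

    # Folders whose *contents* are deleted; the directories themselves stay.
    $emptyThese = @($userTemps, "$env:SystemDrive\temp", "$env:SystemRoot\Temp",
                    (Join-Path $sepData 'xfer_tmp'), (Join-Path $sepData 'xfer'))

    # Assumption: smc.exe is in the default SEP install directory; otherwise rely on PATH.
    $smc = @("$env:ProgramFiles\Symantec\Symantec Endpoint Protection\smc.exe",
             "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe") |
           Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -First 1
    if (-not $smc) { $smc = 'smc' }

    if ($PSCmdlet.ShouldProcess('Symantec Endpoint Protection client', 'smc -stop')) {
        & $smc -stop
        # Assumption: the smc.exe process exiting is a good-enough signal that the client is down.
        $deadline = (Get-Date).AddSeconds($StopTimeoutSeconds)
        while ((Get-Process -Name smc -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
            Start-Sleep -Seconds 2
        }
        if (Get-Process -Name smc -ErrorAction SilentlyContinue) {
            throw "smc did not stop within $StopTimeoutSeconds s (a client password may be required); no files were touched."
        }
    }

    try {
        foreach ($pattern in $emptyThese) {
            foreach ($dir in (Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)) {
                # Top-level files only, matching DEL /F /Q <dir> (no /S). Locked files are reported, not fatal.
                Get-ChildItem -LiteralPath $dir.Path -Force -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer } |
                    ForEach-Object {
                        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete file')) {
                            Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Continue
                        }
                    }
            }
        }

        # Quarantine: the DEL /F /S /Q + RD /S /Q step, then MD.
        if ((Test-Path -LiteralPath $quarantine) -and $PSCmdlet.ShouldProcess($quarantine, 'Remove folder and all contents')) {
            Remove-Item -LiteralPath $quarantine -Recurse -Force
        }
        if ($PSCmdlet.ShouldProcess($quarantine, 'Recreate empty folder')) {
            New-Item -Path $quarantine -ItemType Directory -Force | Out-Null
        }
    }
    finally {
        # Always bring protection back, even if a deletion threw.
        if ($PSCmdlet.ShouldProcess('Symantec Endpoint Protection client', 'smc -start')) {
            & $smc -start
        }
    }
}

# Dry run first, then the real thing:
#   Clear-SepDwhResidue -WhatIf
#   Clear-SepDwhResidue
```

One caveat the cmd steps do not spell out: removing the Quarantine folder destroys every quarantined item on that client, including anything that was a genuine Trojan.Gen.2 detection rather than a DWH*.tmp artifact. If any of those samples are still needed for investigation or for submission to Symantec, export them from the client or the SEPM before running the script.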

ikr_mak:

Hello

I will try your attached steps and will confirm.