Endpoint Protection


Confusion with Symantec

  • 1.  Confusion with Symantec

    Posted Feb 08, 2011 11:47 AM

     

    Greetings everyone,

    I have a laptop with Windows 7 Ultimate, 64-bit. I have Symantec Endpoint Protection version 11.0.6200.754 installed in self-managed mode. The LiveUpdate software works perfectly fine on this computer. When I run a full scan, apart from tracking cookies nothing is detected.

    I had an old version of Symantec Endpoint Protection, 11.0.6005, installed on my laptop. Then Symantec started detecting a Trojan.Gen infection on my computer, and I asked for help on this forum. I was advised to upgrade to the latest version. I did upgrade to the latest version. For almost two months my laptop worked perfectly fine. For the last two days my system has started showing the same infection.

    I am confused: if this was a product defect, then it should have been fixed with the new version. If this was NOT a product defect, was it really necessary to upgrade to the new version? Is there a chance the virus was hiding somewhere in the registry or in some DLL files? Is there a vulnerability which is being used by this virus? As suggested by Symantec at the following link I followed all the steps, but Symantec is still detecting the infection on my computer. So I am not sure what to believe and what to do.

    http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-022501-5526-99&tabid=3

    On one page Symantec is suggesting following some steps to remove the infection; on the other hand it is suggesting upgrading to the latest version, but even after upgrading the infection is still showing up. Also I have set the first action of all scans to Quarantine and the second action to Delete risk. So why is Symantec not deleting the risk?


     



  • 2.  RE: Confusion with Symantec

    Posted Feb 08, 2011 01:18 PM

    It does look like a False Positive. Do you have any other antivirus, antispyware or security freeware program installed on this machine? That might be the problem.

    However, also empty your Temp folders:

    %temp%

    C:\Windows\Temp

    and delete Temporary Internet Files.



  • 3.  RE: Confusion with Symantec

    Posted Feb 08, 2011 01:51 PM

    This is an issue where SEP has detected files already in quarantine.

    See the following document for guidance:

    http://www.symantec.com/business/support/index?page=content&id=TECH92399

    In Summary:

    Be on version RU6 MP1 or higher.

    Delete the files in quarantine.

    Delete any DWH files.

    Kind Regards



  • 4.  RE: Confusion with Symantec

    Posted Feb 09, 2011 10:20 AM

    Hi Vikram,

    Could you please elaborate on the term "False Positive"? I am not a tech-savvy person.

    Symantec is the only security program I have on this system. Symantec was the FIRST software I installed on my laptop after I installed the OS. As you suggested I went to the %temp% folder; it had 400+ files. I deleted all of them, but 1 folder and 2 more files were still not deleted successfully. I kept on getting the message "cannot delete the files, files may be in use". As long as I was browsing the folder I saw a tmp file kept being generated and Symantec kept deleting it. As soon as I closed the folder, Symantec stopped reporting the file.

    Do you suspect the files are infected? I have no other program open on my laptop, so I am not sure what program is using these files. Even after a reboot I was not able to delete these 3 files.

    Any other steps you suggest I perform? One more input: ever since my laptop started reporting the Trojan.Gen infection, my laptop's performance has dropped noticeably. Is that related?

    Thanks in advance.

     



  • 5.  RE: Confusion with Symantec

    Posted Feb 09, 2011 10:34 AM

    The link you suggested here refers to version 11.0.6100, whereas I have 11.0.6200. Are you suggesting I install 11.0.6100? Also the options given in the document are for a managed client. Mine is self-managed. I searched my computer; there are no DWH files on my system. I also searched for a Quarantine folder. I didn't find any.

    As I mentioned earlier, I have set the scan actions to delete any infection. Symantec is not doing that. Any suggestion? Last year I had a similar issue with my XP laptop; back then I was given a special tool to remove the infection. Do you have any special tool designed to fix this issue?



  • 6.  RE: Confusion with Symantec

    Posted Feb 09, 2011 11:05 AM

    Hi Nisha,

    Judging from your screenshot, this is a known (if rare) issue: it is not an active infection. Empty the quarantine of all files (delete them) and this should no longer occur.

    Thanks and best regards,

    Mick



  • 7.  RE: Confusion with Symantec

    Posted Feb 09, 2011 04:09 PM

    I agree with Mick2009.

    This has been going on for a long time. Most of the time, the first thing most people in these forums will tell you is to update to the latest version. It's just good practice and generally fixes known issues and bugs.

    If you search in these forums for DWH*.tmp you will find that this particular behavior has been occurring for a long time through the different versions of SEPM 11.0.x.



  • 8.  RE: Confusion with Symantec
    Best Answer

    Posted Feb 09, 2011 09:38 PM

    False Positive means legitimate software has been mistakenly classified as a threat. Please refer to the following article to get a better idea of how to deal with a False Positive.

    http://www.symantec.com/docs/TECH98360

    Please boot into Safe Mode and delete the tmp files from the Temp folder. Once you boot into Safe Mode you should be able to delete the files.

    As you said earlier, you are already using version 11.0.6200, so you don't need to downgrade to a lower version. As Vikram said earlier, this seems to be a false positive, so this is not a new infection. Once these infections are removed, it should improve the performance of your laptop.

    _____

    Regards.

    Andy.
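The clean-up described in replies 3 and 8 (find the DWH*.tmp files in the Temp folders, delete them, and retry from Safe Mode for any the system refuses to delete), written out as a PowerShell script. This is an added example, not code from the thread or from Symantec. It assumes the DWH files live under the current user's %TEMP% and C:\Windows\Temp, and that a self-managed SEP 11 client on Windows 7 keeps its quarantine under %ProgramData%\Symantec\Symantec Endpoint Protection\Quarantine; that quarantine path is an assumption, and the script only lists it so the user can empty it from the SEP client, as reply 6 advises.

```powershell
# Added example (not from the thread): locate the DWH*.tmp files that the
# SEP 11 quarantine rescan leaves in the Temp folders, try to delete them,
# and report the ones Windows refuses to delete because they are in use.
# Assumptions (not stated in the thread): the files live under the current
# user's %TEMP% and C:\Windows\Temp, and the self-managed SEP 11 quarantine
# on Windows 7 is under %ProgramData%\Symantec\Symantec Endpoint Protection\Quarantine.

$tempDirs = @(
    $env:TEMP,
    (Join-Path $env:SystemRoot 'Temp')
)
$quarantineDir = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\Quarantine'

# 1. Show what is in quarantine so the user can decide to empty it. The SEP
#    client GUI is the supported way to delete quarantined items; this only lists.
if (Test-Path $quarantineDir) {
    Write-Host "Quarantine folder: $quarantineDir"
    Get-ChildItem -Path $quarantineDir -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
} else {
    Write-Host "No quarantine folder found at $quarantineDir (path assumed)."
}

# 2. Find DWH*.tmp files in the Temp folders.
$dwhFiles = foreach ($dir in $tempDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter 'DWH*.tmp' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}

if (-not $dwhFiles) {
    Write-Host "No DWH*.tmp files found in: $($tempDirs -join ', ')"
    return
}

# 3. Try to delete each one. A file that SEP still holds open fails with
#    'being used by another process', which is the symptom the original
#    poster saw; those are the ones to remove after rebooting into Safe Mode.
$locked = @()
foreach ($f in $dwhFiles) {
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        Write-Host "Deleted  $($f.FullName)"
    } catch {
        $locked += $f.FullName
        Write-Host "In use   $($f.FullName)  ($($_.Exception.Message))"
    }
}

if ($locked.Count -gt 0) {
    Write-Host ""
    Write-Host "$($locked.Count) file(s) could not be deleted. Reboot into Safe Mode"
    Write-Host "(F8 at startup on Windows 7), run this script again, then empty the"
    Write-Host "quarantine from the SEP client so the rescan has nothing to regenerate."
}
```

Run it from an elevated PowerShell prompt, since C:\Windows\Temp is not writable by a standard user; the %TEMP% folder alone can be cleaned without elevation. Deleting the DWH files without also emptying the quarantine only buys time, because the rescan of quarantined items is what creates them.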



  • 9.  RE: Confusion with Symantec

    Posted Feb 10, 2011 02:14 AM

    The recent releases of SEP have been getting better and better at dealing with the conditions which cause these DWH file alerts. It's rare that they happen in SEP 11 RU6 MP2.

    I understand that the next major release of the product, SEP 12.1, should eliminate them entirely. This release, which will include many more changes and improvements, is expected out later in 2011.

    In the meantime, the advice above about deleting the files in the quarantine is sound. Please treat the detection of these DWH files as a known issue rather than an active infection.

    Thanks again and best regards,

    Mick



  • 10.  RE: Confusion with Symantec

    Posted Feb 10, 2011 10:10 AM

    Hello Andy,

    Thanks for the valuable tip. I was able to delete the files by rebooting into Safe Mode. My laptop is better now.

    But I still feel confused, not about the computer issue, but about you.

    Your title says JOBLESSandy, but then next to your name it says Symantec Employee... so the confusion continues...

    Thanks a lot for all the help, guys. I will be waiting for the new version 12.



  • 11.  RE: Confusion with Symantec

    Posted Feb 10, 2011 10:18 AM

    He's a Symantec employee.