Hi,
According to the fix notes of latest SEP version i.e. SEP 12.1 RU2, issue is resolved with this release.
Repeated detection of DWHxxxx.tmp as a threat
Fix ID: 2718341
Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.
Solution: Increased Defwatch scan performance and moved the temporary extraction folder from %TEMP% to Application Data to avoid conflicts with Windows Search Indexer.
Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2
If issue reoccuring with SEP 12.1 RU2 version then need log a case with the Support.
But before that I would suggest to test it with SEP 12.1 RU3 Beta/RTM version.
Please check this article
DWH***.tmp files are detected in the user profile temp directory
http://www.symantec.com/docs/TECH92399
These detections do not indicate a new outbreak of a threat. The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.
There are also several known methods to work around the issue:
- The quarantine scan on virus definition update can be disabled in the Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
- Items in quarantine can be deleted.
- If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
- Investigate other applications that are scanning the temp file for changes.