Endpoint Protection

  • 1.  Defwatch.dwh has 293kb files that are detected (externally) as a suspicious.B.UMH

    Posted Aug 02, 2014 10:22 PM

    I'm finding these files in the c:\programdata\Symantec\defwatch.dwh\ folder, and these are DWH####.exe files (not .tmp like a definition update). The client is running 12.1.4013.4013, and I'm not seeing these files on other similarly versioned systems. In fact, when I run a scan on the files on the machine itself (with current definitions) it finds nothing, but when I scan the files externally from another system it detects them as the Suspicious.B.UMH files. So what is this? A virus that is hiding from detection by the client? Or a bogus update of some kind from Symantec that doesn't act like the other systems? Please advise how to track the root cause on this and fix it. Thanks.



  • 2.  RE: Defwatch.dwh has 293kb files that are detected (externally) as a suspicious.B.UMH

    Posted Aug 02, 2014 10:25 PM

    This was a known issue in previous versions and still seems to be prevalent today.

    http://www.symantec.com/docs/TECH102953

    Check the removal steps in this link. Or at least verify these files exist in the given location(s).



  • 3.  RE: Defwatch.dwh has 293kb files that are detected (externally) as a suspicious.B.UMH

    Posted Aug 02, 2014 10:29 PM

    For what it is worth, uploading to VirusTotal, they get the following results:

    Antivirus          Result                                    Update
    AVware             Installerex/WebPick (fs)                  20140801
    Ad-Aware           Adware.Generic.570790                     20140731
    AhnLab-V3          PUP/Win32.TSULoader                       20140731
    AntiVir            ADWARE/InstallRex.Gen                     20140731
    Antiy-AVL          Spyware[AdWare:not-a-virus]/Win32.Agent   20140731
    Avast              Win32:InstalleRex-X [PUP]                 20140801
    BitDefender        Adware.Generic.570790                     20140801
    Bkav               W32.FamVT.AntiFWK.Trojan                  20140731
    CAT-QuickHeal      Trojan.AntiFW.B5                          20140731
    Comodo             Application.Win32.InstalleRex.KG          20140731
    ESET-NOD32         Win32/InstalleRex.J                       20140801
    Emsisoft           Adware.Generic.570790 (B)                 20140801
    F-Secure           Adware.Generic.570790                     20140801
    Fortinet           Riskware/InstalleRex                      20140801
    GData              Adware.Generic.570790                     20140801
    Ikarus             PUA.InstallRex                            20140801
    K7AntiVirus        Unwanted-Program ( 00491c4c1 )            20140731
    K7GW               Unwanted-Program ( 00491c4c1 )            20140731
    Kaspersky          not-a-virus:AdWare.Win32.Agent.aeph       20140801
    Kingsoft           Win32.Troj.Generic.a.(kcloud)             20140801
    Malwarebytes       PUP.Optional.Installex                    20140801
    McAfee             PUP-FHQ                                   20140801
    McAfee-GW-Edition  PUP-FHQ                                   20140801
    MicroWorld-eScan   Adware.Generic.570790                     20140801
    NANO-Antivirus     Riskware.Win32.Agent.crfila               20140801
    Panda              PUP/TSUploader                            20140731
    Qihoo-360          Malware.QVM20.Gen                         20140801
    Rising             PE:Malware.Agent!6.5A                     20140731
    SUPERAntiSpyware   Adware.InstalleRex/Variant                20140801
    Sophos             InstallRex                                20140801
    Symantec           Suspicious.B.UMH                          20140731
    VBA32              Downware.TSU                              20140731
    VIPRE              Installerex/WebPick (fs)                  20140801

    On the surface, this looks like anywhere from annoying adware to nasty. I've submitted to Symantec detections but all it says is that it is already detected - and it does, but not on the "infected" machine even with updated defs.
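    A small triage helper, added here and not taken from the thread or from Symantec, that parses rows in the pasted VirusTotal layout (vendor, result, definition date) and buckets each detection name by what it claims, so the PUP/adware consensus can be separated from the few engines calling it a trojan. The row excerpt is constructed from the list above; the family aliases and PUP markers are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt of the VirusTotal rows quoted above, in the pasted
# "Vendor Result Update" layout (the result field may contain spaces).
VT_ROWS = """\
AVware Installerex/WebPick (fs) 20140801
Ad-Aware Adware.Generic.570790 20140731
AhnLab-V3 PUP/Win32.TSULoader 20140731
Bkav W32.FamVT.AntiFWK.Trojan 20140731
CAT-QuickHeal Trojan.AntiFW.B5 20140731
K7AntiVirus Unwanted-Program ( 00491c4c1 ) 20140731
Kaspersky not-a-virus:AdWare.Win32.Agent.aeph 20140801
Kingsoft Win32.Troj.Generic.a.(kcloud) 20140801
Qihoo-360 Malware.QVM20.Gen 20140801
Sophos InstallRex 20140801
Symantec Suspicious.B.UMH 20140731
"""

# vendor (no spaces), lazy result, then an 8-digit definition date at end of line
ROW_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d{8})$")

# Assumed vendor spellings of the same adware installer family (from the list above).
FAMILY_ALIASES = ("installerex", "installrex", "installex", "tsuloader", "tsuploader")
# Assumed markers that vendors use for potentially unwanted / adware classes.
PUP_MARKERS = ("adware", "pup", "pua", "unwanted", "riskware", "not-a-virus", "downware")

def parse_rows(text):
    """Return [(vendor, result, yyyymmdd)] for well-formed rows; malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows

def classify(result):
    """Bucket a detection name; PUP naming wins over generic words ('Generic', 'Gen')
    that also appear inside adware names such as Adware.Generic.570790."""
    r = result.lower()
    if any(alias in r for alias in FAMILY_ALIASES):
        return "pup-installerex"
    if any(marker in r for marker in PUP_MARKERS):
        return "pup-other"
    if "trojan" in r or "troj." in r:
        return "trojan"
    return "generic-heuristic"

def consensus(text):
    """Count buckets and note whether the host's own engine (Symantec) is among the detectors."""
    rows = parse_rows(text)
    counts = Counter(classify(result) for _, result, _ in rows)
    vendors = {vendor for vendor, _, _ in rows}
    return {"total": len(rows), "buckets": dict(counts), "symantec_detects": "Symantec" in vendors}

if __name__ == "__main__":
    print(consensus(VT_ROWS))
```

Run on the full 33-row list from the post, the same code shows the large majority of engines naming an adware installer rather than a trojan, which matches the "annoying adware" reading of the result.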



  • 4.  RE: Defwatch.dwh has 293kb files that are detected (externally) as a suspicious.B.UMH

    Posted Aug 02, 2014 10:32 PM

    If that is the cause, why does the article mention .tmp files in a completely different path? Is this the new area for unpacking in 12.1.x, and does it retain a .exe?



  • 5.  RE: Defwatch.dwh has 293kb files that are detected (externally) as a suspicious.B.UMH

    Posted Aug 02, 2014 10:39 PM

    I've seen this before as well; it all ties back to the DWH false positive issue. It has been around since the SEP 11.x days and is still here in 12.1.

    You can read the explanation as to why it happens here:

    https://www-secure.symantec.com/connect/ja/forums/generic-trojan-dwhtmp-temp-folder?page=1#comment-5191651

    The entire thread is a good read if you have the time.



  • 6.  RE: Defwatch.dwh has 293kb files that are detected (externally) as a suspicious.B.UMH

    Posted Aug 03, 2014 07:55 AM

    Yes. Brian is right, as I have seen the same problem after I upgraded from RU2 to RU4. I had the same problem; follow the article and it will not happen again.