SEP 12.1 and the DWH###.TMP files


  • 1.  SEP 12.1 and the DWH###.TMP files

    Posted Jul 05, 2012 03:19 PM

    There is already a forum discussion with this title but it has been locked and it was not resolved.

    We have just upgraded about 50 users to v12.1.1000, some were upgraded from v11.0 (installed over the top), some were installed fresh (v11 removed, rebooted). Both upgrades are flagging the DWH####.tmp virus alerts. Since the last discussion on this issue back in Oct 2011 has anybody found a solution that works?

     



  • 2.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 05, 2012 03:30 PM

    Do you know what version of 11.x you were using?

    The issue was "finally" resolved in 11.7 MP2 according to:

    http://www.symantec.com/business/support/index?page=content&id=TECH102953

    Any versions previous might simply be flagging the files.

    You can clear out the "infected" files from your system(s) and it should no longer occur.

    You should also consider updating to the latest version of 12.1 RU1 MP1.

     

    Cheers!



  • 3.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 05, 2012 04:47 PM

    This is an issue that should have been solved long ago, unfortunately it hasn't.

    The two KBs below are, in my opinion, the best workaround to apply until a future release erases this bug for good.

    Btw, whether you upgrade from 11.0 or do a fresh install of 12.1, the issue might occur in both cases anyway.

    http://www.symantec.com/docs/TECH102953

    http://www.symantec.com/docs/TECH138856

    Hope it helps.

    Shulk.

     



  • 4.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 05, 2012 05:01 PM

    Shulk is correct with his articles. For us, disabling the rescanning of the quarantine after new definition updates arrived has restored sanity to our Service Desk. Tech Article 102953 has gotten rid of the DWH*.* problem.



  • 5.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 06, 2012 05:20 AM

    As an addition to Ian_C and Shulk, here is a posting by Ryan Dasso that may be explaining the background.

    https://www-secure.symantec.com/connect/ja/forums/generic-trojan-dwhtmp-temp-folder#comment-5191661



  • 6.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 06, 2012 11:48 AM

    Most versions of 11 are 6300 and 7000. We are installing v12.1.1001. I did make the change in SEPM to disable the rescanning of the quarantine after new definition updates arrived. I really hope this works.

     



  • 7.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 06, 2012 01:48 PM

    I have looked at this issue off and on for several years. As the TechNote indicates, the latest changes in 11.0 RU7 MP2 and 12.1 RU1 MP1 "improve" the situation - but they do not provide a final solution to this problem.

    The basic problem is architectural - how to rescan the threats that are stored in Quarantine when new definitions arrive? The design is to extract the files from the Quarantine archive (VBin format) back to their original state in the TEMP folder and rescan them to see if they can be repaired with the new definitions.

    Extracting these files to disk (DWHxxx.TMP files) exposes them to being detected again by any external process (our processes are protected). The most common cause is Windows Indexing - but the user can also cause detections by navigating into the TEMP folder and clicking on these TMP files as they come and go.

    Previous updates include speeding up the scan and deleting the TMP files as soon as they are scanned (reducing the time on disk). The new changes include moving the files from Windows TEMP to Program Data\Symantec\DefWatch.DWH. This location can be excluded in SEPM (Common_Appdata) for all clients.

    But the basic problem remains - extracting these files to disk risks detection from Windows Indexing, Explorer, or other 3rd party applications that monitor the hard drive. There are some options to rescan without extracting - but this would require considerable resources to fully resolve.



  • 8.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 08, 2012 11:01 PM

    Thanks Jim for in-depth explanation/analysis.

    hmm are you from Symantec?

     

    I saw some KB mentioned to turn off Windows Indexing for Temp path... do you think it's good?



  • 9.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jul 09, 2012 09:42 AM

    I work for Symantec CRT.

    I am working on updating the KBs to include the latest changes. With 11.0 RU7 MP2 and 12.1 RU1 MP1, the directory has changed (ProgramData\Symantec\DefWatch.DWH, or user ApplicationData in older OSs). You will need to remove this new directory from Windows Indexing with these newer releases. Also note that the DefWatch.DWH folder does not exist except while a DefWatch rescan is occurring.



  • 10.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Aug 19, 2012 02:45 PM

    Hi, this problem just started yesterday on my computer with version 12.1. I want to try the solution at: http://www.symantec.com/docs/TECH102953 but I can't seem to follow the first step:

     

    Disable rescanning of the local quarantine upon receipt of new virus definitions. 

    1. Open the Antivirus and Antispyware policy > Windows Settings > Quarantine > General

    2. Under "When New Virus Definitions Arrive" choose "Do nothing".
      In SEP 12.1 versions, this policy will be called Virus and Spyware Protection and Quarantine will be under Advanced Options.

    I can go to configure settings for Virus and Spyware protection (and quarantine is not part of the name?) but my choices are tabs for global settings, autoprotect, insight, email, outlook, notes. Under the autoprotect tab, there is an "advanced settings" tab, but I can find no options that say anything about what to do when new virus defs arrive.

    Please if someone can tell me what I'm doing wrong? Thank you.



  • 11.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Aug 19, 2012 03:34 PM

    This needs to be done on the SEPM, not the SEP client.



  • 12.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Aug 19, 2012 03:34 PM

    Open a Virus and Spyware Protection policy.

    On the left side, there is a setting "Quarantine" (under the blue "Advanced Options" beam).

    Double-click "Quarantine" and then switch to "Do Nothing".

     



  • 13.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Aug 20, 2012 10:29 AM

    Several of the Quarantine options in SEPM - what to do when new defs arrive, forwarding to Central Quarantine, etc. have no UI on the client. These have to be set in SEPM.



  • 14.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Sep 12, 2012 10:31 PM

    Sorry, I still don't understand what I should do to fix this problem? This is my home computer using Symantec provided for use by employees of my company. Is this something that only an administrator for the company can fix - or can I make a change on my computer?

    Thank you.



  • 15.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Sep 13, 2012 09:40 AM

    Is your SEP managed by Symantec? If so, you may not be able to add Exceptions.

    These instructions apply to Vista and above - for older operating systems, the folder is under Documents and Settings\<username>\local settings\application data\Symantec.

    One problem is that the folder used to rescan Quarantine files is created and deleted each time - so it does not exist normally - and the Exceptions UI only allows existing folders to be added. You can add an exception for ProgramData\Symantec\* - but this may be too broad.

    1. Navigate into ProgramData\Symantec

    2. Create a new folder - DefWatch.DWH

    3. Open the SEP main UI -> Change Settings -> Exceptions -> Configure Settings

    4. Add -> Security Risk Exception -> Folder

    5. Navigate and select the ProgramData\Symantec\DefWatch.DWH folder, click OK

    6. Click Close

    7. You can now delete the DefWatch.DWH folder - or it will be automatically deleted after the next Quarantine rescan.

     



  • 16.  RE: SEP 12.1 and the DWH###.TMP files

    Broadcom Employee
    Posted Nov 15, 2012 06:25 AM

    Hello Everyone,

    According to the fix notes of latest SEP version i.e. SEP 12.1 RU2, issue is resolved with this release.

    Repeated detection of DWHxxxx.tmp as a threat
    Fix ID: 2718341
    Symptom: Repeated detection of DWHxxxx.tmp as a threat when a Defwatch scan runs on Quarantined items.
    Solution: Increased Defwatch scan performance and moved the temporary extraction folder from %TEMP% to Application Data to avoid conflicts with Windows Search Indexer.
     
    Reference: New fixes and enhancements in Symantec Endpoint Protection 12.1 Release Update 2

     



  • 17.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Nov 15, 2012 09:43 AM

    The cited changes make the problem less likely - and allow the TEMP folder to be excluded from all clients by SEPM - but they do not completely resolve the problem. DWHxxxx.TMP files can be re-detected during rescan by Windows Indexing, having Explorer open to the TEMP folder and clicking on these TMP files, or by other third-party disk monitoring applications.



  • 18.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jan 22, 2013 11:37 PM

    Hi all,

    I'm using 12.1.2015.2015 but somehow the defwatch DWH issue still exists?

    What should I do now?



  • 19.  RE: SEP 12.1 and the DWH###.TMP files

    Broadcom Employee
    Posted Jan 23, 2013 04:14 AM

    Hi John,

    You should log a case with Support.

    For testing purpose try with a fresh install if it's not an upgrade.



  • 20.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jan 23, 2013 07:45 AM

    You can change the option to "Do Nothing" when new definitions arrive.



  • 21.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jan 23, 2013 08:38 PM

    Yes that's what I'm doing now.

     



  • 22.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Jan 23, 2013 09:07 PM

    And you're still seeing the issue?



  • 23.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Feb 06, 2013 10:24 AM

    You can also exclude the rescan folder from detections - using the steps above. You might also look at the number of files in Quarantine. Ideally, Quarantine is a temporary holding area for new threats that can be detected but not repaired - and potential new threats manually added to Quarantine for review by Symantec. If there are large numbers of files in Quarantine, you may want to review your scan policies, Quarantine retention period, etc.


  • 24.  RE: SEP 12.1 and the DWH###.TMP files

    Posted Feb 07, 2013 07:49 AM

    How do I clean up the false positive DWH file in the SEPM weekly report?

    This is so as to reduce further confusion.



  • 25.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 03:03 AM

     

    Hi All, I am now dealing with the DWHxxxx.temp issue. I am currently using SEP SMB 12.1.1101.401. I have found Article:TECH102953 but I am unable to locate the Quarantine Settings under the policy “Virus and Spyware Protection”. Any help would be appreciated…



  • 26.  RE: SEP 12.1 and the DWH###.TMP files

    Broadcom Employee
    Posted May 22, 2013 03:15 AM

    Open the Virus and Spyware policy > Windows Settings > Quarantine > Advanced Options



  • 27.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 03:31 AM

    Pete, what can we do next to prevent this issue happening again ?



  • 28.  RE: SEP 12.1 and the DWH###.TMP files

    Broadcom Employee
    Posted May 22, 2013 03:36 AM

    You need to contact tech support if you still see this issue.

    Have you stopped the rescan after new definitions arrive?

     



  • 29.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 01:02 PM

     

    Pete,

    Thank you for your reply. I would love to follow those steps but the “Quarantine” section is not there. I am looking for this in the SEPM, correct?

    Dan

     

     



  • 30.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 01:30 PM

    This is in SEPM - Virus and Spyware Protection policy > Advanced Options > Quarantine



  • 31.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 03:00 PM

     

    Please see attached screenshot. Am I missing something or not in the right area?

     

    Dan

    Attachment: SEPM - Screenshot.doc (421 KB)


  • 32.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 03:07 PM

    Looks like you're running SEP Small Business Edition. I don't believe this is available in SBE.



  • 33.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 03:07 PM

    It looks like the SMB version of SEPM does not include Quarantine or Miscellaneous options. If you let me know what options you want to set, I can find the corresponding Registry settings on the SEP clients.

     



  • 34.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 05:35 PM

     

    Jim, I am getting numerous DWHxxxx.tmp files (over 65,000 as of last night) on one specific XP- Pro Client, so I was going to try and disable the rescan quarantine after new definitions to see if that helped at all.  Do you have any other suggestions?

     

    Thanks,

    Dan



  • 35.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 05:47 PM

    You can try manually deleting, check the post by Mithun Sanghavi here for detailed steps on how to do so

    https://www-secure.symantec.com/connect/forums/why-it-so-difficult-get-rid-ofwork-qsp-files#comment-5255331



  • 36.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 06:36 PM

    If you are seeing a lot of these, then there could be another problem (like they are not getting deleted). They should only be on disk a second or two (depending on size) - and it takes being touched by some other process (Windows Indexing, manual scan, disk monitor, etc) to cause them to be detected again. It would help if we knew what process is causing the re-detection of these files.

    The SEPM option - What to do when new definitions arrive - gets translated into this value in the Registry on the SEP client:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode (exclude the Wow6432Node if 32-bit). The possible values are:

    0 - Always rescan

    1 - Repair only (and put repaired files back into Quarantine)

    2 - Prompt (same as Rescan All in the Quarantine UI)

    3 - Do Nothing

    In the case of SMB, since SEPM does not offer the option - it may not reset the value every time a new policy is downloaded (but it might).

    Another option is to exclude the specific folder used to rescan (Centralized Exceptions). You can do this from SEPM or on the client - but - this folder is deleted after rescan - and it must exist to create the exception on the client - create the folder, create the exception, then delete the folder. The foldername is:

    ProgramData\Symantec\DefWatch.DWH (or under user ApplicationData\Symantec in older OSs).
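    An added example, not from this thread and not Symantec's own tooling: a read-only PowerShell audit a helpdesk engineer could run on a client to confirm what DefWatchMode the machine actually has (useful on SMB edition, where SEPM does not expose the option and may or may not rewrite the value) and to count leftover DWH*.tmp files in the rescan folder and the TEMP folders. The registry path, the four value meanings and the DefWatch.DWH folder location are the ones given in the posts above; the choice of `$env:TEMP` plus `%SystemRoot%\Temp` as the folders to check, and the LOCALAPPDATA fallback for XP, are this example's assumptions.

```powershell
# Added example (not from the thread): audit the DefWatch rescan mode and look for DWHxxxx.tmp residue.
# Read-only: it changes nothing. Run in an elevated PowerShell session on the SEP client.

# Registry location quoted in the thread; the Wow6432Node path applies on 64-bit Windows, the other on 32-bit.
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Quarantine',
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine'
)
$keyPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1

# Value meanings as listed in the thread (0 = always rescan ... 3 = do nothing).
$modeNames = @{ 0 = 'Always rescan'; 1 = 'Repair only'; 2 = 'Prompt (same as Rescan All)'; 3 = 'Do Nothing' }

if (-not $keyPath) {
    Write-Output 'SEP Quarantine registry key not found - is the SEP client installed?'
} else {
    $mode = (Get-ItemProperty -Path $keyPath -Name DefWatchMode -ErrorAction SilentlyContinue).DefWatchMode
    if ($null -eq $mode) {
        Write-Output "DefWatchMode is not set under $keyPath (client default applies)"
    } else {
        $name = $modeNames[[int]$mode]
        if (-not $name) { $name = 'unknown value' }
        Write-Output "DefWatchMode = $mode ($name) under $keyPath"
    }
}

# Rescan folder from the thread: ProgramData\Symantec\DefWatch.DWH on Vista and later,
# user Application Data\Symantec on older OSs. ASSUMPTION: LOCALAPPDATA is used as the XP fallback.
$base = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:LOCALAPPDATA '' }
$rescanDir = Join-Path $base 'Symantec\DefWatch.DWH'

# ASSUMPTION: older builds extracted to TEMP; the user's TEMP and the system TEMP are both checked.
$dirsToCheck = @($rescanDir, $env:TEMP, (Join-Path $env:SystemRoot 'Temp'))

foreach ($dir in $dirsToCheck) {
    if (Test-Path $dir) {
        $count = @(Get-ChildItem -Path $dir -Filter 'DWH*.tmp' -Force -ErrorAction SilentlyContinue).Count
        Write-Output ("{0}: {1} DWH*.tmp file(s)" -f $dir, $count)
    } else {
        # The DefWatch.DWH folder only exists while a rescan is running, so "not present" is normal for it.
        Write-Output ("{0}: folder not present" -f $dir)
    }
}
```

    A large count in any of these folders on a client whose DefWatchMode is already 3 points at the other failure mode Jim describes (files not being deleted after rescan), which is the case to raise with Support rather than another policy change.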

     

     

     



  • 37.  RE: SEP 12.1 and the DWH###.TMP files

    Posted May 22, 2013 10:45 PM

    Jim,

    Thanks for sharing the registry trick here,

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode

    I have set that into 3 in my Win 7 64 bit and it is all now working fine.