Hello,
You are running an older version of SEP 11.0.6 which was released in July 2011. Any particular reason for using an unmanaged older version of SEP?
I would suggest you to uninstall this older version and install the Latest version of either SEP 11.0.7300 OR SEP 12.1.4.
Here is the cause and reason provided below:
When the virus definitions are updated in the Symantec Endpoint Protection client, there is an option to Rescan the Quarantine. This enables the Symantec Endpoint Protection client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated antivirus signatures.
When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the Symantec Endpoint Protection client must extract the original file(s) from this quarantine packaging before it can be re-scanned.
During this file extraction process, a temporary file named <computercode>DWHxxxx.tmp</computercode> is created in the working directory of the Symantec Endpoint Protection client. This is typically within the <computercode>%App Data%\Symantec\</computercode> folder, but in certain older builds of Symantec Endpoint Protection, it may also use the Windows <computercode>%TEMP%</computercode> folder.
Normally, this temporary file will not be scanned by the Symantec Endpoint Protection Auto-Protect function because Symantec Endpoint Protection is already handling the file, i.e. Symantec Endpoint Protection knows that it owns the file. However, if a third-party process accesses that file while it is being created, the Symantec Endpoint Protection Auto-Protect function will intercept this file access and will declare the file as untrusted because another process, possibly malicious, had accessed the file.
This will cause the file to be seen as a new file and untrusted. Accordingly, the file will be scanned. This results in an already quarantined and infected file getting rescanned. Additionally, it will be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.
Finally, as each definition set is received by the Symantec Endpoint Protection client and the local quarantine is rescanned, the above process repeats, and the contents of the local quarantine are doubled.
Hope that helps!!