Endpoint Protection


Trojan.Gen.2 Removal

  • 1.  Trojan.Gen.2 Removal

    Posted Nov 29, 2013 10:48 PM

    I keep getting a Trojan.Gen.2 Risk on my machine and can't seem to remove it.  It only comes up during Auto-Protect and not during a full system.



  • 2.  RE: Trojan.Gen.2 Removal

    Posted Nov 29, 2013 10:50 PM

    Post a screenshot if you can. What is the name of the file and location?

    What version of SEP?

    If the filename is dwhxxxxx.tmp then you need to see this article on how to handle it:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953



  • 3.  RE: Trojan.Gen.2 Removal

    Broadcom Employee
    Posted Nov 29, 2013 10:51 PM

    What's the file name, and where is that file downloaded from or copied from?




  • 4.  RE: Trojan.Gen.2 Removal

    Posted Nov 29, 2013 11:29 PM

    I'm running version 11.0.6 SEP.  I'll grab a screenshot next time it comes up as it's pretty random.



  • 5.  RE: Trojan.Gen.2 Removal

    Posted Nov 29, 2013 11:37 PM

    That's a pretty old version. Is it unmanaged (home use)?

    It may be the dwhxxxx.tmp issue noted in the link in my first post.

    Check your Risk log, it should show something in there as to the filename/location.



  • 6.  RE: Trojan.Gen.2 Removal

    Posted Nov 30, 2013 12:37 PM

    It's on a corporate PC and it looks like the dwhxxxx.tmp issue you noted in the first post.

    I'll have to look into getting the latest version of SEP.

    Here's a screenshot while I look into the related article. [screenshot: Trojan.Gen_.2.jpg]

    I'll report back when I get a chance to review and resolve.

    Thanks for all the speedy assistance here!



  • 7.  RE: Trojan.Gen.2 Removal

    Posted Nov 30, 2013 01:02 PM

    Yup, that is the issue. It's a known bug/false positive. The article I linked provides a couple different solutions.



  • 8.  RE: Trojan.Gen.2 Removal

    Posted Nov 30, 2013 01:14 PM


  • 9.  RE: Trojan.Gen.2 Removal

    Posted Nov 30, 2013 01:19 PM

    Read the posts sir, it's the dwhxxxx.tmp issue.



  • 10.  RE: Trojan.Gen.2 Removal

    Trusted Advisor
    Posted Nov 30, 2013 01:37 PM

    Hello,

    You are running an older version of SEP 11.0.6 which was released in July 2011. Any particular reason for using an unmanaged older version of SEP?

    I would suggest you uninstall this older version and install the latest version of either SEP 11.0.7300 or SEP 12.1.4.

    Here is the cause and reason provided below:

    When the virus definitions are updated in the Symantec Endpoint Protection client, there is an option to Rescan the Quarantine. This enables the Symantec Endpoint Protection client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated antivirus signatures.

    When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the Symantec Endpoint Protection client must extract the original file(s) from this quarantine packaging before it can be re-scanned.

    During this file extraction process, a temporary file named DWHxxxx.tmp is created in the working directory of the Symantec Endpoint Protection client. This is typically within the %App Data%\Symantec\ folder, but in certain older builds of Symantec Endpoint Protection, it may also use the Windows %TEMP% folder.

    Normally, this temporary file will not be scanned by the Symantec Endpoint Protection Auto-Protect function because Symantec Endpoint Protection is already handling the file, i.e. Symantec Endpoint Protection knows that it owns the file. However, if a third-party process accesses that file while it is being created, the Symantec Endpoint Protection Auto-Protect function will intercept this file access and will declare the file as untrusted because another process, possibly malicious, had accessed the file.

    This will cause the file to be seen as a new file and untrusted. Accordingly, the file will be scanned. This results in an already quarantined and infected file getting rescanned.  Additionally, it will be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.

    Finally, as each definition set is received by the Symantec Endpoint Protection client and the local quarantine is rescanned, the above process repeats, and the contents of the local quarantine are doubled.

    Hope that helps!!


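    Added example (not from this thread or from Symantec): a small triage script that reads risk-log style lines and separates the DWHxxxx.tmp rescan artifact described above from detections that still need a look. The log layout (date,risk,path) and the sample lines are constructed for the example, and the assumption that the DWH name is "DWH" plus alphanumerics plus ".tmp" in the SEP working directory or %TEMP% follows the description in this post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in an assumed "date,risk,path" layout (not SEP's real log format).
SAMPLE_LOG = """\
2013-11-29 22:40,Trojan.Gen.2,C:\\Users\\jdoe\\AppData\\Roaming\\Symantec\\DWH3F1A.tmp
2013-11-30 13:10,Trojan.Gen.2,C:\\Windows\\Temp\\DWHA07C.tmp
2014-03-19 16:30,Trojan.Gen.2,C:\\ProgramData\\windows manager\\winmgr.exe
2014-03-19 16:31,Trojan.Gen.2,C:\\Users\\jdoe\\Downloads\\DWH1234.tmp
"""

# Assumed name pattern for the quarantine-rescan temp file: DWH + alphanumerics + .tmp
DWH_NAME = re.compile(r"^DWH[0-9A-Z]+\.tmp$", re.IGNORECASE)


def is_sep_working_dir(path):
    # The post places the SEP working directory under %AppData%\Symantec\.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "symantec" in parts and any(p in ("appdata", "application data") for p in parts)


def is_temp_dir(path):
    # Older builds may use the Windows %TEMP% folder instead.
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temp" in parts or "tmp" in parts


def classify(path):
    """Return 'dwh-rescan-artifact' only when both the name and the location fit the
    known false-positive pattern; anything else (e.g. an .exe in ProgramData, or a
    DWH-named file somewhere SEP would not write it) is left for a human to look at."""
    name = PureWindowsPath(path).name
    if DWH_NAME.match(name) and (is_sep_working_dir(path) or is_temp_dir(path)):
        return "dwh-rescan-artifact"
    return "investigate"


def triage(log_text):
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, risk, path = line.split(",", 2)
        results.append((stamp, risk, path, classify(path)))
    return results


if __name__ == "__main__":
    for stamp, risk, path, verdict in triage(SAMPLE_LOG):
        print(f"{stamp}  {risk:14} {verdict:22} {path}")
```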

  • 11.  RE: Trojan.Gen.2 Removal

    Posted Jan 18, 2014 02:06 PM

    @JohnnyDangerous

    Have you gotten this resolved?



  • 12.  RE: Trojan.Gen.2 Removal

    Posted Jan 20, 2014 12:25 PM

    @_Brian

    I have not been able to make this work yet as I cannot seem to locate the "Virus and Spyware policy>Windows Settings>Quarantine>Advanced" settings.  About the only thing I've been able to do is delete all the files in the temp directories, only to have the detection dialog pop up a few days later.

    When I right click on the SEP icon in the systray and select "Open Symantec Endpoint Protection", it brings up the status and settings window.  Digging around all the settings, I still cannot locate the Quarantine settings as described in the KB Article.

    Another question I have, can I upgrade to v12 of SEP without a key from v11?



  • 13.  RE: Trojan.Gen.2 Removal

    Posted Jan 20, 2014 12:26 PM

    You can't upgrade unless you have the serial key to download from FileConnect.

    Perhaps you can go back to your admin to get the latest version?



  • 14.  RE: Trojan.Gen.2 Removal

    Posted Feb 22, 2014 11:01 AM

    @JohnnyDangerous,

    Have you had any success with this?



  • 15.  RE: Trojan.Gen.2 Removal

    Posted Feb 24, 2014 01:05 PM

    @_Brian,

    I have not been successful with resolving the issue.  However, our IT went ahead and replaced the HD for other reasons.



  • 16.  RE: Trojan.Gen.2 Removal

    Posted Feb 27, 2014 03:15 PM

    Hey @JohnnyDangerous

    Have you checked the registry for the local machine or user to see if it keeps trying to run a program?  I had one of these a few weeks ago where notifications would keep getting detected because there was an *.exe that was referenced in either:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run  or RunOnce

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce

    HKEY_USERS\S_1_5.....\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce

    Just food for thought if you see it again, if you haven't looked there already.



  • 17.  RE: Trojan.Gen.2 Removal

    Posted Mar 19, 2014 04:51 PM

    Hi, I might have got a real Trojan.Gen.2 - SEP (11.0.7101.1056) warns winmgr.exe is infected. - Located in programdata / windows manager - related to a registry entry hkey_users\s-1-5-21-1538607324-......-352724 - this registry entry cannot be changed - there's a startup entry called microsoft.com referring to the same registry name, and it cannot be disabled (re-enables itself). Sounds paranoid, doesn't it? SEP is centrally managed and refreshed.