Endpoint Protection


Trojan.Swifi

  • 1.  Trojan.Swifi

    Posted Jul 20, 2016 02:22 AM

    What to do about the virus found under Current Virus? The action shown is Not applicable. This is shown as part of DEFWATCH, so how can I remove the virus?

     

    Trojan.Swifi 07/19/2016 22:30:32 07/06/2016 18:21:17 C:\PROGRAMDATA\SYMANTEC\DEFWATCH.DWH\DWHDDDB.swf

     

    SHA-256
    A6132AE2FE4C75088E873F2C8E4B3626E4FC93B6FD9CBF4CB2CABC6C2BB34515 SYSTEM 07/19/2016 r2

    Scan Type:DefWatch

    Action:Not applicable



  • 2.  RE: Trojan.Swifi

    Posted Jul 20, 2016 08:18 AM

    This is a known issue / false positive with SEP. Please read through this article:

    DWH*.tmp files are created and detected when quarantine is scanned with new virus definitions



  • 3.  RE: Trojan.Swifi

    Broadcom Employee
    Posted Jul 21, 2016 03:23 PM

    Hello,

    What's the SEP version? It was a known issue with previous versions of SEP.

    If SEP is not on the latest version, upgrade SEPM & SEP clients to the latest version. SEP 12.1 RU6 MP5 is the latest version.

    In case the issue is occurring with the latest version, involve the support team immediately.

     



  • 4.  RE: Trojan.Swifi

    Posted Jul 24, 2016 03:07 AM

    We upgraded to the latest version on Symantec Endpoint Manager, 12.1.RU6 MP5, last week. The clients are yet to be upgraded; the version on the clients is 12.1.6 MR4.

    I got updates today also.

     

    What to do for partially repaired Risks and Left alone risks?

     

     



  • 5.  RE: Trojan.Swifi

    Posted Jul 24, 2016 08:47 AM

    They need to be manually cleaned. But again, your issue is a false positive. The article I linked walks through cleaning this up.



  • 6.  RE: Trojan.Swifi

    Posted Aug 22, 2016 07:22 AM

    Hello Brian,

     

    The DWH*.tmp error has been triggering on a daily basis now for just one particular endpoint. I have gone through the article, which talks about manual deletion, but there are many steps; should we follow all of them?

    Or is it just:

    1. Disable the SMC service
    2. Find the quarantine folder and delete the contents?

     

    Also, I  cannot find the

    Symantec Endpoint Protection 12.1.5+
    DEL /F /Q C:\ProgramData\Symantec\Defwatch.DWH 

    instead I see,

    C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Quarantine

     

    The folder view has been changed to "view hidden files".

     

    Please tell me how I can delete these files. Or should we delete the folder itself and then recreate it?

    Please clarify



  • 7.  RE: Trojan.Swifi

    Posted Aug 22, 2016 07:35 AM

    The steps for manual deletion in the article are what need to be followed?



  • 8.  RE: Trojan.Swifi

    Posted Aug 23, 2016 02:43 AM

    Hello Chetan,

     

    How do we involve the support team regarding this DWH* issue? Today we received another 5 instances at the same location.

    Can you clarify the steps involved? We are using 12.1.RU6 MP5.



  • 9.  RE: Trojan.Swifi

    Posted Aug 23, 2016 03:04 AM

    Call support and tell them you are facing the DWH issue; they will have a case created for you.



  • 10.  RE: Trojan.Swifi

    Posted Aug 23, 2016 07:57 AM

    Are the steps in the article I linked not working??



  • 11.  RE: Trojan.Swifi

    Posted Aug 24, 2016 05:19 AM

    Brian, the issue is that the PC is at a remote location. From the steps you provided, it is not clear which steps need to be done to just clear the quarantine ONLY. I need to provide the exact steps to the HELPDESK to carry out.

    That's why I asked about the specific steps above:

    1. Disable the SMC service
    2. Find the quarantine folder and delete the contents?

    Can you be patient and tell me the exact steps?



  • 12.  RE: Trojan.Swifi

    Posted Aug 24, 2016 07:49 AM

    The guide is specific to the OS that you're using as well. Stop the smc service first (smc -stop).

    Delete user temp

    Windows Vista/7/2008/8/2012/10:
    DEL /F /Q "C:\Users\NAMEOFUSER\AppData\Local\Temp"

    Deleting the contents of the temp folder at the root of C:\
    Type the following command in Command Prompt:

    DEL /F /Q C:\temp 


    Deleting the contents of the Windows Temp folder
    Type the following command in Command Prompt:

    DEL /F /Q C:\WINDOWS\Temp 

    Are you on 12.1.5 or higher, or a lower version?

    Symantec Endpoint Protection 12.1.5+
    DEL /F /Q C:\Documents and Settings\All Users\Application Data\Symantec\Defwatch.DWH 

    Windows Vista/7/2008/8/2012/10:

    Symantec Endpoint Protection 12.1.5+
    DEL /F /Q C:\ProgramData\Symantec\Defwatch.DWH 

    Deleting the contents of the xfer and/or xfer_temp folders
    Type the following command in Command Prompt. Replace silo with the appropriate build number:

    Symantec Endpoint Protection 12.1
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\xfer_tmp\"
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\xfer\"

    Delete the Quarantine Folder
    Type the following commands in the Command Prompt. Replace silo with the appropriate build number:

    Symantec Endpoint Protection 12.1
    DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"
    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

    Symantec Endpoint Protection 12.1
    MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

    Start the smc service (smc -start)
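The sequence above is the kind of thing a helpdesk wants as one file rather than a list of commands to retype. The PowerShell script below is an added example written for this thread; it is not the poster's commands or Symantec's KB article. It performs the same steps in the same order (stop smc, clear the user, C:\temp and Windows temp folders, clear Defwatch.DWH, clear xfer and xfer_tmp, remove and recreate the Quarantine folder, start smc), discovers the silo build folder when it is not passed in, and supports -WhatIf so the helpdesk can preview what would be deleted. Assumptions not stated on the page: smc.exe is resolvable through PATH, the SEP client's Windows service is named SepMasterService, and silo folders are named with a four-part build number such as 12.1.7004.6500.105.

```powershell
<#
  Added example for the thread above, not Symantec's own tooling.
  Wraps the manual DWH clean-up sequence (smc -stop, DEL temp folders,
  DEL Defwatch.DWH and xfer*, RD/MD Quarantine, smc -start) into one script.
  Assumptions: smc.exe is on PATH; the SEP client service is named
  SepMasterService; the silo folder is named like 12.1.7004.6500.105.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # The "silo" in the KB commands: the SEP client build number. Auto-discovered when omitted.
    [string]$Silo,
    [string]$SepData  = 'C:\ProgramData\Symantec\Symantec Endpoint Protection',
    [string[]]$UserTemp = @("$env:USERPROFILE\AppData\Local\Temp"),
    [string]$SmcPath  = 'smc'   # assumption: resolvable via PATH
)

$ErrorActionPreference = 'Stop'

function Get-SepSilo {
    # Find the single version-named folder under the SEP data tree (assumed naming).
    param([string]$Root)
    $candidates = @(Get-ChildItem -Path $Root -Directory |
        Where-Object { $_.Name -match '^\d+(\.\d+){3,4}$' })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one silo folder under $Root, found $($candidates.Count). Pass -Silo explicitly."
    }
    return $candidates[0].Name
}

function Clear-Folder {
    # Equivalent of DEL /F /Q <folder>: remove the files inside, keep the folder itself.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Verbose "Skip (missing): $Path"; return 0 }
    $files = @(Get-ChildItem -LiteralPath $Path -File -Force)
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
    return $files.Count
}

if (-not $Silo) { $Silo = Get-SepSilo -Root $SepData }
$siloData = Join-Path $SepData "$Silo\Data"

# 1. Stop the client, as in the post (may prompt for a password if the client policy requires one).
& $SmcPath -stop
# Wait until the service really is stopped before touching its folders (assumed service name).
$svc = Get-Service -Name SepMasterService -ErrorAction SilentlyContinue
if ($svc) { $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60)) }

# 2. DEL /F /Q on each folder named in the post, in the same order.
$targets = @(
    $UserTemp
    'C:\temp'
    "$env:SystemRoot\Temp"
    'C:\ProgramData\Symantec\Defwatch.DWH'
    (Join-Path $siloData 'xfer_tmp')
    (Join-Path $siloData 'xfer')
)
foreach ($t in $targets) {
    $n = Clear-Folder -Path $t
    Write-Output ('{0,5} file(s) removed from {1}' -f $n, $t)
}

# 3. RD /S /Q then MD on the Quarantine folder.
$quarantine = Join-Path $siloData 'Quarantine'
if ((Test-Path -LiteralPath $quarantine) -and
    $PSCmdlet.ShouldProcess($quarantine, 'Remove folder and contents')) {
    Remove-Item -LiteralPath $quarantine -Recurse -Force
}
if ($PSCmdlet.ShouldProcess($quarantine, 'Recreate empty folder')) {
    New-Item -ItemType Directory -Path $quarantine | Out-Null
}

# 4. Start the client again.
& $SmcPath -start
```

Run it from an elevated PowerShell prompt; `.\Clear-SepDwh.ps1 -WhatIf` lists every file and folder that would be removed without changing anything, which is a reasonable first pass for a remote helpdesk engineer. Note that removing and recreating the Quarantine folder discards every quarantined item on that client, not only the DWH rescan artifacts, so anything still wanted for analysis or restore should be collected before this is run.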