Symantec Endpoint Protection (SEP) Auto-Protect detects dwhxxx.lnk files in the folder C:\ProgramData\Symantec\DefWatch.DWH\ as Trojan.gen. These files are linked to files that are already quarantined.

When Defwatch extracts quarantined files in order to repair them, Auto-Protect detects the extracted files and re-adds them to Quarantine, which increases the number of files in the Quarantine folder.

Gave the file handling implementation to ccSvcHst, so that access to the folder is only granted to SYSTEM. This issue is fixed in Symantec Endpoint Protection 14.0.0.2 (MP2)  For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.