Endpoint Protection detects dwhxxx.lnk as Trojan.Gen

Article ID: 169577

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) Auto-Protect detects dwhxxx.lnk files in the folder C:\ProgramData\Symantec\DefWatch.DWH\ as Trojan.Gen. These files are linked to files that are already quarantined.


Cause

When Defwatch extracts quarantined files in order to repair them, Auto-Protect detects the extracted files and re-adds them to Quarantine, which increases the number of files in the Quarantine folder.

Environment


Resolution

The file handling implementation was given to ccSvcHst, so that access to the folder is granted only to SYSTEM. This issue is fixed in Symantec Endpoint Protection 14.0.0.2 (MP2). For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.
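
To confirm on an endpoint that the folder named above is granted only to SYSTEM, the ACL can be read and compared by SID. The PowerShell below is an added example, not Symantec code; the function name Get-NonSystemGrant is hypothetical, and the default path is the folder given in this article.

```powershell
# Added example (not vendor code): list who is granted access to the DefWatch folder.
param([string]$Path = 'C:\ProgramData\Symantec\DefWatch.DWH')

function Get-NonSystemGrant {
    param([Parameter(Mandatory)][string]$Path)

    # S-1-5-18 is the well-known SID of LocalSystem (NT AUTHORITY\SYSTEM).
    $systemSid = 'S-1-5-18'
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop

    # Request explicit and inherited rules with identities as SIDs, so the
    # comparison does not depend on localized account names.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }    # Deny entries grant nothing
        if ($rule.IdentityReference.Value -eq $systemSid) { continue }

        # Resolve a display name where possible; orphaned SIDs stay as SIDs.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }

        [pscustomobject]@{
            Identity  = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

try {
    $extra = @(Get-NonSystemGrant -Path $Path)
    if ($extra.Count -eq 0) {
        "OK: only SYSTEM is granted access to $Path"
    } else {
        "REVIEW: principals other than SYSTEM are granted access to ${Path}:"
        $extra | Format-Table -AutoSize
    }
} catch [System.Management.Automation.ItemNotFoundException] {
    "Folder not found: $Path"
} catch [System.UnauthorizedAccessException] {
    # Expected when the caller itself cannot read the ACL on a SYSTEM-only folder.
    "Access denied reading the ACL on $Path"
}
```

An "Access denied" result from a non-SYSTEM session is consistent with the restricted folder; run the check as SYSTEM to read the ACL itself.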