DWH***.tmp files are detected in the user profile temp directory.


Article ID: 177528


Updated On:


Endpoint Protection


Infected DWH***.tmp files are detected in the user profile temp directory by AutoProtect.



These detections do not indicate a new outbreak of a threat.  The .tmp files are created by the Symantec Endpoint Protection (SEP) or Symantec AntiVirus (SAV) Quarantine scan. The scan is normally initiated by a virus definition update.  


Upgrading to the latest available release of SEP will greatly reduce the number of "detections" of already quarantined threats.  Improvements to the processing were included in Release Update 7 Maintenance Patch 2 (RU7 MP2).

Files re-detected during Defwatch scan
Fix ID: 2067778
Symptom: DWHxxxx.tmp files are being re-detected when Defwatch scan is running.
Solution: Fixed some scan issues, making the scan faster. Also created a separate folder to rescan Quarantine items that can be used to create exceptions.


There are also several known methods to work around the issue:

  • The quarantine scan on virus definition update can be disabled in the  Symantec Endpoint Protection Manager (SEPM): edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
  • Items in quarantine can be deleted.
  • If the indexing service is enabled it could be triggering the issue when the dwh***.tmp files are indexed.
  • Investigate other applications that are scanning the temp file for changes.