DWH*.tmp files are created and detected when quarantine is scanned with new virus definitions

Article ID: 151352

Products

Endpoint Protection

Issue/Introduction

DWH*.tmp files are created and flagged as malicious by Auto-Protect in Symantec Endpoint Protection (SEP), and the number of items in quarantine doubles every time new virus definitions arrive.

Cause

When virus definitions are updated on the Symantec Endpoint Protection client, there is an option to Rescan the Quarantine. This lets the Symantec Endpoint Protection client inspect the files stored in the local quarantine and check whether any of them can now be repaired with the updated antivirus signatures.

When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local computer. Consequently, the Symantec Endpoint Protection client must extract the original file(s) from this quarantine packaging before it can be re-scanned.

During this file extraction process, a temporary file named DWHxxxx.tmp is created in the working folder of the Symantec Endpoint Protection client. This is typically within the %App Data%\Symantec\ folder, but certain older builds of Symantec Endpoint Protection may also use the Windows %TEMP% folder. In newer versions of 12.1, the file has the original extension of the quarantined item (e.g. DWHxxxx.exe).

Normally, this temporary file will not be scanned by the Symantec Endpoint Protection Auto-Protect function because Symantec Endpoint Protection is already handling the file, i.e. Symantec Endpoint Protection knows that it owns the file. However, if a third-party process accesses that file while it is being created, the Symantec Endpoint Protection Auto-Protect function will intercept this file access and will declare the file as untrusted because another process, possibly malicious, had accessed the file.

The file is therefore treated as a new, untrusted file and is scanned, so an already quarantined, infected file is rescanned. It is then detected as a suspect file and quarantined again, adding a duplicate entry to the local quarantine.

Finally, as each definition set is received by the Symantec Endpoint Protection client and the local quarantine is rescanned, the above process repeats, and the contents of the local quarantine are doubled.

Note: A similar quarantine rescan process applied to Symantec AntiVirus (SAV).


Resolution

The issue of multiple DWH files being created and retained has been improved in the latest versions of Symantec Endpoint Protection. Please see Related Articles for more information on obtaining an upgrade to the newest build, and for release notes for previous releases.

Based on the severity of the detections, there are some known workarounds that should resolve the issue. These are listed in order of preference:

  1. Disable rescanning of the local quarantine upon receipt of new virus definitions.
    1. Open the Virus and Spyware policy > Windows Settings > Quarantine > Advanced Options.
    2. Under "When New Virus Definitions Arrive" select Do nothing.
       In Symantec Endpoint Protection 11.0 versions, this policy is called Antivirus and Antispyware Protection and Quarantine is under General.
    3. Click OK and, if needed, assign the policy.
  2. Limit the size of the quarantine folder.
    1. In the right-hand panel of the Virus and Spyware policy, click the Cleanup tab.
    2. Under Quarantined Files, check Enable automatic deleting of quarantined files that could not be repaired (default: Delete after 30 days) and Delete oldest files to limit folder size at: (default 50 MB).
    3. Click OK and, if needed, assign the policy.
  3. Ensure that no processes or services (for example, the Windows Indexing Service) can access or monitor Symantec Endpoint Protection files.
  4. Ensure that the %TEMP% folder is not open when virus definitions are updated.
  5. Restart in safe mode, delete *.DWH files in the temporary folder, and empty the quarantine folder.

If the quarantine, temporary folders, or xfer_temp folders have grown too large for Windows to open or clear through Explorer, it may be necessary to do this from a command prompt.

The instructions below are for a standard installation. If the client is installed somewhere other than the default location, be sure to change the path for the files and folders in the commands below. The commands vary by operating system, so choose the command that is appropriate for your computer.

Deleting .DWH files

Stop the Symantec service

To stop the Symantec Endpoint Protection service:

  1. Click Start, then Run
  2. Type: smc -stop
  3. Click OK

Deleting files from User Temp folder
Type the following command at the command prompt. The path varies with the user name: replace NAMEOFUSER with the name of the Windows user whose temp folder you want to empty:

Windows 2000/XP/2003:
DEL /F /Q "C:\Documents and Settings\NAMEOFUSER\Local Settings\Temp"

Windows Vista/7/2008/8/2012/10:
DEL /F /Q "C:\Users\NAMEOFUSER\AppData\Local\Temp"


Deleting the contents of the temp folder at the root of C:\
Type the following command in command prompt:

DEL /F /Q C:\temp 


Deleting the contents of the Windows Temp folder
Type the following command in command prompt:

DEL /F /Q C:\WINDOWS\Temp 


Deleting the contents of the Defwatch temp folder
Type the following command in command prompt:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1.5+
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Defwatch.DWH"

Windows Vista/7/2008/8/2012/10:

Symantec Endpoint Protection 12.1.5+
DEL /F /Q C:\ProgramData\Symantec\Defwatch.DWH 


Deleting the contents of the xfer and/or xfer_temp folders
Type the following command in command prompt. Replace silo with the appropriate build number:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\xfer\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

Windows Vista/7/2008/8/2012/10:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\xfer\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine Folder

Note: The following steps must be done from the command prompt. Attempting to open the quarantine folder in the Windows user interface may cause delays or make Windows Explorer hang because of the large number of files that can reside there.

Delete the Quarantine Folder
Type the following commands in the command prompt. Replace silo with the appropriate build number:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

Windows Vista/7/2008/8/2012/10:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"


Recreate the Quarantine Folder
Type the following commands in the command prompt. Replace silo with the appropriate build number:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

Windows Vista/7/2008/8/2012/10:

Symantec Endpoint Protection 12.1
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

Symantec Endpoint Protection 11.x
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"


To start the Symantec Endpoint Protection service:

  1. Click Start, then Run.
  2. Enter the following: smc -start
  3. Click OK.
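The whole manual procedure above (stop the client, clear the DWH leftovers from the temp and Defwatch folders, clear xfer and xfer_tmp, delete and recreate the quarantine folder, restart the client) scripted as an added PowerShell example; it is not from the Symantec article. It assumes the Vista-and-later %ProgramData% layout, that each 12.1 silo is a subfolder containing a Data directory (the 11.x root is handled too), and that smc.exe sits in its default Program Files (x86) path; run it elevated, and with -WhatIf first to see what it would remove.

```powershell
function Invoke-SepQuarantineCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed defaults: Vista+ data root and the default smc.exe install path; adjust for your install.
        [string]$SepData = "$env:ProgramData\Symantec\Symantec Endpoint Protection",
        [string]$Smc = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe",
        [string[]]$TempDirs = @($env:TEMP, 'C:\temp', "$env:windir\Temp")
    )
    # 1. Stop the client (same as Start > Run > smc -stop) and wait for smc.exe to exit.
    if (-not (Test-Path $Smc)) { throw "smc.exe not found at $Smc; pass -Smc with the correct path" }
    if ($PSCmdlet.ShouldProcess($Smc, 'smc -stop')) {
        & $Smc -stop
        $deadline = (Get-Date).AddSeconds(60)
        while ((Get-Process smc -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) { Start-Sleep 2 }
    }
    # 2. Temp folders: remove only the DWH* leftovers instead of every file, as the article's DEL does.
    $tempRemoved = 0
    foreach ($dir in ($TempDirs | Where-Object { $_ -and (Test-Path $_) })) {
        $files = @(Get-ChildItem -Path $dir -Filter 'DWH*' -File -Force -ErrorAction SilentlyContinue)
        $files | Remove-Item -Force -ErrorAction SilentlyContinue
        $tempRemoved += $files.Count
    }
    # 3. Defwatch temp folder, a sibling of the install root (e.g. %ProgramData%\Symantec\Defwatch.DWH).
    $defwatch = Join-Path (Split-Path $SepData -Parent) 'Defwatch.DWH'
    if (Test-Path $defwatch) { Get-ChildItem $defwatch -Force | Remove-Item -Recurse -Force }
    # 4. Data roots: each silo's Data folder (12.1 layout) plus the install root itself (11.x layout).
    #    Junctions (reparse points) are skipped so a silo reached through a link is not handled twice.
    $roots = @(Get-ChildItem $SepData -Directory -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0 } |
        ForEach-Object { Join-Path $_.FullName 'Data' } | Where-Object { Test-Path $_ })
    if (Test-Path (Join-Path $SepData 'Quarantine')) { $roots += $SepData }
    $quarantineRemoved = 0
    foreach ($root in $roots) {
        foreach ($sub in 'xfer', 'xfer_tmp') {          # DEL /F /Q ...\xfer and ...\xfer_tmp
            $p = Join-Path $root $sub
            if (Test-Path $p) { Get-ChildItem $p -Force | Remove-Item -Recurse -Force }
        }
        $q = Join-Path $root 'Quarantine'                # RD /S /Q followed by MD on the quarantine folder
        if (Test-Path $q) {
            $quarantineRemoved += @(Get-ChildItem $q -Recurse -File -Force).Count
            Remove-Item $q -Recurse -Force
        }
        if ($PSCmdlet.ShouldProcess($q, 'Recreate empty quarantine folder')) {
            New-Item -Path $q -ItemType Directory -Force | Out-Null
        }
    }
    # 5. Restart the client (smc -start) and report what was cleaned.
    if ($PSCmdlet.ShouldProcess($Smc, 'smc -start')) { & $Smc -start }
    [pscustomobject]@{ TempFilesRemoved = $tempRemoved; QuarantineItemsRemoved = $quarantineRemoved; DataRoots = $roots }
}
```

Dot-source the file and run `Invoke-SepQuarantineCleanup -WhatIf` to preview, then without -WhatIf to perform the cleanup; the returned object records how many temp files and quarantine items were removed and which data roots were processed.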


NOTE: Be aware that some applications, such as the Windows Indexing Service, routinely attempt to touch each file. Backup applications are also known to touch these files. In these cases, add an exclusion for *.DWH in that application, if possible.
