Endpoint Protection

Release notes for Endpoint Protection and Network Access Control 11
Article: TECH103087   |  Created: 2007-01-12   |  Updated: 2012-04-26   | 
Article URL http://www.symantec.com/docs/TECH103087

Migrating to Symantec Endpoint Protection 11.0.7200 (RU7 MP2)
Article: TECH187333   |  Created: 2012-04-25   |  Updated: 2012-04-25   | 
Article URL http://www.symantec.com/docs/TECH187333

This includes an improvement to the DWH issue:

Files re-detected during Defwatch scan
Fix ID: 2067778
Symptom: DWHxxxx.tmp files are being re-detected when Defwatch scan is running.
Solution: Fixed some scan issues, making the scan faster. Also created a separate folder to rescan Quarantine items that can be used to create exceptions.

Hope this helps!  Please do update this thread with your findings.

Is RU7 MP2 really going to fix this issue?

As there's been fixes for this issue in every release since RU5 with it not yet being resolved.

The only way many people have been able to control this issue is to continually keep deleting the quarantined items so a new definition file will not scan and duplicate the DWHxxx.tmp files.

From speaking with Symantec directly issue is caused by file being modified slightly while new definition download re-scans anything in quarantine folder. This slightly modified file is then re-quarantined as a separate DWHxxx.tmp file causing duplication.

Is RU7 MP2 really going to fix this issue?

Your problem statement, that Symantec has taken several runs at this issue already, has been noted by engineering as well.  Achitecturally, this is a difficult issue to address in a CRT release because of API changes required in our core components.  The best fix would be to rescan the threat in memory rather than temporarily writing to disk.  The temporary file will always be vulnerable to redetection by auto protect depending on the system configuration and other software running.

RU7 MP2 contains 2 improvements:

1) "Fixed some scan issues, making the scan faster".  Engineering estimated the scan performance improvements reduce the chances of AP redetection by 90%.  Since this is not a 100% solution, engineering added the second aspect for customers still suffering with this issue.

2) "Created a separate folder to rescan Quarantine items that can be used to create exceptions."  This option provides another 100% effective solution to the problem by allowing a scan exception to be created on the SEPM.  The new folder is used only for the temp rescan files.

The other two workarounds already mentioned in the thread should also be 100% effective:

1) Turn off the quarantine rescan feature, which provides limited value for most threats in the wild today.

2) Avoid use of "quarantine" action.

The architectural improvement to enable an in memory scan is tracked in our formal requirements management system and under discussion by product management for prioritization into a core team release.

As greg12 mentions, changing the Quarantine settings can only be done from the SEPM console by an SEP Administrator.

As SEP is installed on your home computer, is this an unmanaged installation? Ask your SEP admins to do another export of the package with the Quarantine section of the AV & spyware policy set to 'do nothing' when new virus definitions arrive as per the image below.

Alternatively, ask your SEP admins to specify a custom quarantine folder and add that custom folder to the central exclusion list. They must then export the installation package inlcuding the policies again. You must then re-install for the new policies to apply.