Endpoint Protection


SEP Quarantines Windows Temp Files / Can't Find any Threat

  • 1.  SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jun 11, 2010 06:47 AM
    Hey Guys, we have been seeing this on several workstations that we manage. The files all start with DWH. We have taken the machines offline and scanned them heavily with multiple products and nothing comes back. We cannot figure out what these are all about. Has anyone else seen these DWH*.tmp files in the Windows temp folder? I have attached event data from two different workstations at different customers. Both running Windows XP SP3. Seems to get detected once or twice a day. Possibly tied to a logon on the system.

    ALERT DETAILS
    -----------------------------------
    CATEGORIES:
    DEVICE:
    ALERT CONFIGURATION: Symantec Antivirus - Security Risk Handled
    TIMESTAMP: 6/10/2010 10:20:32 PM (Eastern Standard Time)

    WINDOWS EVENT
    -----------------------------------
    TIME OF EVENT: 6/10/2010 10:18:30 PM
    EVENT LOG: Application
    EVENT SOURCE: Symantec AntiVirus
    EVENT ID: 51
    SEVERITY: Error
    DESCRIPTION:
    Security Risk Found!Trojan.Gen in File: C:\WINDOWS\Temp\DWH1975.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.

    ALERT DETAILS
    -----------------------------------
    CATEGORIES:
    DEVICE:
    ALERT CONFIGURATION: Symantec Antivirus - Security Risk Handled
    TIMESTAMP: 6/11/2010 6:19:57 AM (Eastern Standard Time)

    WINDOWS EVENT
    -----------------------------------
    TIME OF EVENT: 6/11/2010 6:18:17 AM
    EVENT LOG: Application
    EVENT SOURCE: Symantec AntiVirus
    EVENT ID: 51
    SEVERITY: Error
    DESCRIPTION:
    Security Risk Found!Trojan Horse in File: C:\WINDOWS\Temp\DWH104D.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.

  • 2.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat
    Best Answer

    Posted Jun 11, 2010 07:22 AM

    What is the version of SEP running?

    Title: 'When new virus definitions are in place and the quarantine is being scanned, a DWHxxx.tmp file is created and detected by Auto-Protect'
    Document ID: 2007111911135548
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007111911135548?Open&seg=ent
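A small triage helper, added here as an example and not part of this thread or of Symantec's tooling, that parses the Event ID 51 descriptions quoted in the first post and separates Auto-Protect hits on DWH*.tmp files inside a Temp directory (the quarantine-rescan pattern the linked document describes) from detections that still need a look. The DWH path heuristic and the third sample event are constructed for the example.

```python
import re
from dataclasses import dataclass

# Description text of a "Symantec AntiVirus" Application-log event (Event ID 51), in the format quoted in the thread.
EVENT_RE = re.compile(
    r"Security Risk Found!(?P<threat>.+?) in File: (?P<path>.+?) by: (?P<scanner>.+?)\. "
    r"Action: (?P<action>.+?)\. Action Description: (?P<desc>.+)$"
)
# DWH<hex>.tmp directly inside a Temp dir (C:\WINDOWS\Temp or ...\AppData\Local\Temp). Constructed heuristic.
DWH_RE = re.compile(r"[\\/]Temp[\\/]DWH[0-9A-F]+\.tmp$", re.IGNORECASE)

@dataclass
class Triage:
    threat: str
    path: str
    action: str
    verdict: str  # "likely-quarantine-rescan" or "review"

def parse_event(description: str) -> dict:
    """Split one event description into its fields; reject anything else."""
    m = EVENT_RE.search(description.strip())
    if not m:
        raise ValueError("not a 'Security Risk Found' event description")
    return m.groupdict()

def triage(description: str) -> Triage:
    """Auto-Protect hits on DWH*.tmp match the quarantine-rescan pattern from the KB article;
    anything else (other paths, scheduled or manual scans) is left for review. A DWH hit is
    only *likely* benign, so treat the verdict as a triage hint, not a clean bill of health."""
    ev = parse_event(description)
    dwh_by_autoprotect = bool(DWH_RE.search(ev["path"])) and ev["scanner"].startswith("Auto-Protect")
    verdict = "likely-quarantine-rescan" if dwh_by_autoprotect else "review"
    return Triage(ev["threat"], ev["path"], ev["action"], verdict)

def summarize(descriptions) -> dict:
    counts: dict = {}
    for d in descriptions:
        v = triage(d).verdict
        counts[v] = counts.get(v, 0) + 1
    return counts

# Sample input: the two descriptions quoted in the thread, plus one constructed
# non-DWH detection (manual scan, non-Temp path) for contrast.
SAMPLE_EVENTS = [
    r"Security Risk Found!Trojan.Gen in File: C:\WINDOWS\Temp\DWH1975.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.",
    r"Security Risk Found!Trojan Horse in File: C:\WINDOWS\Temp\DWH104D.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.",
    r"Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\user\Desktop\invoice.exe by: Manual scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.",
]
```

Feed it the DESCRIPTION lines exported from the Application log (or from an alerting tool like the one in the first post); a host whose "review" count is non-zero is the one worth visiting, while a pile of DWH-only hits points at the quarantine rescan.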




  • 3.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jun 11, 2010 07:45 AM
    All the machines that are being affected are running MR6. We will go ahead and purge the quarantine. Thanks a LOT!


  • 4.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jun 11, 2010 07:52 AM
    BTW, is there any way to clear the quarantine on a client from the SEPM?


  • 5.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jun 11, 2010 07:55 AM
    I am not finding any such way. But you can limit the size of the quarantine folder. It can be done through AV/AS policy ---> Quarantine.


  • 6.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jun 11, 2010 09:51 AM



  • 7.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jun 11, 2010 09:51 AM
    You can clear the quarantine from the SEPM by going to the console and doing:

    1. Click on Monitors on the left.
    2. Click on the Logs tab.
    3. Under Log type choose Risk.
    4. Select the time range you would like to view back to (I've always chosen the past month).
    5. Click Advanced Settings >>
    6. Enter the computer name in question under the Computer field. I also recommend changing the Limit field at the bottom to something higher.
    7. Click View.
    8. Under the Action drop-down is Delete from quarantine. You'll have to select what you would like to remove or change the Selected drop-down to All. Click Start. The next time the client checks in it will delete the items from the quarantine.



  • 8.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jun 14, 2010 09:10 AM

    I'm seeing the same issue running 11.0.6005.562

    In Windows I've set up my "temp" environment variable to c:\temp

    In Safe Mode I've deleted all the files, including hidden files, in c:\temp and the problem persists. I've also deleted all the files in the quarantine.

    My system is constantly getting pop-ups that Bloodhound.Exploit.233 is found... but the machine is clean. I've followed the steps to clear Bloodhound, shutting off System Restore, etc. Last count I had over 900 files detected, and they all begin with DWH.
     
    This was supposedly fixed in fix 4, but I'm at fix version 6. http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/8717bfa8c6b9da4d8825755f00719e2b?OpenDocument

    Any other suggestions? The only solution I have right now is to remove SEC.


  • 9.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jul 07, 2010 12:32 PM
    Symantec has "fixed" this with several MR releases. By "fixed", I mean accomplished no resolution. We are also on the most current version 11.0.6005.562.

    I am the Endpoint administrator at my company and we are getting flooded with calls each day from people who get some kind of malware or virus file that the EP client blocks or quarantines (a real threat); we go around and use other 3rd-party tools to clean the stuff Symantec EP does nothing about, then the DWH temp files start to appear. We get more calls, spend time checking things again and find nothing. I was just told MR1 for 11.0.6 is being worked on but there is no current release date. 11.0.6 MR1 is now supposed to fix the problem.

    First of all, how is it that the Symantec EP client only acts on certain components of the actual threats, leaving other garbage to be cleaned up? Second, why is it that I have to spend HOURS each week chasing ghosts rather than getting all my other real work done? I get that programming is complicated, there are bugs, there are new versions of malware/viruses all the time, etc. We are paying tens of thousands of dollars in software and software support costs, plus the hourly wages of the employees cleaning this stuff up, plus the man hours lost to the cleanup that should have been spent doing other things. To not have the DWH temp file issue fixed by now is without excuse. We pay Symantec to do the hard stuff, not to come up with reasons why they can't.


  • 10.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jul 21, 2010 02:13 PM
    We're having problems with this as well. For us it's been the bloodhound.79 detection with multiple DWH*.temp files being quarantined in c:\users\ID\AppData\Local\Temp directories.

    It just so happens that this occurred on a high-level manager and we're in the evaluation stages. Doesn't bode well for me trying to prove why we should go with SEP over another product.


  • 11.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jul 21, 2010 10:06 PM
    Well, the document said "Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1". Unfortunately it is happening in the current SEP 11 MR6 companywide. So you guys here are not alone :-|


  • 12.  RE: SEP Quarantines Windows Temp Files / Can't Find any Threat

    Posted Jul 31, 2010 10:47 AM

    I have Endpoint 11 and operate under Windows 7 Home edition. I started getting this problem with the DWH files after I reinstalled Windows 7, to the point where Symantec was constantly identifying those tmp files. I tried most of the solutions above to no avail. The solution I stumbled upon immediately corrected the issue. SOLUTION: Open the Endpoint control panel, go to Proactive Threat Protection Settings, under the tab Scan Details uncheck the block for Use Defaults Defined by Symantec, click OK and close out the control panel. No reboot required. Seems to be working for my situation as I no longer receive the DWH* tmp file trojan warning and quarantine.