Endpoint Protection

Expand all | Collapse all

DWH****.tmp

Jump to Best Answer
  • 1.  DWH****.tmp

    Broadcom Employee
    Posted 06-20-2010 02:32 PM
    Hey everyone,

       I have attempted to read up on this through the message board but I have not found a very good solution. I had a computer all of a sudden get HUNDREDS of these random DWH.tmp files, and it attempted to quarantine them, and SEPM called them a Bloodhound, and it looked like the network was hit hard with a virus. Well this issue actually makes Symantec completely stop working. It crashes it repeatedly, and it seemed like it started on one computer, and now it has spread through the entire network, and several machines are constantly getting these DWH****.tmp files... I have read to do this:

    This is how I fixed

    This is how I fixed it:

    • Stop the SEP service
    • Delete all of the .tmp files in c:\windows\temp
    • Delete all of the files in the SEP Quarantine folder
    • Delete all of the file sin the SEP Xfer folder
    • Restart the SEP service

    In some cases I had to delete 50,000 plus files, literally GB's of data.   I haven't seen a reoccurence on the machines where I've performed this process.

    ...but is there any word on if this is the only official response from Symantec on what to do? I have read that this doesn't seem to be a virus, but Definitions that are attempting to update from the DWHWZRD.exe? I need a solutuon because these pop-ups are hosing the entire network, and thus shutting down a business while we are chasing all of these files around trying to get user's machines in working order. I just don't understand how this could spread and jump to other computers.... I guess I am just real confused here. Anyways, down below you will see one of the pop-ups for better clarification, and YES, I am completely up to date with Symantec. We just bought it for this company last month!

    Scan type: Auto-Protect Scan

    Event: Security Risk Found!

    Security risk detected: Trojan.ByteVerify

    File: C:\Users\{user's name}\AppData\Local\Temp\DWH62F6.tmp

    Location: Unknown Storage

    Computer: {computer name}

    User: SYSTEM

    Action taken: Clean failed : Quarantine failed : Access denied

    Date found: Sunday, June 20, 2010  12:02:01 PM

    Thank you to anyone for their help with this.

    --Jeff



  • 2.  RE: DWH****.tmp

    Posted 06-20-2010 11:22 PM

    Hi,

    What version of SEP you are using? Some issues like this been fixed in MR4MP2. Do you know when DWH files been generated? For example: once got new definitions or during scheduled scan etc?

    - Disable rescanning of quarantine upon receipt of new virus definitions.
    - Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
    - Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
    - Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.

    You can try the following as well:

    :: For a Stand Alone client  or a Single system ::
    1) Check for a Process DWHWIZARD.EXE in Processes and End that Process
    2) Run SymDelTemps and delete all the TMP Files (During Manual removal if you get any Error  Message stop the SMC Service)
    3) Delete all the Existing Virus Definitions and run a Repair for SEP
    4) Update SEP using Intelligent Updater or run Liveupdate (LUALL.EXE)

    :: For a Network with multiple systems ::
    1) Open Symantec Endpoint Protection Manager
    2) Goto Policies
    3) Select Antivirus and Antispyware Policy
    4) Select Quarantine
    5) Click on the Cleanup Tab
    6) Under Quarantined Files check mark "Delete oldest file  to limit folder Size at ( X ) MB (Instead of X mentioned the Size of Quarantine Folder you would like to use)

    This issue will be fixed in Ru6 MP1


  • 3.  RE: DWH****.tmp

    Broadcom Employee
    Posted 06-21-2010 10:59 AM
    Moin_Sobhan,

     
         I will be honest, I am new to SEP. I can tell you SEP is: 11.0.6005.562, but I don't know what MR4MP2 is, or Ru6 MP1. Can you explain those to me? I have heard them mentioned before, but I would like to know.

       Thanks for your help!!


  • 4.  RE: DWH****.tmp

    Posted 06-21-2010 11:02 AM
    hello woods, you are with the latest version.


  • 5.  RE: DWH****.tmp

    Broadcom Employee
    Posted 06-21-2010 11:38 AM
    Thanks Rafeeq,

        So how can I tell what is MR4MP2, etc.? Also, if I am at the latest, then why does this happen? The above suggestions worked, including the one from MIZSEP where he told me to delete them all. But it is also picking up a lot of files that are APQ****.tmp as well. It seems sort of similar, and it isn't as bad as the DWH files, but still. Any thoughts?


  • 6.  RE: DWH****.tmp

    Posted 06-21-2010 09:45 PM



  • 7.  RE: DWH****.tmp

    Broadcom Employee
    Posted 07-12-2010 12:45 AM
    yeah, i thought so, it is surprising how come the new release of 11.0.6 can have so many problem like this since the previous 11.0.5 doesn't have anything problem like this before.


  • 8.  RE: DWH****.tmp
    Best Answer

    Broadcom Employee
    Posted 09-09-2010 08:31 AM

    RU6 MP1 has been released and it has fix for the DWH tmp files. If you are still facing this issue, you can upgrade to RU6 MP1. This can be downloaded from https://fileconnect.symantec.com using the serial number.

    If you network is not on Version RU6 or RU6a then you will have to first upgrade it to RU6 or RU6a and then to RU6 MP1, this is the process for upgrade. Cannot upgrade directly to RU6 MP1.