Solution for Norton v11.0 MR5 frequently flagging DWH*.tmp files as viruses
When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect
Product(s)
Norton AntiVirus Corporate Edition
Endpoint Protection
Problem
1. DWH files are created and flagged as malicious by Auto-protect.
2. Items in quarantine double every time new definitions arrive.
Error
No specific "Errors" are logged, as these detections are valid and must be actioned normally.
Cause
When the virus definitions are updated in SEP, there is an option to "Rescan the Quarantine". This enables the SEP client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated AV signatures. When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the SEP client must extract the original file(s) from this quarantine packaging before it can be re-scanned.
During this file extraction process, a temporary file named DWH####.tmp is created in the working directory of the SEP client. This is typically within the "%AppData%\Symantec\" folder, but in certain older builds of SEP it may also use the Windows %TEMP% folders. Normally, this temporary file will not be scanned by the SEP Auto-Protect function because SEP is already handling the file, i.e. SEP knows that it owns the file. However, if a third-party process accesses that file while it is being created, the SEP Auto-Protect function will intercept this file access and will declare the file untrusted because another process, possibly malicious, has accessed the file.
This will cause the file to be seen as a "new" file and untrusted. Accordingly, the file will be scanned. This results in an already quarantined and infected file getting re-scanned. Accordingly, it will be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.
Finally, as each definition set is received by the SEP client and the local quarantine is re-scanned, the process described above repeats and the contents of the local quarantine are doubled.
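To check whether a machine is accumulating these temporary files, the following added example (not part of the original article or of any Symantec tooling) inventories DWH*.tmp files in the folders named above using directory metadata only, without opening the files, and compares two snapshots taken before and after a definition update. The default search roots and the function names `inventory` and `growth` are assumptions made for this example.

```python
import os
import time
from collections import defaultdict
from fnmatch import fnmatchcase

# Assumed search roots, taken from the folders the article names.
DEFAULT_ROOTS = [os.path.join(os.environ.get("APPDATA", ""), "Symantec"),
                 os.environ.get("TEMP", "")]
PATTERN = "dwh*.tmp"  # DWH####.tmp, compared case-insensitively


def inventory(roots=DEFAULT_ROOTS):
    """Map each directory to count/bytes/newest mtime of its DWH*.tmp files.

    Only directory-entry metadata is read; no file is ever opened.
    """
    found = defaultdict(lambda: {"count": 0, "bytes": 0, "newest": 0.0})
    stack = [r for r in roots if r and os.path.isdir(r)]
    while stack:
        folder = stack.pop()
        try:
            with os.scandir(folder) as it:
                entries = list(it)
        except OSError:
            continue  # unreadable folder: skip it, keep scanning
        for entry in entries:
            try:
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif (entry.is_file(follow_symlinks=False)
                      and fnmatchcase(entry.name.lower(), PATTERN)):
                    st = entry.stat(follow_symlinks=False)
                    row = found[folder]
                    row["count"] += 1
                    row["bytes"] += st.st_size
                    row["newest"] = max(row["newest"], st.st_mtime)
            except OSError:
                continue  # entry vanished mid-scan (temp files are short-lived)
    return dict(found)


def growth(before, after):
    """Folders whose DWH*.tmp count rose between two inventory() snapshots."""
    return {d: (before.get(d, {"count": 0})["count"], row["count"])
            for d, row in after.items()
            if row["count"] > before.get(d, {"count": 0})["count"]}


if __name__ == "__main__":
    for folder, row in sorted(inventory().items()):
        newest = time.strftime("%Y-%m-%d %H:%M", time.localtime(row["newest"]))
        print(f"{folder}: {row['count']} files, {row['bytes']} bytes, newest {newest}")
```

Run it when no definition update or quarantine rescan is in progress, since the article attributes the problem to other processes touching the file while SEP is creating it.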
Solution
The issue of multiple DWH files being created and retained has been resolved in Symantec Endpoint Protection Release Update 6, Maintenance Patch 1 (RU6 MP1, 11.0.6100.645). Apply this patch over Symantec Endpoint Protection Release Update 6 (RU6, 11.0.6000.548) or Release Update 6a (11.0.6005.562).
If unable to migrate at this time, here are workarounds that should resolve the issue. These are listed in order of preference.
A) Single Systems:
Disable rescanning of the local quarantine upon receipt of new virus definitions: edit the following policy components -
Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
Ensure no processes or services (such as the Windows Indexing Service, for example) can access/monitor SAV/SEP files.
Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
Restart in safe mode, delete *.DWH files in the temporary folder, and clean the quarantine folder.
B) For a network with multiple affected systems
Open Symantec Endpoint Protection Manager (SEPM)
Select Policies
Select Antivirus and Antispyware Policy
Select Quarantine
Click on the Cleanup Tab
Under Quarantined Files, check "Delete oldest file to limit folder Size at ( X ) MB" (in place of X, enter the size normally selected for the Quarantine folder).
Original link:
http://www.symantec.com/business ... 53&locale=en_US