
Symantec and DWH*.tmp files

3 replies to this topic

#1 nan0guy


  • Members
  • 12 posts
  • Local time:03:20 PM

Posted 08 August 2011 - 11:55 PM


My Symantec Endpoint Protection (11.0.6005.562) is detecting DWH*.tmp files in my Temp directory several times daily, amounting to hundreds of files that are being (generally) quarantined.
A quick Malwarebytes scan generated no results.

I would like to resolve this issue, so please let me know how to proceed.




#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:02:20 PM

Posted 09 August 2011 - 03:39 PM

Some readings show that an Uninstall and a reinstall of Endpoint fixes this.
Clear your Temp files.

Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

#3 nan0guy

  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:20 PM

Posted 10 August 2011 - 09:25 AM

OK, I followed those instructions.

As soon as I reinstalled Symantec Endpoint Protection, it began to detect Trojan.Gen risks in DWH*.tmp files again.

Further suggestions?


#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,091 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:20 PM

Posted 10 August 2011 - 02:03 PM

If you conduct a Google Search or browse the Symantec forums you will find numerous complaints about DWH***.tmp files.
From what I have read, the DefWatch Wizard (defwatch.exe and Dwhwizrd.exe) most likely generates the DWH****.tmp files. After virus definitions are downloaded, DefWatch is supposed to detect out-of-date virus definitions. During the process, quarantined threats are pulled out of the holding area and placed in a temp folder for scanning by Auto protection and DefWatch. When that occurs the Symantec scanning engine detects those versions of the previously quarantined files and the cycle keeps repeating itself.

The Dwhwizrd.exe file is used when a new set of definitions comes in.... It is also used to re-scan files sitting in quarantine when new virus definitions are updated and installed.

What is the Dwhwizrd.exe file?

This was an explanation reportedly provided by a Symantec employee in response to a topic about the issue:

The DWH files are temp files that are created by our process called defwatch.exe. These files are quarantined threats that we pull out of quarantine to scan during a quick scan. This usually happens when new defs are applied. What we have seen in most cases, is the indexing service, or some other real-time scanner is touching the file and then auto-protect is re-scanning it.

Symantec AntiVirus, Trojan.gen, DWH*.tmp

Other than that I have not been able to find an official response from Symantec. However, there was a support article related to re-detections: Defwatch temp files are re-detected in temp folder
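The re-detection cycle described in post #4 (quarantined items copied to DWH*.tmp files in Temp after a definitions update, then detected again) can be separated from other detections when reviewing a risk log. The following is an added example, not code from the thread or from Symantec; the pipe-delimited event format, the `classify` function, its labels and the 30-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename, dirname  # parses Windows paths on any OS

# Constructed sample events. The field layout (time|event|risk|path) is an
# assumption for this example, not Symantec's log export format.
# Events are assumed to be in chronological order.
SAMPLE_EVENTS = r"""
2011-08-08T09:00:05|DEFS_UPDATED||
2011-08-08T09:01:12|RISK|Trojan.Gen|C:\Users\user\AppData\Local\Temp\DWH1A2B.tmp
2011-08-08T09:01:40|RISK|Trojan.Gen|C:\Users\user\AppData\Local\Temp\DWH9F03.tmp
2011-08-08T13:22:10|RISK|Trojan.Gen|C:\Users\user\Downloads\setup.exe
2011-08-08T16:45:00|RISK|Trojan.Gen|C:\Users\user\AppData\Local\Temp\DWH77C1.tmp
"""

DWH_NAME = re.compile(r"^DWH[0-9A-Z]*\.tmp$", re.IGNORECASE)


def classify(log_text, window=timedelta(minutes=30)):
    """Return (path, label) for every RISK event in the log text."""
    last_update = None
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, kind, _risk, path = line.split("|")
        when = datetime.fromisoformat(stamp)
        if kind == "DEFS_UPDATED":
            last_update = when  # remember the most recent definitions update
            continue
        in_temp = basename(dirname(path)).lower() == "temp"
        if not (in_temp and DWH_NAME.match(basename(path))):
            # Not a DWH temp copy: treat as an ordinary detection.
            label = "investigate"
        elif last_update and timedelta(0) <= when - last_update <= window:
            # DWH copy detected shortly after new definitions arrived.
            label = "quarantine-rescan"
        else:
            # DWH copy with no nearby update: check what else touched the
            # file (indexing service or another real-time scanner).
            label = "dwh-no-recent-update"
        results.append((path, label))
    return results


if __name__ == "__main__":
    for path, label in classify(SAMPLE_EVENTS):
        print(f"{label:22} {path}")
```

Detections labelled `investigate` fall outside the DWH*.tmp pattern and should be handled as normal detections rather than as part of the re-scan cycle.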
