I noticed a problem after recently deploying NOD32 v2.5 in our environment. I have replicated an issue that after installing NOD32 AV client, Outlook 2003 will no longer close correctly. This is happening on computers configured in cached Exchange (i.e. laptops) but I have not noticed the problem on any of the dekstops.

This issue has occured on several different models of computer, so there is no common thread on the hardware. Also, Outlook was patched with the latest SP and Windows XP has all the latest patches and device drivers. In fact it happens whether or not the OS and drivers are updated.

I can repeat this problem and correct it by closing NOD32 completely out and then Outlook will open and close normally. As soon as you engaged NOD32 (with or without EMON) Outlook.exe hangs and must be terminated with Task Manager. So I am pretty certain this is an issue with NOD32. Any ideas?

Interesting..is this across the board on your network..or just with a few specific users? Curious what the size of their mailbox is....if there's a relationship..such as this just happens with user that have a large mailbox.

An experiment..exclude the .OST and .OAB files from AMON.

The common thread seems to be anyone with a cached setup using .ost as a replica inbox. Some users have large mailboxes and some do not. In addtion, it does not, as I previously indicated, matter if I enable or disbale EMON. Still get the same problem.

{QUOTE-> In addtion, it does not, as I previously indicated, matter if I enable or disbale EMON. Still get the same problem. <-QUOTE}


I had caught that the first time...but what about if you set the OST and OAB as exclusions in AMON...they'll be files in the users profile directory. Exclude that whole directory for a test.
By default...C:\Documents and Settings\username.domain\Local Settings\Application Data\Microsoft\Outlook

AMON ==/== EMON.

I run Outlook 2K3 on my laptop that I'm writing from right now..she runs in cached mode from our Exch 2K3 server.

Also look for leftover COM plugins in Outlook from prior AV programs....remove them. That's deep in your options of Outlook.

Well, continuing my investigation, I recently reloaded a Dell Latitude D100 from scratch. Updated BIOS, CDR Firmware, Installed XP SP2, Patched, Installed Office 2003 and Patched that up completely. Then I installed NOD32 and patched it. I did not have the problem on that machine after all of that. But, there is one subtle difference with that machine. It has never been off the network and one of our mail admins set up Outlook clients to connect remotely to their mailboxes through our OWA http: server. That (now) is the only difference between a brand new Thinkpad that was completely patched up and the older Dell which got a fresh install of XP/drivers/firmware. So I am wondering if the dual access of Outlook using http is causing havoc with IMON/EMON. But I disabled EMON on the other machine and it still did the same thing.

Just to be clear....you said "set up Outlook clients to connect remotely to their mailboxes through our OWA http: server."

You mean Outlook 2003 RPC over HTTP?
Or...just Outlook Web Access..through Internet Exploader?

IBM Thinkpads..my favorite! :thumb:

But that brings to mind...Lenovo has been shipping the Thinkpads with Symantec Corp Edition pre-installed...which goes to my mentioned earlier...any prior AV products installed? If so...are their Outlook COM plugins fully removed? And I'd delete the extend.dat file also...let a fresh virgin one be recreated.

For the Outlook in cached mode/offline...take a look in the Outlook hidden folder in the users profile..you'll see what I mentioned to try excluding it in AMON as a test...those .OST files are rather hefty..and numerous. You're not hurting protection...you still have EMON, and most importantly..your Exchange Server is running XMON.

Yes, I meant RPC over HTTP. I didnt do the setup on the TP but I let the tech know he should remove the Symantec AV. I was called in at 1AM to fix it, but I dont recall any other AV client. Since I have noticed that I have this problem on all the clients set to access email in this particular way, I got hold of a Toshiba that is doing the same thing. It dawned on me yesterday about the RPC/HTTP deal which is the domain of IMON. When I disabled IMON the Outlook hand ceased. So now I am considering what I have to do to throttle back IMON protection to prevent this from happening. But it would be nice if Eset could examine this phenomena and work out an analysis. For now my solution will have to be to disable IMON on cached remote clients.

{QUOTE-> I didnt do the setup on the TP but I let the tech know he should remove the Symantec AV. I was called in at 1AM to fix it, but I dont recall any other AV client. <-QUOTE}

I would definitely, in addition to removing all Symantec AV related stuff in Add/Remove programs...I would also go into Outlook and ensure the COM plugin is not there..and still yank the extend.dat file.

My laptop that I'm writing from is also a Thinkpad...but clean install of XP..then right to NOD32..no history of Symantec.

I have also noticed outlook.exe crashing while IMON is enabled. This occurrs on our Outlook 2003 clients when they have Cached Exchange Mode turned on. So far, I have only noticed that disabling IMON on the systems cures the crashes. We have other clients in the office that use both Outlook XP and Outlook 2003 with Cached Exchange Mode turned off and have not noticed the crashes with those users.

I'm experiencing a similar problem except disabling AND stopping EMON is effective. (Uncheck EMON enabled... and then hit Quit. Kill all outlook.exe processes, restart.)

No COM Add Ins... No Symantec, though these were former symantec users. Happens on all Win 2k3 and Win XP clients.

UPDATE: Disabling EMON is not always effective. Disable and stop IMON and EMON does the trick (RPC over HTTPS related I'm sure).

UGH! RPC is dying forcing a restart on client machines after 60 seconds. Windows error report says this was caused by ESET nod32.

Prior Symantuck users...did you run the Symantec removal tool after add/remove programs to get red of remnants? Try the TCP/Winsock repair utility in case the tcp stack got mangled?

Yes I did run Norton Remover. Disable and Quit IMON + Reboot is the solutions for now. EMON seems OK.

I talked with ESET support:

An ESET Customer Care Representative has updated this case with the following information:
Hello
Please click on the NOD32 icon down to the right by the system clock.

The Control Center will open.

In the window, click IMON.

In the Window to the right click "Quit".

Click "Yes" to the question.

* Reboot the machine *

We are getting rid of IMON in the next major release and it is safe to no longer use it. This is the solution for the issue.

Thank you

Is this a general bit of advice {QUOTE-> it is safe to no longer use it <-QUOTE}
ie - turn off IMON???

{QUOTE-> Is this a general bit of advice
ie - turn off IMON??? <-QUOTE}

Yes, this is a direct quote of what ESET support told me.

{QUOTE-> Yes, this is a direct quote of what ESET support told me. <-QUOTE}When it has been replaced (version 3.0), sure, until then no, this is the first layer of your defence, do NOT turn this off.

Cheers ;D