Outlook 2003 and NOD32 Problem

Discussion in 'NOD32 version 2 Forum' started by joelburchett, Jul 18, 2006.

Thread Status:
Not open for further replies.
  1. joelburchett

    joelburchett Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    5
    I noticed a problem after recently deploying NOD32 v2.5 in our environment. I have replicated an issue that after installing NOD32 AV client, Outlook 2003 will no longer close correctly. This is happening on computers configured in cached Exchange (i.e. laptops) but I have not noticed the problem on any of the dekstops.

    This issue has occured on several different models of computer, so there is no common thread on the hardware. Also, Outlook was patched with the latest SP and Windows XP has all the latest patches and device drivers. In fact it happens whether or not the OS and drivers are updated.

    I can repeat this problem and correct it by closing NOD32 completely out and then Outlook will open and close normally. As soon as you engaged NOD32 (with or without EMON) Outlook.exe hangs and must be terminated with Task Manager. So I am pretty certain this is an issue with NOD32. Any ideas?
     
  2. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Interesting..is this across the board on your network..or just with a few specific users? Curious what the size of their mailbox is....if there's a relationship..such as this just happens with user that have a large mailbox.

    An experiment..exclude the .OST and .OAB files from AMON.
     
  3. joelburchett

    joelburchett Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    5
    The common thread seems to be anyone with a cached setup using .ost as a replica inbox. Some users have large mailboxes and some do not. In addtion, it does not, as I previously indicated, matter if I enable or disbale EMON. Still get the same problem.
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    I had caught that the first time...but what about if you set the OST and OAB as exclusions in AMON...they'll be files in the users profile directory. Exclude that whole directory for a test.
    By default...C:\Documents and Settings\username.domain\Local Settings\Application Data\Microsoft\Outlook

    AMON ==/== EMON.

    I run Outlook 2K3 on my laptop that I'm writing from right now..she runs in cached mode from our Exch 2K3 server.

    Also look for leftover COM plugins in Outlook from prior AV programs....remove them. That's deep in your options of Outlook.
     
    Last edited: Jul 18, 2006
  5. joelburchett

    joelburchett Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    5
    Well, continuing my investigation, I recently reloaded a Dell Latitude D100 from scratch. Updated BIOS, CDR Firmware, Installed XP SP2, Patched, Installed Office 2003 and Patched that up completely. Then I installed NOD32 and patched it. I did not have the problem on that machine after all of that. But, there is one subtle difference with that machine. It has never been off the network and one of our mail admins set up Outlook clients to connect remotely to their mailboxes through our OWA http: server. That (now) is the only difference between a brand new Thinkpad that was completely patched up and the older Dell which got a fresh install of XP/drivers/firmware. So I am wondering if the dual access of Outlook using http is causing havoc with IMON/EMON. But I disabled EMON on the other machine and it still did the same thing.
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Just to be clear....you said "set up Outlook clients to connect remotely to their mailboxes through our OWA http: server."

    You mean Outlook 2003 RPC over HTTP?
    Or...just Outlook Web Access..through Internet Exploader?

    IBM Thinkpads..my favorite! :thumb:

    But that brings to mind...Lenovo has been shipping the Thinkpads with Symantec Corp Edition pre-installed...which goes to my mentioned earlier...any prior AV products installed? If so...are their Outlook COM plugins fully removed? And I'd delete the extend.dat file also...let a fresh virgin one be recreated.

    For the Outlook in cached mode/offline...take a look in the Outlook hidden folder in the users profile..you'll see what I mentioned to try excluding it in AMON as a test...those .OST files are rather hefty..and numerous. You're not hurting protection...you still have EMON, and most importantly..your Exchange Server is running XMON.
     
  7. joelburchett

    joelburchett Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    5
    Yes, I meant RPC over HTTP. I didnt do the setup on the TP but I let the tech know he should remove the Symantec AV. I was called in at 1AM to fix it, but I dont recall any other AV client. Since I have noticed that I have this problem on all the clients set to access email in this particular way, I got hold of a Toshiba that is doing the same thing. It dawned on me yesterday about the RPC/HTTP deal which is the domain of IMON. When I disabled IMON the Outlook hand ceased. So now I am considering what I have to do to throttle back IMON protection to prevent this from happening. But it would be nice if Eset could examine this phenomena and work out an analysis. For now my solution will have to be to disable IMON on cached remote clients.
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I would definitely, in addition to removing all Symantec AV related stuff in Add/Remove programs...I would also go into Outlook and ensure the COM plugin is not there..and still yank the extend.dat file.

    My laptop that I'm writing from is also a Thinkpad...but clean install of XP..then right to NOD32..no history of Symantec.
     
  9. kaisernc

    kaisernc Registered Member

    Joined:
    Feb 6, 2007
    Posts:
    4
    I have also noticed outlook.exe crashing while IMON is enabled. This occurrs on our Outlook 2003 clients when they have Cached Exchange Mode turned on. So far, I have only noticed that disabling IMON on the systems cures the crashes. We have other clients in the office that use both Outlook XP and Outlook 2003 with Cached Exchange Mode turned off and have not noticed the crashes with those users.
     
  10. glennpratt

    glennpratt Registered Member

    Joined:
    Jun 25, 2007
    Posts:
    4
    I'm experiencing a similar problem except disabling AND stopping EMON is effective. (Uncheck EMON enabled... and then hit Quit. Kill all outlook.exe processes, restart.)

    No COM Add Ins... No Symantec, though these were former symantec users. Happens on all Win 2k3 and Win XP clients.

    UPDATE: Disabling EMON is not always effective. Disable and stop IMON and EMON does the trick (RPC over HTTPS related I'm sure).
     
    Last edited: Jun 25, 2007
  11. glennpratt

    glennpratt Registered Member

    Joined:
    Jun 25, 2007
    Posts:
    4
    UGH! RPC is dying forcing a restart on client machines after 60 seconds. Windows error report says this was caused by ESET nod32.
     
  12. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Prior Symantuck users...did you run the Symantec removal tool after add/remove programs to get red of remnants? Try the TCP/Winsock repair utility in case the tcp stack got mangled?
     
  13. glennpratt

    glennpratt Registered Member

    Joined:
    Jun 25, 2007
    Posts:
    4
    Yes I did run Norton Remover. Disable and Quit IMON + Reboot is the solutions for now. EMON seems OK.

    I talked with ESET support:

    An ESET Customer Care Representative has updated this case with the following information:
    Hello
    Please click on the NOD32 icon down to the right by the system clock.

    The Control Center will open.

    In the window, click IMON.

    In the Window to the right click "Quit".

    Click "Yes" to the question.

    * Reboot the machine *

    We are getting rid of IMON in the next major release and it is safe to no longer use it. This is the solution for the issue.

    Thank you
     
  14. DavidCo

    DavidCo Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    503
    Location:
    UK
    Is this a general bit of advice
    ie - turn off IMONo_O
     
  15. glennpratt

    glennpratt Registered Member

    Joined:
    Jun 25, 2007
    Posts:
    4
    Yes, this is a direct quote of what ESET support told me.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    When it has been replaced (version 3.0), sure, until then no, this is the first layer of your defence, do NOT turn this off.

    Cheers :D
     
Thread Status:
Not open for further replies.