Skip to main content

ThreatDown causing Outlook to crash

Updated: 

Issue

This article helps troubleshoot crashes or hangs in the Microsoft Outlook desktop client, potentially caused by the ThreatDown endpoint agent. Outlook crashes have been linked to conflicts with ThreatDown's Exploit Protection, especially the Block potentially malicious email attachments setting or Exploit protection applied to Outlook.exe, particularly after certain Microsoft Outlook updates.

Symptoms

  • Outlook crashes on launch, during email composition or reply, attachment handling, or randomly.
  • Event Viewer shows faults in outlook.exe or ThreatDown-related modules.
  • Issue occurs only with ThreatDown agent installed/enabled.

Before Starting:

  • Ensure you have admin access to the ThreatDown console and the affected machine.
  • Update Outlook and Windows to the latest versions via Microsoft Update.
  • Check for recent ThreatDown agent updates in the console via the Endpoints page.

Resolution

Work through the following tasks in order until the issue is resolved.

Task 1: Check for Detections or Blocked Connections

First, rule out obvious blocks:

  1. In the ThreatDown console, review the Detection Center or Detection Log for any entries related to Outlook, such as blocked attachments, exploits, or suspicious activity.
  2. Check DNS Filtering logs if enabled for blocked Microsoft or Outlook-related domains such as outlook.office.com and live.com subdomains.
  3. If detections exist, add Website or IP address exclusions as needed and test again.

Task 2: Test by Disabling Exploit Protection

Exploit Protection is a common culprit for Outlook conflicts.

  1. In the console, go to the policy assigned to the affected endpoint.
  2. Navigate to Protection settings > Exploit Protection.
  3. Temporarily disable Block potentially malicious email attachments (Outlook desktop only)
  4. Save the policy.
  5. On the endpoint: Go to Endpoints > select affected device(s) > Actions > Check for Protection Updates.
  6. Wait a few minutes for the policy to update on the device.
  7. Reproduce the issue.
    • If the issue resolves: Keep the endpoint in an isolated policy with only that setting disabled.
    • If the issue does't resolve: In the policy, go to Manage protected applications and disable Outlook.exe from there.
      1. Attempt to reproduce the issue again. 
      2. If the issue persists, disable Exploit Protection entirely and test again.
      3. If the issue is resolved at this point, contact support for a permanent fix or exclusion.
      4. If the issue still persists, proceed to full layer testing.

Task 3: Perform Full Layer Testing If Needed

If disabling Exploit Protection alone doesn't help, systematically isolate the problematic layer.

Follow the layer testing process from Troubleshooting endpoint performance issues to identify the problematic protection layer:

  1. Enable debug logging on the endpoint.
  2. In OneView, disable layers systematically:
    1. Start with EDR if enabled.
    2. Then disable Real-Time Protection sub-layers individually in this order: 
      1. Malware Protection
      2. Ransomware Behavior Protection
      3. Web Protection
    3. Wait 2-3 minutes after each layer is disabled to ensure the policy is applied to the endpoint.
    4. Attempt to reproduce the crash.
  3. If disabling a layer prevents crashes, re-enable other layers and confirm by reproducing the issue with only the problematic layer enabled.
  4. Collect logs during reproduction.
    • Required logs based on layer:
      • Web Protection issues → Debug logs
      • Malware layer → Debug logs & Procmon (Process Monitor)
      • Exploit layer → Debug logs
      • Behavior protection → Debug logs & Procmon
      • EDR (critical - collect twice!):
        • With RTP disabled + EDR Enabled → Reproduce issue → Collect Debug logs, Procmon, Xperf logs & note exact timestamp.
        • With RTP disabled + EDR Disabled → Reproduce (it should work) → Collect the same logs & timestamp for comparison.
    • How to collect:
      • Debug logs: Already enabled; Collect diagnostic logs
      • Procmon: Download Sysinternals Process Monitor, run it during reproduction, save capture. 
      • Xperf (for EDR): Use Windows Performance Recorder or xperf commands to capture traces during the test.

Task 4: Contact Support

Open a Support ticket and provide:

  • Description of symptoms and reproduction steps.
  • Identified problematic layer (if found).
  • Debug logs, Procmon capture (.pml), and any Event Viewer errors from Outlook crashes.
  • Endpoint details: OS version, Outlook version/build, ThreatDown agent version, policy/group.
  • Number of affected machines and environment info.

Support will review logs, confirm if it's a known issue (e.g., Exploit Protection conflict), and provide fixes like policy exclusions, hotfixes, or agent updates.

Temporary Workarounds:

  • Keep Exploit Protection disabled (or specific Outlook settings off) until resolved.
  • Use Outlook Web App (outlook.office.com) as alternative.
  • Ensure no other security software conflicts.

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more