How to cleanly remove the NSX Network Introspection driver from VMware tools

Article ID: 301397

Products

VMware vDefend Firewall, VMware vDefend Firewall with Advanced Threat Prevention, VMware NSX, VMware NSX Firewall, VMware NSX for vSphere

Issue/Introduction

The NSX File Introspection Driver (vsepflt.sys) is the only driver required for normal 3rd Party AV protection. The NSX Network Introspection Driver (vnetwfp.sys, or the legacy driver vnetflt.sys) captures networking events such as AD login/logout and all other normal networking traffic. This driver is required and should not be removed if you use functionality such as NSX Identity Firewall, NSX IDS/IPS, NSX Intelligence, or vDefend Advanced Threat Prevention.

If the Network Introspection driver must be removed (due to interoperability concerns) and the customer is not using any of the above functionality, this article can be followed to remove the driver.

Environment

VMware NSX for vSphere, VMware NSX-T, VMware vDefend Firewall, VMware vDefend Firewall with Advanced Threat Prevention, VMware vSphere ESXi, VMware Tools for Windows

Cause

In some cases the customer does not use any of the NSX and vDefend functionality that requires the NSX Network Introspection driver, but during installation chose the 'complete' installation, or chose the 'custom' installation and selected the NSX Network Introspection driver as well. Due to 3rd Party interoperability or other requirements, the customer now wants to remove the NSX Network Introspection driver from the Windows environment.

Resolution

To remove the vnetwfp.sys or vnetflt.sys:

  1. Log in to vSphere Web Client.
    (a) Mount the VMware Tools installer (right-click the VM > Guest > Install VMware tools > Interactive Install).
    (b) Open AutoPlay for the Tools installer in the OS of the VM.
    (c) Go to Setup64 and run it as administrator.

  2. Or start the VMware Tools installer, if it has been installed separately on the VM,
    (a) either by using the installer executable, or
    (b) by going to the installed apps menu in the OS and choosing to 'modify' VMware Tools.

  3. Or refer to the "Specify VMware Tools Components in Silent Installation" section of the VMware Tools administration guide (e.g. https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/tools/12-5-0/vmware-tools-administration-12-5-0/installing-vmware-tools/automatically-install-vmware-tools-on-multiple-windows-virtual-machines/specify-vmware-tools-components-for-silent-installations.html).
    (a) Specify "NetworkIntrospection" in the "REMOVE" section.

  4. Modify Install > VMCI Driver Section > de-select NSX Network Introspection Driver > Finish.

  5. Reboot the VM.

 

Additional Information

If the vnetwfp or vnetflt files still exist in the drivers directory after attempting uninstallation through the VMware Tools installer, you may manually disable the driver and delete it.

Follow the steps below to delete the driver from the drivers directory.

  • Run the command "sc query vnetwfp" to check the status; the output will show RUNNING.

  • Run the command "sc stop vnetwfp" to stop the driver, and confirm the result by running "sc query vnetwfp" again.

  • Then try to delete the drivers from the drivers directory.

If the delete operation fails with an error saying that the file is open in another program:

  • Disable the vnetwfp driver in the registry by setting its Start value to 4.

    Before making changes to the registry, take a backup of the registry.

    The registry setting to modify is:

    Value: HKLM\SYSTEM\CurrentControlSet\Services\vnetwfp\Start
    Type: REG_DWORD
    Data: 4

  • Restart the VM after changing the registry settings.
  • After the restart, confirm that the driver is shown as STOPPED by running the command "sc query vnetwfp".
  • Then try to delete the drivers from the drivers directory.
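
The manual fallback above as a PowerShell script, added here as an example and not part of the original article or of VMware Tools. It assumes the drivers directory is %SystemRoot%\System32\drivers and an elevated prompt inside the guest; the -Disable switch and the $BackupDir location are hypothetical names chosen for this example.

```powershell
# Added example, not Broadcom's code. Run elevated inside the Windows guest.
param(
    [switch]$Disable,                                   # hypothetical switch: without it, report only
    [string]$BackupDir = "$env:TEMP\nsx-driver-backup"  # hypothetical backup location
)

$report = foreach ($name in 'vnetwfp', 'vnetflt') {
    $regPath = "HKLM\SYSTEM\CurrentControlSet\Services\$name"
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    # Assumption: the "drivers directory" is %SystemRoot%\System32\drivers
    $file    = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
    $registered = Test-Path $key

    if ($Disable -and $registered) {
        # Back up the service key before changing it, as the article requires
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        reg.exe export $regPath (Join-Path $BackupDir "$name.reg") /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup failed for $name; nothing was changed." }

        sc.exe stop $name | Out-Null                                  # may fail if the driver is in use
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord  # 4 = disabled
    }

    # Read the state the same way the manual steps do: the STATE line of "sc query"
    $state = 'NOT REGISTERED'
    if ($registered -and ((sc.exe query $name | Out-String) -match 'STATE\s*:\s*\d+\s+(\w+)')) {
        $state = $Matches[1]
    }
    $start = if ($registered) { (Get-ItemProperty -Path $key -Name Start).Start } else { $null }

    [pscustomobject]@{
        Driver      = $name
        State       = $state       # RUNNING or STOPPED
        StartValue  = $start       # 4 means the driver will not load at the next boot
        FilePresent = Test-Path $file
    }
}
$report | Format-Table -AutoSize
```

Run it once without -Disable to record the current state. After running it with -Disable, restart the VM and run it again without the switch before deleting any files; the script itself never deletes the driver files.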