How to cleanly remove the Network introspection driver (vnetflt.sys)
book
Article ID: 301397
calendar_today
Updated On:
Products
VMware vDefend Firewall
Issue/Introduction
The vsepflt.sys is the only driver required for normal Antivirus protection. The vnetflt.sys or vnetWFP.sys (for windows 10 and above) driver is called the NSX Network introspection driver. This driver captures networking events such as AD login/logout and all other normal networking traffic. This driver can be safely removed and does not effect AV if the AV is not configured to use network introspection.
Starting from VMware Tools 10.2.5, vnetWFP driver will be installed on Windows 7 and above versions instead of vnetflt.
Environment
VMware NSX for vSphere 6.2.x VMware NSX for vSphere 6.0.x VMware NSX for vSphere 6.1.x VMware NSX for vSphere 6.3.x VMware NSX for vSphere 6.4.x
Resolution
To remove the vnetflt.sys:
Log in to vSphere Web Client.
Mount VMware tools installer. (right click on VM > Guest > Install VMware tools > Interactive Install).
Open auto play for Tools installing in the OS of the VM.
Reboot the VM. Note: This driver can only be removed If the VM is on at least 10.x version of VMware tools otherwise disable the driver in the registry.