How to cleanly remove the Network introspection driver (vnetflt.sys)
search cancel

How to cleanly remove the Network introspection driver (vnetflt.sys)


Article ID: 301397


Updated On:


VMware NSX Networking


The vsepflt.sys is the only driver required for normal Antivirus protection. The vnetflt.sys or vnetWFP.sys (for windows 10 and above) driver is called the NSX Network introspection driver. This driver captures networking events such as AD login/logout and all other normal networking traffic. This driver can be safely removed and does not effect AV if the AV is not configured to use network introspection.

Starting from VMware Tools 10.2.5, vnetWFP driver will be installed on Windows 7 and above versions instead of vnetflt.


VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.4.x


To remove the vnetflt.sys:


  1. Log in to vSphere Web Client.
  2. Mount VMware tools installer. (right click on VM > Guest > Install VMware tools > Interactive Install).
  3. Open auto play for Tools installing in the OS of the VM.
  4. Go to Setup64 and run as administrator.
  5. Modify Install > VMCI Driver Section > de-select NSX Network Introspection Driver > Finish.
  6. Reboot the VM.
    Note: This driver can only be removed If the VM is on at least 10.x version of VMware tools otherwise disable the driver in the registry. For more information, see Windows VM with NSX Network Introspection driver lose TCP connectivity (2148218).


Additional Information

简体中文如何彻底移除网络自检驱动程序 (vnetflt.sys)