In an environment where Guest VMs are running VMware Tools 10.3.5 with Guest Introspection drivers installed, following symptoms are seen:

• Live NSX Upgrade on a host fails.
• The EICAR detection on one or more of the guest virtual machine does not seem to work post failed upgrade.
• Guest VM thin agent logs displays the message similar to: 
  
  No consumer for this file event

This issue occurs because the Guest Introspection File Filter driver (vsepflt.sys) was optimized in VMTools 10.3.5 to filter file events only if there is a security solution connected.

During an NSX upgrade, the driver loses solution connectivity and should be restored post upgrade. If the NSX upgrade fails, then due to a bug in the driver, the tracked solution count can go negative.

As a result, even after the upgrade resolution, the counter may not regain the correct value misleading the driver to stop forwarding file events to the security solution causing the loss of AV protection.

This issue is resolved in VMware Tools 10.3.10

Workaround:
To work around this issue, if unable to upgrade VMware Tools, restart the guest virtual machine.