CrowdStrike has flagged NSX File and Network Inspection Drivers on a VM

Article ID: 436162

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention
VMware vSphere ESXi

Issue/Introduction

CrowdStrike flags VMs that have the NSX File Introspection and NSX Network Introspection drivers installed.
These drivers are installed by VMware Tools and are typically seen in NSX or VCF environments.
In some cases these drivers are installed because "Full Install" was selected in the VMware Tools installer.

[Image: example of installed drivers]

Environment

VMware NSX
VMware vDefend
VMware ESXi

Cause

Both the NSX drivers and the CrowdStrike sensor use the Windows Filtering Platform (WFP) to inspect network traffic. The resulting conflict between the two WFP components looks to CrowdStrike like malicious interference, which is why the drivers are flagged.

Resolution

If the VM is no longer in an NSX environment and the drivers must be removed for compliance, remove them through VMware Tools Setup.

To remove vnetwfp.sys, vnetflt.sys, and vsepflt.sys:

1. Log in to the vSphere Web Client.
2. Mount the VMware Tools installer (right-click the VM > Guest > Install VMware Tools > Interactive Install).
3. Open AutoPlay for the Tools installer in the guest OS of the VM.
4. Go to Setup64 and run it as administrator.

Or, if VMware Tools was installed separately on the VM, start the VMware Tools installer:
1. by running the installer executable, or
2. by going to the installed apps menu in the OS and choosing to 'Modify' VMware Tools.

In the installer, choose Modify Install > VMCI Driver section > de-select NSX Network Introspection Driver and NSX File Introspection Driver > click Finish.

Reboot the VM.

[Image: example of correct removal/uninstall of drivers]
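As an added example, not code from the Broadcom article or from VMware, the following PowerShell script inventories the three drivers the article names and lists the providers registered with the Windows Filtering Platform on the guest, so an administrator can confirm the overlap between the NSX drivers and the CrowdStrike sensor while triaging the alert and verify after the modify-and-reboot that the drivers are gone. It assumes an elevated session on the Windows VM and that the XML written by netsh wfp show state has the wfpstate/providers/item layout with displayData and serviceName children.

```powershell
# Added example, not part of the Broadcom KB article. Run in an elevated PowerShell
# session on the Windows guest. It reports (a) whether the three NSX introspection
# drivers named in the article are present and registered as driver services, and
# (b) which providers are registered with the Windows Filtering Platform, so the
# overlap between the NSX drivers and the CrowdStrike sensor can be seen directly.
# Assumption: the wfpstate.xml layout (wfpstate/providers/item with displayData and
# serviceName children) matches what 'netsh wfp show state' writes on this host.

$NsxDriverNames = @('vnetwfp', 'vnetflt', 'vsepflt')   # driver names from the article

function Get-NsxIntrospectionDriverStatus {
    foreach ($name in $NsxDriverNames) {
        $path = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
        # Win32_SystemDriver shows whether the driver is registered as a kernel service
        $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" `
                               -ErrorAction SilentlyContinue
        $signer = ''
        if (Test-Path $path) {
            # Signer subject helps confirm the file really is the VMware-shipped driver
            $signer = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        }
        [pscustomobject]@{
            Driver      = "$name.sys"
            FilePresent = Test-Path $path
            Service     = if ($svc) { $svc.State } else { 'not registered' }
            StartMode   = if ($svc) { $svc.StartMode } else { '' }
            Signer      = $signer
        }
    }
}

function Get-WfpProviders {
    $xmlPath = Join-Path $env:TEMP 'wfpstate.xml'
    # netsh dumps the live WFP state (providers, sublayers, callouts, filters) as XML
    & netsh.exe wfp show state file="$xmlPath" | Out-Null
    [xml]$state = Get-Content -Path $xmlPath -Raw
    foreach ($item in @($state.wfpstate.providers.item)) {
        if ($null -eq $item) { continue }
        [pscustomobject]@{
            Provider    = $item.displayData.name
            ServiceName = $item.serviceName      # driver service that owns the provider, if any
            Description = $item.displayData.description
        }
    }
}

# Before removal: expect all three drivers present and a VMware/NSX provider listed
# alongside the CrowdStrike one. After the modify + reboot: FilePresent should be False
# and the NSX-owned provider should no longer appear.
Get-NsxIntrospectionDriverStatus | Format-Table -AutoSize
Get-WfpProviders | Sort-Object Provider | Format-Table -AutoSize
```

Run it once before making any change and keep the output with the ticket; run it again after the reboot so the closure record shows the driver files absent and the WFP provider list containing only the expected security product.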


Additional Information

More details about the VMware Tools NSX File and Network Introspection Drivers, including automation of the removal, are available here:
https://knowledge.broadcom.com/external/article/301397/how-to-cleanly-remove-the-network-intros.html