VMWare guest BSODs with a driver related stop code after installing or updating KES [KES for Windows]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Description

VMWare guest using Kaspersky products hanging or crashing due to driver conflicts between drivers used by VMWare NSX (vnetWFP.sys, previously vnetflt.sys) and Network Threat Protection component.

This problem is known to happen with following versions of KES and VMware Tools:

• KES 11.6 with VMWare Tools 10.0.9
• KES 11.6 and 11.7 with VMWare Tools 11.3.5
• KES 12 with VMWare Tools 10.1.7

Troubleshooting steps

1. Update VMWare Tools
   Sometimes there may be a bug in the driver built into VMWare Tools, and ESXi updates its images only through manually installed patches, and it compares installed version only to the version in it's storage, so even if ESXi says that the VM has current version of VMWare Tools, it may actually be outdated. Because of that, a new VM may run with outdated drivers.
   ESXi and VMWare Tools compatibility matrix: https://interopmatrix.vmware.com/Interoperability?col=1,&row=39,&isHidePatch=true&isHideGenSupported=false&isHideTechSupported=false&isHideCompatible=false&isHideNTCompatible=false&isHideIncompatible=false&isHideNotSupported=true&isCollection=false
   Latest supported VMWare Tools version for ESXi 6.5 and 6.7: https://packages.vmware.com/tools/releases/12.1.5/windows/
   VMWare Tools for ESXi 7.0 and newer: https://packages.vmware.com/tools/releases/latest/windows/

2. If that did not help, uninstall NSX Network Introspection drivers of VMWare Tools: https://kb.vmware.com/s/article/2149764
   This is the driver that is causing the conflict on VMWare's side, therefore removing it will resolve the conflict and should resolve the issue.

Next solution is temporary and should not be used in production for extended periods of time.

Disable Network Threat Protection in KES settings or in the policy, if it's controlled by KSC.
Network Threat Protection is using klwfp.sys driver, and that driver is causing the conflict with vnetWFP.sys. With that component turned off, the driver loads on startup, but doesn't do anything, avoiding conflict with vnetWFP in most cases.
Open KES Window -> Settings -> Network Threat Protection -> switch Network Threat Protection off
Open KES policy properties -> Essential Threat Protection -> Network Threat Protection -> Uncheck Network Threat Protection checkbox

If nothing helps, submit the case to the Kaspersky support with traces, GSI report including Windows event logs and a full memory dump.

Related Information

How to collect KES traces: https://support.kaspersky.com/kes11/diagnostics/14364

How to collect a full memory dump: https://support.kaspersky.com/common/diagnostics/10659

Link to GSI: https://media.kaspersky.com/utilities/ConsumerUtilities/GSI-6.2.2.43.exe