VMware Communities
srg123
Contributor

VMNAT.exe in syswow64 - malware?

I keep seeing connection attempts by this program to various Internet IP addresses. Norton AV keeps identifying the attempts as different forms of malware; the most recent two have been "Trojan Ad.clicker Activity 7" and "Web Attack: Fake Scan Webpage 16". Every time I try to end the process, it restarts.

Is this malware?  Where should "VMNat.exe" execute from?  There seems to be more than one.

Also, just curious, but I never browse the web outside my VMs, so how did this get outside the VM, and on my base Windows OS?

wila
Immortal

Hi,

VMnat.exe is indeed from VMware and (to my surprise) it is actually running from the Windows\SysWow64 folder.

It's considered bad practice to install any of your applications under the Windows folder, so I can't blame you for wondering if it is malware.

You can verify if it is a valid binary by checking the signature.

Like so:

[screenshot: pastedImage_0.png, the file's Digital Signatures properties tab]

The VMNat file is the one that takes care of the internet connection that is given to the VM.

It does this when you have selected "NAT: Used to share the host's IP Address" for your network adapter.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
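The signature check wila describes, done from an elevated PowerShell prompt instead of the file properties dialog. This is an added example and not part of the original post or VMware's own tooling; the candidate paths are assumptions for a default Windows install, and the `SignerIsVMware` test only looks for the vendor name in the certificate subject.

```powershell
# Added example: verify the Authenticode signature of every vmnat.exe that
# could be the one actually running, so the copy in SysWOW64 can be compared
# with any stale copies elsewhere on the disk.

# Assumed default locations; adjust if Windows is installed elsewhere.
$candidates = @(
    "$env:SystemRoot\SysWOW64\vmnat.exe",
    "$env:SystemRoot\System32\vmnat.exe"
)

# Add the path of the running process (if any), which is the copy that matters.
$candidates += Get-Process -Name vmnat -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Path -Unique

$existing = $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

foreach ($path in $existing) {
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Path           = $path
        # Only 'Valid' is acceptable; 'HashMismatch' means the bytes changed after signing.
        Status         = $sig.Status
        Signer         = if ($cert) { $cert.Subject } else { '(unsigned)' }
        CertNotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        # Signature algorithm of the signing certificate itself (e.g. sha256RSA vs sha1RSA).
        CertSigAlgo    = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
        SignerIsVMware = if ($cert) { $cert.Subject -match 'VMware' } else { $false }
        # File hash, useful for comparing copies or looking the file up later.
        SHA256         = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
```

A `Status` other than `Valid`, or a subject that does not name the vendor, is the signal to treat the file as suspect; an expired certificate on an old copy is expected when the file was timestamped at signing time, as the later reply in this thread observes.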
srg123
Contributor

I stopped all VMware services, made them all Manual start, then started VMware. Sure enough, I couldn't get an IP address until I started VMNAT.exe, and the service shows up as the SysWOW64 version. There are 3 other VMNAT.exe files on my PC, all in directories that have the words "Duplicate Data" in the folder name somewhere. All the certificates for those application files expired in 2010, and just feature SHA1. The SysWOW64 version expires in 2026, and includes SHA256. So, it seems that the SysWOW64 version is the correct one, though VMware perhaps could have cleaned up the old ones, and found a different place to put this application? (I have had VMware Workstation for a long time, multiple upgrades.)


What it doesn't explain is the network activity. Yesterday at about 1 PM, Norton detected VMNat.exe attempting to transmit data to 104.28.1.101:80, and blocked the attempt, accusing VMNat.exe of being the culprit. My firewall logs showed that a similar attempt was successful at about 11:30 that morning, for 54 seconds to the same IP address. A lot of data can be transferred in 54 seconds. The previous time the IP address was 166.52.27.58. Both were from my base Windows OS, and I never use it to browse.

So, I am still worried that VMNAT.EXE is somehow corrupted.

bluefirestorm
Champion

I am afraid it is more likely it is the VM(s) that are infected with malware rather than having a corrupted vmnat.exe.

Whatever network connections you see in the VM through netstat at the command prompt will show up as connections on the Windows host with [vmnat.exe] as the binary executable involved in the connection, using netstat -b in an Admin command prompt.

The "rules of the road" for internet safety/security still apply when using VMs to browse the internet. It is not any more safe than using the host machine; in some instances it might be even less safe.

One example is using VMs via NAT to surf the internet on a public WiFi. I haven't used Windows on a public WiFi for a while. But I recall that with Windows 7, you have the choice to choose "Public network" when connecting to a public WiFi such as in hotels/airports/etc. The problem with VMs through NAT is that their network profile won't change, as they still see the VMNAT as the same network. So if it is set up for "Home Network", more ports are open, and when the VM connects through NAT on a public WiFi, the "Home Network" profile remains and in theory makes it more vulnerable.

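The host-side half of the correlation bluefirestorm describes, as an added example that is not part of the original post: instead of reading `netstat -b` output by eye, this lists only the TCP connections owned by the vmnat.exe process so they can be matched against a `netstat -ano` run inside each guest. It assumes a Windows 8 or later host with the NetTCPIP module (standard) and that vmnat.exe is the only NAT process; the loopback exclusion list is an assumption as well.

```powershell
# Added example: show which remote hosts the NAT process is talking to right now.
# The host cannot tell which guest owns a NAT'd flow, so the remote address and
# port are the only keys available to match against a guest-side netstat.

$vmnatPids = Get-Process -Name vmnat -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id

if (-not $vmnatPids) {
    Write-Warning 'vmnat.exe is not running: NAT service stopped, or no NAT adapter in use.'
    return
}

# Assumed: local loopback traffic between vmnat and other VMware services is noise here.
$loopback = @('127.0.0.1', '::1')

$conns = Get-NetTCPConnection -OwningProcess $vmnatPids -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Established' -and $_.RemoteAddress -notin $loopback }

if (-not $conns) {
    Write-Host 'No established outbound TCP connections owned by vmnat.exe at this moment.'
    return
}

# Per-connection view: these remote address/port pairs should each appear in a guest's netstat.
$conns |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, CreationTime |
    Sort-Object RemoteAddress, RemotePort |
    Format-Table -AutoSize

# Summary view: one row per remote host, so an unexpected destination stands out
# even when a guest opens many short connections to it.
$conns | Group-Object RemoteAddress | ForEach-Object {
    [pscustomobject]@{
        RemoteAddress = $_.Name
        Connections   = $_.Count
        RemotePorts   = ($_.Group.RemotePort | Sort-Object -Unique) -join ','
        Oldest        = ($_.Group.CreationTime | Sort-Object | Select-Object -First 1)
    }
} | Sort-Object Connections -Descending | Format-Table -AutoSize
```

Run the host side and the guest side (`netstat -ano` in each running VM) at the same moment and match the remote address/port pairs; a connection that is present on the host under vmnat.exe but in none of the guests' netstat output, or one that appears while no guest is running, is the case worth investigating further rather than the NAT binary itself. Note that this only covers TCP; UDP flows through NAT have no state to list on the host side.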
wila
Immortal

Hi,

If the signature is valid, the file is not corrupted. Once you change a single bit in the file, the signature is no longer valid.

Btw, of your IP addresses, one goes to Cloudflare and the other one to Verizon (it mentions swipper; I have no idea what that means).

If you had no guests running at the time then it would be at least a bit strange to have your vmnat.exe connect to something.

If OTOH there was a guest running then it is completely expected that it connects to "somewhere" as an OS connects to the internet all the time.

If it was my machine and I was suspicious of this I would run a network sniffer and look at the captures afterwards to see what it was doing.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva