Basically you are right. VMware cannot check every software for compatibility. Sure ... but what I didn't mention in the articles posted so far is, that NAV (Norton AntiVirus) and PGP (Pretty Good Privacy - encryption software) also waits until VMware Authentification Service is started.
Together with Sunbelt, that makes 3 software packages which uses services, which don't start until VMware is up and running. This concludes that there is most probably something wrong with the VMware code.
Anyway ... I found out during further tests that when disabling the Sunbelt's "Host Intrusion and Prevention System (HIPS)", the firewall starts properly. However I have no clue in how far HIPS is connected to VMware.
Here an excerpt from the HIPS documentation:
\---- cut here -
HIPS configuration
Parameters of the intrusion detection system can be set in the Intrusions section (see figure 1. The Intrusions section).
HIPS can detect and filter out the two most wide spread technologies used for execution of malicious codes: Buffer Overflow and Code Injection (injects malicious code into another process).
Figure 1. Intrusion Detection — Setting the intrusion prevention module
Buffer Overflow
The Buffer Overflow technology misuses insufficient control of application's input data. Unless size of read data is limited and controlled, an attacker may overwrite return address of the running program and execute their own code. However, this code is executed from the buffer reserved for data. This is then considered as a non-standard behaviour and detected by the HIPS module. Possible attempts on execution of possibly dangerous actions (process execution, file opening, network connection establishing, etc.) are blocked.
Block buffer overflow code execution
This option allows to disable running a code in case of a buffer overflow.
Log attempts to HIPS log
If this option is enabled, all detected intrusions are logged in the HIPS log (see chapter HIPS Log).
Don't show any alerts for this event type
Check this option to disable alert windows for intrusion attempts (see chapter Host Intrusions Alerts).
Use the Exceptions button to specify an executable to which this attack type check will not apply. Before setting an exception, check if the attempt is not a real intrusion.
Code Injection
The Code Injection technology is based on misusing of authorization of another running trustworthy process. The infected application (with corresponding authorization) writes a malicious executable code in the memory space of the process or it connects to the dynamic library of the process. By special calling of the operating system, the code is executed. This way the attacker makes their code being executed using the authorization of the trustworthy process.
The HIPS module detects and blocks execution of codes written by special calling of the operating system to the memory of a trustworthy process. In such cases, functionality of attacked application is usually not interfered.
Block executable code injection
Check this option to block executable code injection.
Log attempts to HIPS log
If this option is enabled, all detected intrusions are logged in the HIPS log (see chapter HIPS Log).
Don't show any alerts for this event type
Check this option to disable alert windows for intrusion attempts (see chapter Host Intrusions Alerts).
The Code injection technology is used by various legitimate applications — these applications will not function correctly. For such cases, Kerio Personal Firewall allows to define exceptions, i.e. list of applications which can use this technology. Exception for an application can be defined in the Code injection exceptions dialog (opened by the Exceptions option) where a relevant executable file can be browsed.
\---- cut here -
Even if VMware would have code which would trigger these firewall protection measures, there would be an alert (popup window) from the firewall. But there is none!
In any case, the firewall service should not be stopping!
Bye,
