Configuring an anti-virus protection and exclusions on Server Virtualization Hyper-V Host
This is one of the most common discussions on the Internet (blogs and communities) about whether a Hyper-V Host really needs to have antivirus software installed. According to the book “Windows Server 2012 Hyper-V: Deploying Hyper-V Enterprise Server Virtualization Platform” by Zahir Hussain Shah, the author highly recommends installing antivirus software with exclusions on Hyper-V Host.
Image copy from Windows Server 2012 Hyper-V: Deploying Hyper-V Enterprise Server Virtualization Platform book
“Hyper-V as a server role also needs to be protected against malicious viruses and attacks. In fact, a Hyper-V role becomes more critical than any other server role. For example, if your IIS web server gets infected by a virus, and as a first precautionary step, you need to remove the IIS web server from the network for maintenance purposes; only your web services will be affected for some time, in this case. But if your Hyper-V server role gets infected with a virus and you have to take down the Hyper-V machine for maintenance, it might affect the virtual machine running on it.”
According to the book “Windows Server 2012 Hyper-V Cookbook” by Leandro Carvalho, the author recommends installing antivirus software on the Hyper-V Hosts and Virtual Machines with exceptions.
“Security is the prime concern in all scenarios and as a Hyper-V administrator and you need to make sure that there are no compromises on your servers, either physical or virtual.”
According to the book “Windows Server 2012 Hyper-V Installation and Configuration” by Aidan Finn, Patrick Lownds, Michel Luescher and Damian Flynn, the authors have noted:
“We highly recommend that you check the Microsoft knowledge base for recommendations and correct configurations. Also the Microsoft Support KB article 961804 is not yet updated for Windows Server 2012. Do not assume that your product will work on Windows Server 2012 just because it did on Windows Server 2008 R2.”
According to the book “Mastering Hyper-V 2012 R2 with System Center and Windows Azure” by John Savill, the author has noted:
“The Microsoft best practice is to run no additional applications on the Hyper-V host, and strictly speaking, this would include malware protection.”
“I personally lean a little more toward defense in depth. I prefer to have many layers of protection, which means malware support on the host. However, it’s critical that any malware solution does not interfere with the Hyper-V processes or the resources of virtual machines.”
“Failure to correctly exclude Hyper-V resources will result in problems with virtual machines starting and functioning correctly, as documented at http://support.microsoft.com/kb/961804/en-us.”
“While the risk of infection is low, if an infection did hit your Hyper-V server, the impact would be large. There may also be audit problems for hosts with no malware protection.”
In the book “Hyper-V Best Practices” by Benedict Berger, the author has noted:
“I have seen antivirus engines on Hyper-V hosts doing bad things such as breaking a virtual hard disk, deleting an essential system file, or just producing a very intense amount of storage IOs. Excluding all relevant files and folders regarding Hyper-V and its VMs, there is nothing left worth scanning on a Hyper-V host. If you are not bound by a compliance policy, I highly recommend that you do not install antivirus products on Hyper-V.”
With all these recommendations on whether or not we should install antivirus software on Hyper-V Host, my personal view is that even if we have to exclude much of the configuration and virtual machine files related to Hyper-V role, having a malware solution will be beneficial in protecting the remaining Windows system files and folders if configured properly. For the past 2 years, I have been using Microsoft System Center Endpoint Protection 2012 on the Windows Server 2012 Hyper-V Hosts in production environment and so far I have not faced any problem on the Hyper-V Hosts because of the antivirus software. Make sure that your antivirus software supports Windows Server 2012/ 2012 R2 Hyper-V. I would leave the audience to make their own decision. Here, I am sharing the configuration that I have done in my production Hyper-V environment.
Perform the following steps configuring an anti-virus protection and exclusions on Hyper-V Host:
Before configuring the anti-virus exceptions, we need to identify the default Virtual Hard Disks and Virtual Machines folder location paths. Note: Make use that antivirus software supports Windows Server 2012 Hyper-V.
1. Open Hyper-V Manager, select Hyper-V Host, and click on Hyper-V Settings. The Hyper-V Settings windows will open as given below.
2. In Hyper-V failover cluster environments, C:\ClusterStorage as shown in figure.
3. Open System Center Endpoint Protection antivirus software on the Hyper-V Host computer, click Settings tab, select Excluded files and locations, add the followings in File locations:
4. In Hyper-V failover cluster environments, in File locations: add C:\ClusterStorage.
5. In the System Center Endpoint Protection dialog box, select Excluded file types and add following in File extensions:
6. In the System Center Endpoint Protection dialog box, select Excluded processes under settings, add Virtual Machine Management Services (VMMS.exe) and VM worker process (VMWP.exe) in the Process names and Save changes.
I hope this article will help those who decide to install antivirus solution on their Hyper-V hosts.
- Deploy and Configure VM Scale Sets (VMSS) in the Azure Portal - February 24, 2019
- Configuring an Availability Set with the Azure Load Balancer - February 9, 2019
- Creating and Connecting Linux Ubuntu VM in Azure - December 29, 2018
- My Precious IT Books Collections - March 1, 2018
- Configuring Azure Traffic Manager using Performance Based Routing Method - January 20, 2018
- Configuring a Point-to-Site Connection to a VNet using Azure Portal - November 28, 2017
- Configuring a VNet-to-VNet VPN Gateway Connection Using the Azure Portal - October 27, 2017
- Configuring Azure VNet Peering by using the Azure Portal - October 19, 2017
- Using the Azure Portal to Create Virtual Networks, Add Subnets and Setting up a DNS Server Address - October 17, 2017
- Extend Azure Virtual Machine OS drive using Azure Portal - June 30, 2017