Configuring anti-virus protection and exclusions on a Server Virtualization Hyper-V Host
Whether a Hyper-V host really needs antivirus software installed is one of the most common discussions on the Internet (blogs and communities). In the book “Windows Server 2012 Hyper-V: Deploying Hyper-V Enterprise Server Virtualization Platform”, the author, Zahir Hussain Shah, highly recommends installing antivirus software with exclusions on the Hyper-V host.
Image copied from the book “Windows Server 2012 Hyper-V: Deploying Hyper-V Enterprise Server Virtualization Platform”.
“Hyper-V as a server role also needs to be protected against malicious viruses and attacks. In fact, a Hyper-V role becomes more critical than any other server role. For example, if your IIS web server gets infected by a virus, and as a first precautionary step, you need to remove the IIS web server from the network for maintenance purposes; only your web services will be affected for some time, in this case. But if your Hyper-V server role gets infected with a virus and you have to take down the Hyper-V machine for maintenance, it might affect the virtual machine running on it.”
According to the book “Windows Server 2012 Hyper-V Cookbook” by Leandro Carvalho, the author recommends installing antivirus software on the Hyper-V Hosts and Virtual Machines with exceptions.
“Security is the prime concern in all scenarios and as a Hyper-V administrator and you need to make sure that there are no compromises on your servers, either physical or virtual.”
According to the book “Windows Server 2012 Hyper-V Installation and Configuration” by Aidan Finn, Patrick Lownds, Michel Luescher and Damian Flynn, the authors have noted:
“We highly recommend that you check the Microsoft knowledge base for recommendations and correct configurations. Also the Microsoft Support KB article 961804 is not yet updated for Windows Server 2012. Do not assume that your product will work on Windows Server 2012 just because it did on Windows Server 2008 R2.”
According to the book “Mastering Hyper-V 2012 R2 with System Center and Windows Azure” by John Savill, the author has noted:
“The Microsoft best practice is to run no additional applications on the Hyper-V host, and strictly speaking, this would include malware protection.”
“I personally lean a little more toward defense in depth. I prefer to have many layers of protection, which means malware support on the host. However, it’s critical that any malware solution does not interfere with the Hyper-V processes or the resources of virtual machines.”
“Failure to correctly exclude Hyper-V resources will result in problems with virtual machines starting and functioning correctly, as documented at http://support.microsoft.com/kb/961804/en-us.”
“While the risk of infection is low, if an infection did hit your Hyper-V server, the impact would be large. There may also be audit problems for hosts with no malware protection.”
In the book “Hyper-V Best Practices” by Benedict Berger, the author has noted:
“I have seen antivirus engines on Hyper-V hosts doing bad things such as breaking a virtual hard disk, deleting an essential system file, or just producing a very intense amount of storage IOs. Excluding all relevant files and folders regarding Hyper-V and its VMs, there is nothing left worth scanning on a Hyper-V host. If you are not bound by a compliance policy, I highly recommend that you do not install antivirus products on Hyper-V.”
With all these recommendations on whether or not we should install antivirus software on the Hyper-V host, my personal view is that even if we have to exclude much of the configuration and virtual machine files related to the Hyper-V role, having a malware solution will be beneficial in protecting the remaining Windows system files and folders if configured properly. For the past 2 years, I have been using Microsoft System Center Endpoint Protection 2012 on Windows Server 2012 Hyper-V hosts in a production environment, and so far I have not faced any problem on the Hyper-V hosts because of the antivirus software. Make sure that your antivirus software supports Windows Server 2012/2012 R2 Hyper-V. I would leave the audience to make their own decision. Here, I am sharing the configuration that I have done in my production Hyper-V environment.
Perform the following steps to configure anti-virus protection and exclusions on the Hyper-V host:
Before configuring the anti-virus exceptions, we need to identify the default Virtual Hard Disks and Virtual Machines folder location paths. Note: Make sure that your antivirus software supports Windows Server 2012 Hyper-V.
1. Open Hyper-V Manager, select the Hyper-V host, and click Hyper-V Settings. The Hyper-V Settings window will open as given below.
2. In Hyper-V failover cluster environments, the location is C:\ClusterStorage, as shown in the figure.
3. Open the System Center Endpoint Protection antivirus software on the Hyper-V host computer, click the Settings tab, select Excluded files and locations, and add the following in File locations:
4. In Hyper-V failover cluster environments, also add C:\ClusterStorage in File locations.
5. In the System Center Endpoint Protection dialog box, select Excluded file types and add the following in File extensions:
6. In the System Center Endpoint Protection dialog box, select Excluded processes under Settings, add Virtual Machine Management Services (VMMS.exe) and the VM worker process (VMWP.exe) in Process names, and click Save changes.
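The check below is an added example, not part of the original article: a PowerShell audit, run on the Hyper-V host, that derives the file locations and processes from steps 1 to 6 and reports any that are not covered by the exclusion lists you pass in. The function names are hypothetical, the per-VM folder check goes beyond the default folders the steps cover, and file-extension exclusions are left out because the article's extension list is not reproduced here.

```powershell
# Added example; function names are hypothetical, not from the original article.
function Test-Covered {
    param([string]$Path, [string[]]$Excluded)
    # Covered when the folder equals an excluded location or lies beneath one.
    $p = $Path.TrimEnd('\') + '\'
    foreach ($e in $Excluded) {
        if (-not $e) { continue }
        $root = $e.TrimEnd('\') + '\'
        if ($p.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-HyperVExclusionGap {
    param(
        [string[]]$ConfiguredPaths = @(),     # File locations entered in the antivirus product
        [string[]]$ConfiguredProcesses = @()  # Process names entered in the antivirus product
    )
    # Step 1: default folders shown in Hyper-V Settings.
    $vmHost = Get-VMHost
    $wanted = @($vmHost.VirtualHardDiskPath, $vmHost.VirtualMachinePath)
    # Steps 2 and 4: cluster shared volumes, present only on failover cluster nodes.
    if (Test-Path -LiteralPath 'C:\ClusterStorage') { $wanted += 'C:\ClusterStorage' }
    # Assumption beyond the article: VMs stored outside the defaults need their folders too.
    foreach ($vm in Get-VM) {
        $wanted += $vm.Path
        $wanted += @(Get-VMHardDiskDrive -VM $vm |
            Where-Object { $_.Path -match '^([A-Za-z]:|\\)\\' } |
            ForEach-Object { Split-Path -Parent $_.Path })
    }
    $gaps = @()
    foreach ($w in ($wanted | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Covered -Path $w -Excluded $ConfiguredPaths)) {
            $gaps += [pscustomobject]@{ Type = 'FileLocation'; Missing = $w }
        }
    }
    # Step 6: VMMS.exe and VMWP.exe; accept a bare name or a full path in the configured list.
    $haveProc = @($ConfiguredProcesses | Where-Object { $_ } | ForEach-Object { Split-Path -Leaf $_ })
    foreach ($proc in 'vmms.exe', 'vmwp.exe') {
        if ($haveProc -notcontains $proc) {
            $gaps += [pscustomobject]@{ Type = 'Process'; Missing = $proc }
        }
    }
    return $gaps
}

# Constructed sample input: what an administrator might have typed into the product.
Get-HyperVExclusionGap -ConfiguredPaths 'C:\ClusterStorage' -ConfiguredProcesses 'vmms.exe'
```

An empty result means every VM folder and both Hyper-V processes are covered; each returned row is a location or process that real-time scanning can still touch.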
I hope this article will help those who decide to install an antivirus solution on their Hyper-V hosts.