Hyper-V Antivirus Exclusions

Every Windows Server (Virtualized or not) needs to be protected by an Antivirus program.

It’s also important to protect the Hyper-V servers where the virtualized workloads are placed.

Before activate the Hyper-V role, I suggest to install an Antivirus program on each Server that will become part of the virtualization host environment.

Hyper-V Antivirus Exclusions

Anti-virus software should exclude Hyper-V specific files using the Hyper-V: Antivirus Exclusions for Hyper-V Hosts article, namely:

  • All folders containing VHD, VHDX, AVHD, VSV and ISO files
  • Default virtual machine configuration directory, if used (C:\ProgramData\Microsoft\Windows\Hyper-V)
  • Default snapshot files directory, if used (%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots)
  • Custom virtual machine configuration directories, if applicable
  • Default virtual hard disk drive directory
  • Custom virtual hard disk drive directories
  • Snapshot directories
  • Vmms.exe (Note: May need to be configured as process exclusions within the antivirus software)
  • Vmwp.exe (Note: May need to be configured as process exclusions within the antivirus software)

Additionally, when you use Cluster Shared Volumes, exclude the CSV path “C:\ClusterStorage” and all its subdirectories.

For more information: http://social.technet.microsoft.com/wiki/contents/articles/2179.hyper-v-anti-virus-exclusions-for-hyper-v-hosts.aspx.

NOTES:

  • In the virtual machines no Hyper-V specific exclusions are needed. Add only the exclusions related to the installed services (SQL, IIS, …)
  • As far as I know, today is not possible to protect Hyper-V workloads using a technology similar to VMware vShield Endpoint so every Virtual Machine needs to take care of its own scanning activity. http://www.vmware.com/products/vsphere/features/endpoint.html. You must consider this as you plan antivirus policies. You must avoid every virtual machine to start scanning activity at the same time (you will prevent bad performance issues).
Advertisements

One thought on “Hyper-V Antivirus Exclusions

  1. Pingback: How to know if a Hardware is ready for Windows 2012 R2 | Marco Moioli's Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s