Every Windows Server (Virtualized or not) needs to be protected by an Antivirus program.
It’s also important to protect the Hyper-V servers where the virtualized workloads are placed.
Before activating the Hyper-V role, I suggest installing an antivirus program on each server that will become part of the virtualization host environment.
The antivirus software should exclude the Hyper-V specific files listed in the article "Hyper-V: Antivirus Exclusions for Hyper-V Hosts", namely:
- All folders containing VHD, VHDX, AVHD, VSV and ISO files
- Default virtual machine configuration directory, if used (C:\ProgramData\Microsoft\Windows\Hyper-V)
- Default snapshot files directory, if used (%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots)
- Custom virtual machine configuration directories, if applicable
- Default virtual hard disk drive directory
- Custom virtual hard disk drive directories
- Snapshot directories
- Vmms.exe (Note: May need to be configured as process exclusions within the antivirus software)
- Vmwp.exe (Note: May need to be configured as process exclusions within the antivirus software)
Additionally, when you use Cluster Shared Volumes, exclude the CSV path “C:\ClusterStorage” and all its subdirectories.
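The list above, turned into a script that builds the exclusion set from the host's actual configuration instead of typing paths by hand. This is an added example, not part of the original article: it assumes Microsoft Defender Antivirus is the product in use (the article names none) and that the Hyper-V PowerShell module is installed; the `-Apply` switch is a name chosen for this example.

```powershell
# Added example. Assumes Microsoft Defender Antivirus and the Hyper-V module.
[CmdletBinding()]
param([switch]$Apply)   # without -Apply the script only reports what is missing

$vmHost = Get-VMHost
$paths  = @(
    "$env:ProgramData\Microsoft\Windows\Hyper-V"            # default VM configuration directory
    "$env:ProgramData\Microsoft\Windows\Hyper-V\Snapshots"  # default snapshot directory
    $vmHost.VirtualMachinePath                              # host-level defaults, possibly customized
    $vmHost.VirtualHardDiskPath
)

foreach ($vm in Get-VM) {
    # Custom configuration and snapshot directories set per VM
    $paths += $vm.ConfigurationLocation, $vm.SnapshotFileLocation
    # Folders holding attached virtual disks (pass-through disks have no file path)
    $paths += $vm | Get-VMHardDiskDrive |
        Where-Object { $_.Path -match '\.a?vhdx?$' } |
        ForEach-Object { Split-Path $_.Path -Parent }
}

# Cluster Shared Volumes root, only when this host uses CSV
if (Test-Path 'C:\ClusterStorage') { $paths += 'C:\ClusterStorage' }

# Normalize: drop empties and trailing backslashes, de-duplicate (case-insensitive)
$paths = $paths | Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

$processes = "$env:SystemRoot\System32\vmms.exe", "$env:SystemRoot\System32\vmwp.exe"

# Compare against what Defender already has, so reruns only report the gap
$pref        = Get-MpPreference
$missingPath = @($paths     | Where-Object { $_ -notin $pref.ExclusionPath })
$missingProc = @($processes | Where-Object { $_ -notin $pref.ExclusionProcess })

$missingPath | ForEach-Object { "path    : $_" }
$missingProc | ForEach-Object { "process : $_" }

if ($Apply) {
    if ($missingPath) { Add-MpPreference -ExclusionPath    $missingPath }
    if ($missingProc) { Add-MpPreference -ExclusionProcess $missingProc }
}
```

Run it once without `-Apply` from an elevated prompt and review the reported paths before adding them, so that only the directories the host really uses are left unscanned.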
- In the virtual machines no Hyper-V specific exclusions are needed. Add only the exclusions related to the installed services (SQL, IIS, …)
- As far as I know, today it is not possible to protect Hyper-V workloads using a technology similar to VMware vShield Endpoint (http://www.vmware.com/products/vsphere/features/endpoint.html), so every virtual machine needs to take care of its own scanning activity. You must take this into account when you plan antivirus policies: you must prevent all the virtual machines from starting their scans at the same time, which avoids performance problems.