Antivirus on a Hyper-V Host: Do You Need It?

You have just deployed Hyper-V and the (in)security officer has decided that the standard edict of “all files and processes must be scanned because Windows is insecure” must be applied. Here’s my advice: Get that in writing. No, better: Get that written in their own blood, with your boss, your boss’s boss, and the (in)security officer’s boss as witnesses. Why? You’re going to have nothing but trouble, and you might even appear to lose some of your VMs after your next patch deployment cycle. In this post, I will discuss the need for antivirus on the Management OS of a Hyper-V host, and how you should configure it.

Configuring Antivirus on Hyper-V

If you apply that (in)security officer’s misguided and ill-informed (I’m struggling to be polite) instructions, then you are sure to experience one of the following errors when your hosts reboot:

  • The requested operation cannot be performed on a file with a user-mapped section open. (0x800704C8)
  • VMName’ Microsoft Synthetic Ethernet Port (Instance ID{7E0DA81A-A7B4-4DFD-869F-37002C36D816}): Failed to Power On with Error ‘The specified network resource or device is no longer available.’ (0x80070037).
  • The I/O operation has been aborted because of either a thread exit or an application request. (0x800703E3)

Your VM will fail to start, and it might even disappear from Hyper-V Manager and every other Hyper-V management tool. The files are still there; but uncontrolled antivirus has caused problems.

computer virus funny
We kid, we kid. Kinda. Sometimes.


Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

Hyper-V, like most server products from Microsoft, has guidance for configuring antivirus scanning exceptions. The guidance says that you should prevent scanning of the following files and folders:

  • All folders containing VHD, VHDX, AVHD, AVHDX, VSV and ISO files
  • Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V), if it is used
  • Default snapshot (checkpoints) files directory (%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots), if it is used 
  • Custom virtual machine configuration directories, if applicable
  • Virtual machine virtual hard disk files (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks) directory if it is used
  • Custom virtual hard disk drive directories

You should not scan the following processes:

  • VMMS.EXE: The Hyper-V Virtual Machine Management Service providing a WMI interface to manage Hyper-V
  • VMWP.EXE: Each running VM has a Worker Process in the Management OS

Finally, you should disable scanning of C:\ClusterStorage (Cluster Shared Volume mount points are created here) and all subdirectories.

Do You Need Antivirus?

I never install antivirus on Hyper-V hosts. The Windows Firewall is up. Only a subset of admins get to log in; not everyone needs to be a Hyper-V administrator, and SCVMM allows delegation and public/private cloud allows self-service. And only the required software (systems management agents or virtual switch extensions) is installed.

Best practice (some would argue that it is a support statement) is that you should not install any unnecessary software in the Management OS of a Hyper-V host. A Hyper-V host is a Hyper-V host, and it is nothing but a Hyper-V host. If you need software or services then install them in VMs that run on the Hyper-V host.

Do you really edit documents, read your email, or surf the web from your Hyper-V hosts? If so, you and your employer deserve everything bad that could possibly happen to you – at least, that’s my opinion on the matter.

Why do I not like AV on the hosts? AV is another variable in troubleshooting, and AV has been known to be responsible for a lot of issues; one of the big players has appeared in a lot of Microsoft KB articles over the years. And even if I do configure my exceptions, what’s to stop some security “expert” from thinking they know better and change the settings? Or (and this has happened) what if an update to the engine or definition files resets my exceptions or starts treating my VM files as malware?!

The choice is yours. Discuss the decision with your boss, document it, and if the security officer wants a “scan everything policy,” then get their witnessed signature onto some paperwork and make sure the directors know the risk. That SAN-subscribing “expert” might change their mind when their power play looks like it will backfire.

Related Topics:

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
Don't leave your business open to attack! Come learn how to protect your AD in this FREE masterclass!REGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: