Antivirus on a Hyper-V Host: Do You Need It?

You have just deployed Hyper-V and the (in)security officer has decided that the standard edict of “all files and processes must be scanned because Windows is insecure” must be applied. Here’s my advice: Get that in writing. No, better: Get that written in their own blood, with your boss, your boss’s boss, and the (in)security officer’s boss as witnesses. Why? You’re going to have nothing but trouble, and you might even appear to lose some of your VMs after your next patch deployment cycle. In this post, I will discuss the need for antivirus on the Management OS of a Hyper-V host, and how you should configure it.

Configuring Antivirus on Hyper-V

If you apply that (in)security officer’s misguided and ill-informed (I’m struggling to be polite) instructions, then you are sure to experience one of the following errors when your hosts reboot:

  • The requested operation cannot be performed on a file with a user-mapped section open. (0x800704C8)
  • ‘VMName’ Microsoft Synthetic Ethernet Port (Instance ID {7E0DA81A-A7B4-4DFD-869F-37002C36D816}): Failed to Power On with Error ‘The specified network resource or device is no longer available.’ (0x80070037).
  • The I/O operation has been aborted because of either a thread exit or an application request. (0x800703E3)

Your VM will fail to start, and it might even disappear from Hyper-V Manager and every other Hyper-V management tool. The files are still on disk, but unrestricted antivirus scanning has interfered with them.

[Image: computer virus cartoon] We kid, we kid. Kinda. Sometimes.
Hyper-V, like most server products from Microsoft, has guidance for configuring antivirus scanning exceptions. The guidance says that you should prevent scanning of the following files and folders:

  • All folders containing VHD, VHDX, AVHD, AVHDX, VSV and ISO files
  • Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V), if it is used
  • Default snapshot (checkpoints) files directory (%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots), if it is used
  • Custom virtual machine configuration directories, if applicable
  • Virtual machine virtual hard disk files (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks) directory if it is used
  • Custom virtual hard disk drive directories

You should not scan the following processes:

  • VMMS.EXE: The Hyper-V Virtual Machine Management Service providing a WMI interface to manage Hyper-V
  • VMWP.EXE: Each running VM has a Worker Process in the Management OS

Finally, you should disable scanning of C:\ClusterStorage (Cluster Shared Volume mount points are created here) and all subdirectories.
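If you do end up with antivirus on the host, the exclusions above should come from the host's real configuration rather than a hand-typed list, and they should be re-checked after engine or definition updates. The script below is an added example, not from the original post or from Microsoft; it assumes Windows Defender (the Defender PowerShell cmdlets) and the Hyper-V PowerShell module are present, and that it runs elevated on the host.

```powershell
# Added example: derive Defender exclusions from the host's actual Hyper-V paths,
# apply them, then audit for drift (e.g. an update that reset the exclusion list).
Import-Module Hyper-V

$vmHost = Get-VMHost
$expectedPaths = @(
    $vmHost.VirtualMachinePath,                                   # host default VM config path
    $vmHost.VirtualHardDiskPath,                                  # host default VHD/VHDX path
    'C:\ProgramData\Microsoft\Windows\Hyper-V',                   # default VM configuration directory
    "$env:SystemDrive\ProgramData\Microsoft\Windows\Hyper-V\Snapshots",
    'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks'
)

# Custom per-VM configuration, checkpoint and disk directories
foreach ($vm in Get-VM) {
    $expectedPaths += $vm.ConfigurationLocation
    $expectedPaths += $vm.SnapshotFileLocation
    foreach ($disk in $vm.HardDrives) {
        if ($disk.Path) { $expectedPaths += Split-Path -Path $disk.Path -Parent }
    }
}

# Cluster Shared Volume mount points, only on clustered hosts
if (Test-Path 'C:\ClusterStorage') { $expectedPaths += 'C:\ClusterStorage' }

$expectedPaths = $expectedPaths | Where-Object { $_ } | Sort-Object -Unique
$expectedExtensions = @('vhd', 'vhdx', 'avhd', 'avhdx', 'vsv', 'iso')
$expectedProcesses  = @('vmms.exe', 'vmwp.exe')

# Apply (Add-MpPreference appends; existing entries are left alone)
Add-MpPreference -ExclusionPath $expectedPaths
Add-MpPreference -ExclusionExtension $expectedExtensions
Add-MpPreference -ExclusionProcess $expectedProcesses

# Audit: report anything missing, so a reset exclusion list is noticed before the next reboot
$pref = Get-MpPreference
$missing = @()
$missing += $expectedPaths      | Where-Object { $pref.ExclusionPath      -notcontains $_ }
$missing += $expectedExtensions | Where-Object { $pref.ExclusionExtension -notcontains $_ }
$missing += $expectedProcesses  | Where-Object { $pref.ExclusionProcess   -notcontains $_ }

if ($missing.Count -eq 0) {
    Write-Output 'All Hyper-V exclusions are present.'
} else {
    Write-Warning ("Missing Hyper-V exclusions:`n" + ($missing -join "`n"))
}
```

Run the audit part on a schedule; it is the cheapest way to catch the "update reset my exceptions" case.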

Do You Need Antivirus?

I never install antivirus on Hyper-V hosts. The Windows Firewall is up. Only a subset of admins get to log in; not everyone needs to be a Hyper-V administrator, and SCVMM allows delegation and public/private cloud allows self-service. And only the required software (systems management agents or virtual switch extensions) is installed.

Best practice (some would argue that it is a support statement) is that you should not install any unnecessary software in the Management OS of a Hyper-V host. A Hyper-V host is a Hyper-V host, and it is nothing but a Hyper-V host. If you need software or services then install them in VMs that run on the Hyper-V host.

Do you really edit documents, read your email, or surf the web from your Hyper-V hosts? If so, you and your employer deserve everything bad that could possibly happen to you – at least, that’s my opinion on the matter.

Why do I not like AV on the hosts? AV is another variable in troubleshooting, and AV has been known to be responsible for a lot of issues; one of the big players has appeared in a lot of Microsoft KB articles over the years. And even if I do configure my exceptions, what’s to stop some security “expert” from thinking they know better and changing the settings? Or (and this has happened) what if an update to the engine or definition files resets my exceptions or starts treating my VM files as malware?!

The choice is yours. Discuss the decision with your boss, document it, and if the security officer wants a “scan everything” policy, then get their witnessed signature onto some paperwork and make sure the directors know the risk. That SANS-subscribing “expert” might change their mind when their power play looks like it will backfire.