You have just deployed Hyper-V and the (in)security officer has decided that the standard edict of “all files and processes must be scanned because Windows is insecure” must be applied. Here’s my advice: Get that in writing. No, better: Get that written in their own blood, with your boss, your boss’s boss, and the (in)security officer’s boss as witnesses. Why? You’re going to have nothing but trouble, and you might even appear to lose some of your VMs after your next patch deployment cycle. In this post, I will discuss the need for antivirus on the Management OS of a Hyper-V host, and how you should configure it.
If you apply that (in)security officer’s misguided and ill-informed (I’m struggling to be polite) instructions, then you are sure to experience one of the following errors when your hosts reboot:
Your VM will fail to start, and it might even disappear from Hyper-V Manager and every other Hyper-V management tool. The files are still there; but uncontrolled antivirus has caused problems.
Hyper-V, like most server products from Microsoft, has guidance for configuring antivirus scanning exceptions. The guidance says that you should prevent scanning of the following files and folders:
You should not scan the following processes:
Finally, you should disable scanning of C:\ClusterStorage (Cluster Shared Volume mount points are created here) and all of its subdirectories.
I never install antivirus on Hyper-V hosts. The Windows Firewall is up. Only a subset of admins get to log in; not everyone needs to be a Hyper-V administrator, and SCVMM allows delegation and public/private cloud allows self-service. And only the required software (systems management agents or virtual switch extensions) is installed.
Best practice (some would argue that it is a support statement) is that you should not install any unnecessary software in the Management OS of a Hyper-V host. A Hyper-V host is a Hyper-V host, and it is nothing but a Hyper-V host. If you need software or services then install them in VMs that run on the Hyper-V host.
Do you really edit documents, read your email, or surf the web from your Hyper-V hosts? If so, you and your employer deserve everything bad that could possibly happen to you – at least, that’s my opinion on the matter.
Why do I not like AV on the hosts? AV is another variable in troubleshooting, and AV has been known to be responsible for a lot of issues; one of the big players has appeared in a lot of Microsoft KB articles over the years. And even if I do configure my exceptions, what’s to stop some security “expert” from thinking they know better and changing the settings? Or (and this has happened) what if an update to the engine or definition files resets my exceptions or starts treating my VM files as malware?!
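If you do end up running AV on the management OS, the two practical problems above are applying the exclusions in the first place and noticing when an engine or definition update quietly drops them. The script below is an added example, not part of the original post or of any Microsoft guidance; it assumes Windows Defender on the host (the `Defender` PowerShell module) and the `Hyper-V` module, and it builds the path exclusion set from the host's own configured VM and VHD locations plus the C:\ClusterStorage root named above, rather than from a hard-coded list. Other AV products need their own equivalent of `Get-MpPreference`/`Add-MpPreference`. Run it read-only from a scheduled task to detect drift; pass `-Remediate` to re-add anything missing.

```powershell
#Requires -Modules Hyper-V, Defender
# Added example (not the post's own code): compare the exclusions a Hyper-V host
# needs against what Windows Defender currently has, so that an update that
# resets them shows up as a warning instead of as a VM that fails to start.
param(
    [switch]$Remediate   # re-add missing exclusions instead of only reporting them
)

# Normalise paths so "D:\VMs" and "D:\VMs\" compare equal.
function Normalize-ExclusionPath([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    return $Path.TrimEnd('\')
}

$expected = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

# Cluster Shared Volume mount-point root (from the post).
[void]$expected.Add('C:\ClusterStorage')

# Host-wide default locations for new VM configuration files and virtual hard disks.
$vmHost = Get-VMHost
[void]$expected.Add((Normalize-ExclusionPath $vmHost.VirtualMachinePath))
[void]$expected.Add((Normalize-ExclusionPath $vmHost.VirtualHardDiskPath))

# Individual VMs may live outside the host defaults, so collect their
# configuration, checkpoint, smart-paging and disk directories as well.
foreach ($vm in Get-VM) {
    foreach ($p in @($vm.ConfigurationLocation, $vm.SnapshotFileLocation, $vm.SmartPagingFilePath)) {
        $n = Normalize-ExclusionPath $p
        if ($n) { [void]$expected.Add($n) }
    }
    foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
        if ($disk.Path) {
            [void]$expected.Add((Normalize-ExclusionPath (Split-Path -Path $disk.Path -Parent)))
        }
    }
}
$expected.Remove($null) | Out-Null

# What Defender actually excludes right now (empty list if nothing is configured).
$current = @((Get-MpPreference).ExclusionPath | ForEach-Object { Normalize-ExclusionPath $_ })

$missing = @($expected | Where-Object { $current -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Output "OK: all $($expected.Count) Hyper-V path exclusions are present."
    exit 0
}

Write-Warning "Missing Defender path exclusions (possible reset by an engine/definition update):"
$missing | ForEach-Object { Write-Warning "  $_" }

if ($Remediate) {
    # Add-MpPreference appends to the existing exclusion list; it does not replace it.
    Add-MpPreference -ExclusionPath $missing
    Write-Output "Re-added $($missing.Count) exclusion(s)."
    exit 0
}

# Non-zero exit so a monitoring agent or scheduled task can flag the drift.
exit 1
```

The script deliberately derives the list from `Get-VMHost` and `Get-VM` rather than from a static path list, because the host defaults and per-VM locations drift over time as storage is added; a fixed list written at deployment is exactly the kind of exception set that silently stops matching reality.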
The choice is yours. Discuss the decision with your boss, document it, and if the security officer wants a “scan everything policy,” then get their witnessed signature onto some paperwork and make sure the directors know the risk. That SAN-subscribing “expert” might change their mind when their power play looks like it will backfire.