Malware Configurations
I briefly touched on antivirus recommendations in previous chapters, and there are
two main schools of thought. One is that the Hyper-V server is running in Server Core
configuration level, so it has no web browser, has limited vulnerabilities and a limited
attack surface, is patched regularly, is never locally connected to because all
management is remote, has a firewall enabled, and really does nothing but manage
virtual machines. The chance of the server being infected is slight, so many people will
say just don’t run malware protection. Additionally, it’s possible that malware
protection could introduce problems because it runs at a very low level within the
operating system. The Microsoft best practice is to run no additional applications on
the Hyper-V host, and strictly speaking, this would include malware protection.
I personally lean a little more toward defense in depth. I prefer to have many layers of
protection, which means malware support on the host. However, it’s critical that any
malware solution does not interfere with the Hyper-V processes or the resources of
virtual machines. At the time of this writing, this means that exceptions should be
configured in the malware solution not to scan the following:
Default virtual machine configuration directory
(C:\ProgramData\Microsoft\Windows\Hyper-V)
Custom virtual machine configuration directories
Default virtual hard disk drive directory (C:\Users\Public\Documents\Hyper-
V\Virtual Hard Disks)
Custom virtual hard disk drive directories
Custom replication data directories, if you are using Hyper-V Replica
Checkpoint directories
vmms.exe (Note that this file may have to be configured as a process exclusion
within the antivirus software.)
vmwp.exe (Note that this file may have to be configured as a process exclusion
within the antivirus software.)Failure to properly exclude Hyper-V resources will result in problems with virtual
machines starting and functioning correctly, as documented at
[http://support.microsoft.com/kb/961804/en-us. There is a great malware exception](http://support.microsoft.com/kb/961804/en-us. There is a great malware exception)
article for more Microsoft solutions at:
[http://social.technet.microsoft.com/wiki/contents/articles/953 .microsoft-anti-virus-](http://social.technet.microsoft.com/wiki/contents/articles/953 .microsoft-anti-virus-)
exclusion-list.aspx
While the risk of infection is low, if an infection did hit your Hyper-V server, the
impact would be large. There may also be audit problems for hosts with no malware
protection. It’s really an environmental choice to be made after weighing the pros and