Hyper-V: Anti-Virus Exclusions for Hyper-V Hosts

Hyper-V: Anti-Virus Exclusions for Hyper-V Hosts

Note: this material is excerpted from:  Planning for Hyper-V Security at http://technet.microsoft.com/en-us/library/dd283088(WS.10).aspx



As a best practice, you should NOT run any applications in the management operating system (also called a host or sometimes the Hyper-V server)—run all applications on virtual machines. By keeping the management operating system free of applications and running a Windows Server 2008 core installation, you will need fewer updates to the management operating system because nothing requires software updates except the Server Core installation, the Hyper-V service components, and the hypervisor.



If you choose to run programs in the management operating system, you should also run your antivirus solution there and add the following to the antivirus exclusions to avoid negative performance impacts to all Virtual Machines running on that host:

  • All folders containing VHD, VHDX, AVHD, VSV and ISO files

  • Default virtual machine configuration directory, if used (C:\ProgramData\Microsoft\Windows\Hyper-V)

  • Default snapshot files directory, if used (%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots)

  • Custom virtual machine configuration directories, if applicable

  • Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks. 

  • Custom virtual hard disk drive directories

  • Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots. 

  • Vmms.exe (Note: May need to be configured as process exclusions within the antivirus software)

  • Vmwp.exe (Note: May need to be configured as process exclusions within the antivirus software)

  • Additionally, when you use Cluster Shared Volumes, exclude the CSV path "C:\ClusterStorage" and all its subdirectories.

 

For the workload-specific AV exclusions to run in each virtual machine, see Windows Anti-Virus Exclusion List.

 


If your VMs are not starting, see KB 961804 Virtual machines are missing in the Hyper-V Manager Console or when you create or start a virtual machine, you receive one of the following error codes: "0x800704C8", "0x80070037" or "0x800703E3

Leave a Comment
  • Please add 6 and 3 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • Thiago Cardoso Luiz edited Revision 11. Comment: add information by askpfelatam

  • Ben Armstrong [MSFT] edited Revision 5. Comment: Fixed spelling mistake in title

  • Ed Price - MSFT edited Revision 4. Comment: URL to embedded link

  • Ed Price - MSFT edited Revision 3. Comment: Extra space before "For the..."

  • tonysoper_MSFT edited Revision 1. Comment: +kb

Page 1 of 1 (5 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • tonysoper_MSFT edited Revision 1. Comment: +kb

  • Ed Price - MSFT edited Revision 3. Comment: Extra space before "For the..."

  • Ed Price - MSFT edited Revision 4. Comment: URL to embedded link

  • Ben Armstrong [MSFT] edited Revision 5. Comment: Fixed spelling mistake in title

  • Are the exclusions for 'real-time' (on-access) scanning or the 'full scans' (on-demand scans) or both?

  • Thiago Cardoso Luiz edited Revision 11. Comment: add information by askpfelatam

  • Using the guidance above was a good start to find a working exclusion policy for Hyper-V on Server 2012, but a few additions for our specific environment..

    *.AVHDX files

    \Device\CSV* + subdirectories (CSVVolumeX folders would be created by Hyper-V, with X incrementing each time)

    C:\ProgramData\Microsoft\Windows\Hyper-V\  - all subdirectories, not just the ones listed above.  

    These additions along with the directories and 2 processes above were added to a McAfee low-risk process policy, and now we have no issues creating snapshots or new VM's.

    To track down problems in your environment, I suggest running up a procmon session and watching the mcshield.exe process; it will help clue you in. When the exclusions are not right, we saw McAfee go haywire - tens of thousands of reads every few seconds and higher CPU utilization, until the McShield service was restarted.  When the exclusions are right, you will see a tiny bit of chatter in procmon, but nothing crazy.

    The hard part in building the exclusion policy was that procmon would show access via hardware device (example \\wwn\guid\something) - finding commonalities to exclude in a policy was the key.

Page 1 of 1 (7 items)