Note: this material is excerpted from Planning for Hyper-V Security at http://technet.microsoft.com/en-us/library/dd283088(WS.10).aspx

As a best practice, do NOT run any applications in the management operating system (also called the host, or sometimes the Hyper-V server); run all applications in virtual machines. Keeping the management operating system free of applications and running it as a Windows Server 2008 Server Core installation reduces the number of updates it needs, because nothing then requires software updates except the Server Core installation, the Hyper-V service components, and the hypervisor. If you do choose to run programs in the management operating system, run your antivirus solution there as well, and add the following antivirus exclusions to avoid a performance impact on every virtual machine running on that host (keep in mind that excluded paths and processes are no longer scanned on access, so keep the list as tight as the workload allows):
All folders containing VHD, VHDX, AVHD, VSV and ISO files
Default virtual machine configuration directory, if used (C:\ProgramData\Microsoft\Windows\Hyper-V)
Custom virtual machine configuration directories, if applicable
Default virtual hard disk files directory, if used (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
Custom virtual hard disk directories, if applicable
Default snapshot files directory, if used (%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots)
Vmms.exe (Note: may need to be configured as a process exclusion within the antivirus software)
Vmwp.exe (Note: may need to be configured as a process exclusion within the antivirus software)
Additionally, when you use Cluster Shared Volumes, exclude the CSV path "C:\ClusterStorage" and all its subdirectories.
For the workload-specific antivirus exclusions to configure inside each virtual machine, see the Windows Anti-Virus Exclusion List. If your VMs are not starting, see KB 961804, "Virtual machines are missing in the Hyper-V Manager Console or when you create or start a virtual machine, you receive one of the following error codes: 0x800704C8, 0x80070037 or 0x800703E3".
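The exclusion list above names the default locations, but a host that uses custom VM, disk, snapshot or ISO paths needs its own list. The following PowerShell script is an added example and is not part of the TechNet excerpt: it reads the paths actually in use from the Hyper-V PowerShell module (Windows Server 2012 and later), adds the CSV root and the two Hyper-V processes by full path, prints the resulting list, and applies it with Add-MpPreference. Add-MpPreference is assumed to be available (Windows Defender / Microsoft Defender Antivirus, Windows Server 2016 onward); on a host running another product, feed the printed lists into that product's policy instead.

```powershell
# Added example (not from the TechNet excerpt): derive Hyper-V antivirus exclusions
# from the host's real configuration instead of hard-coding the default folders.
# Requires the Hyper-V PowerShell module and an elevated session.
# Add-MpPreference is assumed to exist (Windows Defender); see the note above
# for other antivirus products.

Import-Module Hyper-V

# Case-insensitive set so the same directory is not listed twice.
$paths = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)

# Host-wide defaults for VM configuration files and virtual hard disks.
$vmHost = Get-VMHost
[void]$paths.Add($vmHost.VirtualMachinePath)
[void]$paths.Add($vmHost.VirtualHardDiskPath)

# Per-VM locations: configuration, snapshot (checkpoint) and smart paging directories,
# plus the directory holding every attached VHD/VHDX/AVHDX and every mounted ISO.
foreach ($vm in Get-VM) {
    foreach ($p in @($vm.ConfigurationLocation, $vm.SnapshotFileLocation, $vm.SmartPagingFilePath)) {
        if ($p) { [void]$paths.Add($p) }
    }
    foreach ($disk in ($vm | Get-VMHardDiskDrive)) {
        if ($disk.Path) { [void]$paths.Add((Split-Path -Parent $disk.Path)) }
    }
    foreach ($dvd in ($vm | Get-VMDvdDrive)) {
        if ($dvd.Path) { [void]$paths.Add((Split-Path -Parent $dvd.Path)) }
    }
}

# Cluster Shared Volumes root, only when this host is a cluster node.
if (Test-Path 'C:\ClusterStorage') { [void]$paths.Add('C:\ClusterStorage') }

# The two Hyper-V processes named in the guidance. Exclude them by full path rather
# than bare file name, so a malicious binary called vmwp.exe dropped elsewhere on the
# host does not inherit the exclusion.
$processes = @(
    (Join-Path $env:SystemRoot 'System32\vmms.exe'),
    (Join-Path $env:SystemRoot 'System32\vmwp.exe')
)

$sortedPaths = @($paths) | Sort-Object

Write-Output 'Path exclusions:'
$sortedPaths | ForEach-Object { Write-Output "  $_" }
Write-Output 'Process exclusions:'
$processes | ForEach-Object { Write-Output "  $_" }

# Apply to Windows Defender. Remove or replace this line for other antivirus products.
Add-MpPreference -ExclusionPath $sortedPaths -ExclusionProcess $processes
```

Run the script again after adding VMs whose disks or ISOs live in a new directory; it only adds exclusions, so stale entries have to be removed with Remove-MpPreference. Defender applies ExclusionPath and ExclusionProcess entries to real-time (on-access) protection as well as to scheduled and on-demand scans.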
Using the guidance above was a good start to find a working exclusion policy for Hyper-V on Server 2012, but a few additions were needed for our specific environment:
*.AVHDX files
\Device\CSV* + subdirectories (CSVVolumeX folders would be created by Hyper-V, with X incrementing each time)
C:\ProgramData\Microsoft\Windows\Hyper-V\ - all subdirectories, not just the ones listed above.
These additions, along with the directories and 2 processes above, were added to a McAfee low-risk process policy, and now we have no issues creating snapshots or new VMs.
To track down problems in your environment, I suggest running a Procmon session and watching the mcshield.exe process; it will help clue you in. When the exclusions are not right, we saw McAfee go haywire: tens of thousands of reads every few seconds and higher CPU utilization, until the McShield service was restarted. When the exclusions are right, you will see a tiny bit of chatter in Procmon, but nothing crazy.
The hard part in building the exclusion policy was that Procmon would show access via a hardware device (for example, \\wwn\guid\something); finding commonalities to exclude in a policy was the key.
Are the exclusions for 'real-time' (on-access) scanning or the 'full scans' (on-demand scans) or both?