This is one of the most common discussions with Hyper-V. Lots of IT professionals struggle with the option of whether or not to install Anti-Virus (AV) on the host and the VMs.
Security is the prime concern in all scenarios, and as a Hyper-V administrator, you need to make sure that there are no compromises on your servers, either physical or virtual. This recipe will show you first how to configure the Hyper-V exceptions, when using an AV system in the parent partition, and then discuss when and where the AV is necessary, in the How it works section.
Due to the vast number of anti-virus products, this recipe will only focus on the configurations that have to be done and not how to actually do them. Make sure that you are familiar with your AV settings so that you are able to apply the same configuration demonstrated in the AV itself.
Before you begin, make sure that your AV software supports Windows Server 2016 Hyper-V.
The following steps will show you how to identify the default path used for VMs and virtual disks, and how to configure the exceptions for your AV system:
- Before creating the anti-virus exceptions, you need to identify which paths are in use by Hyper-V.
To identify the default VM and virtual hard disk configuration path, open Hyper-V Manager and click on Hyper-V Settings in the pane on the right-hand side.
The Hyper-V Settings window will open, as shown in the following screenshot:
Click on Virtual Hard Disks to identify the default folder being used for virtual hard disks.
Click on Virtual Machines to identify the default folder used to store the VM configuration files.
The exclusions are made based on the Hyper-V file locations. The default location for VM configuration files is
C:ProgramDataMicrosoftWindowsHyper-V, and for virtual hard disks, it isC:UsersPublicDocumentsHyper-VVirtual Hard Disks. Take a note of the current locations.Open your anti-virus software on the host computer, and add an exception for the following directories and files based on the current location of the files:
- Directories used for machine configuration files
- Directories used for virtual hard disk files
- Snapshot directories
Vmms.exeVmsp.exe,Vmconnect.exe,Vmcompute.exe, andVmwp.exeprocesses- Any other custom configuration directories
- CSV Directory
C:ClusterStorage(for cluster environments)
- After these steps, your anti-virus will be configured with the proper exception settings for Hyper-V.
Before we dig into the details of the previous steps, it is important to discuss the pros and cons of AV on the host computer. This discussion does not change the necessity of having AV on the VMs. Because of the Hyper-V architecture, the parent partition cannot see the read memory information being used by the VMs. Having said that, every VM needs AV, depending upon the OS, roles, access, and other components present on it.
If you follow the best practices for Hyper-V, such as running it using Nano Server or Server Core installation, no Internet access or other programs or roles installed, you probably don't need any AV installed on the host computer. These best practices already have all the security needed for the parent partition, excluding the requirement to install AV on it. However, you can still install it in case of security compliance, or for any other reason.
For servers with the full Windows version, browsing the Internet, and using other software or roles, AV must be installed with the Hyper-V exclusions configured. Do you really edit documents, read your email, or browse the Internet from your Hyper-V hosts? If so, then you are increasing the chance to get infected by a Ransomware or any other nasty viruses.
Protecting a static server environment using agents on each endpoint is relatively easy, as the environment does not change very often. Administrators will usually have access to the server to install and maintain the agents. Since these servers are usually not running at full capacity, the performance of the workload running on them is not usually impacted by resource-intensive AV scans.
Securing virtualized datacenters or clouds is different, and traditional agent-based protection is impractical. VMs are dynamic, and are often rapidly deployed and destroyed, or even copied from a library which may have outdated AV definitions, making it tough to keep security policies updated. In many cases, VMs are deployed by end-users or tenants without any administrative intervention, and to meet certain compliance standards, admins may not even be allowed to access the VMs to install agents.
Since virtualization hosts are designed to run at near full capacity for better resource utilization, when a VM uses an agent and runs an AV scan (which can cause a 30% spike in virtual CPU utilization), this can cause all the VMs on the host to slow down. In a virtualized datacenter, use a host-based security solution that does not require agents to be installed inside the VMs, such as 5nine Cloud Security.
5nine Cloud Security from 5nine Software provides the only agentless antivirus, firewall, and intrusion detection solution for Hyper-V with protection from Bitdefender, Kaspersky Labs, or ThreatTrack. This security software filters traffic going into and out of the VMs through an extension of the Hyper-V virtual switch, which provides protection at the host level, before the threat even reaches the VM. This means security is centrally managed and the VM user never has to worry about updating or scanning the guest OS, regardless of whether it is running Nano Server, Windows Server, Windows, or Linux.
Get more information about 5nine Cloud Security at http://www.5nine.com/5nine-security-for-hyper-v-product.aspx.