In an IT landscape where antivirus is usually a security compliance requirement on Windows Servers and client endpoints, should you also be installing antivirus software on your Hyper-V host servers? In this article, I’ll discuss the problems, your options, and some best practices that will, I hope, save you some headaches.

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

The debate about antivirus software on servers has been going on for far longer than I can remember. It still isn’t hard to find software vendors who make no attempt to get their software to work properly with antivirus in place. The recommendation for the server running their software is, “Just run your server without antivirus so our software doesn’t break.” Sounds logical, right? No antivirus = their software works properly. As long as you’re careful about who has access to the system and what gets installed, your server should be safe—in theory. So, does the same hold true for a Hyper-V host server?

Antivirus software on Hyper-V?

Before we get started, let me first say that the decision whether or not to deploy antivirus software on Hyper-V hosts requires thorough planning. If you’ve just thrown antivirus on your Hyper-V servers, or if your security people are mandating that you need to for security purposes or to maintain compliance, keep reading.

The case against antivirus

If you’ve spent any time in IT at all, you know that running antivirus software on any system causes a performance hit. In a Hyper-V environment where you want to squeeze every bit of spare performance out of a server, antivirus software on the host consumes RAM, CPU cycles, and storage IOPS that would otherwise go to the virtual machines (VMs). Depending on your antivirus vendor, your mileage may vary widely; some antivirus products have lower overhead than others.

If your organization has a security group that controls antivirus, you may find that administrators outside your department demand access to the Hyper-V host. If problems come up, it can then be unclear who was responsible.

It’s very possible that, by mistake (or on purpose), the antivirus software could be misconfigured, causing damage to hosted VMs. (Ironically, it could end up killing the antivirus management server that is running on one of the Hyper-V hosts.)

A misconfigured antivirus product can cause virtual machines to disappear from the Hyper-V Manager and System Center Virtual Machine Manager. Here are some typical error messages that will cause VMs to stop or be unable to start due to damage caused by the on-access scanner built into the antivirus software:

0x800704C8 (The requested operation cannot be performed on a file with a user-mapped section open.)

0x80070037 [VMName Microsoft Synthetic Ethernet Port (Instance ID{7E0DA81A-A7B4-4DFD-869F-37002C36D816}): Failed to Power On with Error 'The specified network resource or device is no longer available.']

0x800703E3 (The I/O operation has been aborted because of either a thread exit or an application request.)

The case for antivirus

I’ve been running System Center Endpoint Protection on Hyper-V servers for quite some time. On a pretty hefty test/dev server that can run anywhere from 10 to 75 VMs on a given day, the CPU and RAM usage of the antivirus software is negligible. If you’re licensed for System Center for your servers, you’ve most likely got Endpoint Protection as part of what you’re already licensing from Microsoft. If your current antivirus software doesn’t perform well on a Hyper-V host, SCEP could be an option.

In a perfect world, every Windows Server (that isn’t an RDS application server) would run Server Core, every systems administrator would refrain from installing unnecessary software, and change controls would always be followed. We all know that isn’t the case.

It’s really easy to say that a sysadmin who is installing something he/she shouldn’t is an HR problem until that accidental malware install causes unplanned downtime. And, even if you remove the GUI and go to Server Core, getting the GUI back is just a reboot away.

If your Hyper-V host’s management network is completely segregated, and the server is fully patched and is running a properly configured firewall, there will still be new security flaws, zero-day exploits, and other attack vectors that can be used to compromise the Hyper-V server. Running antivirus software on the server gives you an additional layer of protection when definitions are released that can mitigate some of those attacks. No antivirus, no additional layer of protection.

Best practices

First, you have to determine who is in control of the Hyper-V host. In my view, the Hyper-V host’s management NIC should be put on a dedicated VLAN that nobody except Hyper-V administrators can access. In addition, only the Hyper-V and domain administrators would have the rights to log in and administer the server. This requires that the Hyper-V admins install the antivirus agent; however, the security group will still be able to manage AV updates and monitor the server.

Another crucial point is to run Hyper-V on Server Core without a GUI. This significantly reduces the host’s attack surface and minimizes downtime from scheduled reboots.

If you’re going to install antivirus software on your Hyper-V hosts, make sure you use the recommended exclusions:

  • Vmms.exe – executable file (Virtual Machine Management Service)
  • Vmwp.exe – executable file (Virtual Machine Worker Process)
  • C:\ProgramData\Microsoft\Windows\Hyper-V\ - Default virtual machine configuration folder
  • C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\ - Default virtual hard disk drive folder
  • Additional virtual machine configuration folders
  • Additional virtual hard disk folders containing VHD, AVHD, VHDX, AVHDX, VSV, BIN, and ISO files
  • Snapshot folders
  • Hyper-V Replica replication data directories
  • C:\ClusterStorage\ - Cluster Shared Volumes (CSV) if you’re using a SAN with Failover Clustering
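The following PowerShell is an added example, not code from the article or from Microsoft: it applies the exclusions listed above to Microsoft Defender Antivirus, reading the configuration, disk, snapshot and Replica paths a host actually uses from the Hyper-V module instead of trusting the defaults, and refusing to exclude a whole drive. It assumes the Defender module (Add-MpPreference, Get-MpPreference) and the Hyper-V module are installed on the host; SCEP or third-party products need their own tooling.

```powershell
# Added example: Hyper-V antivirus exclusions for Microsoft Defender Antivirus.
# Assumes the Defender and Hyper-V PowerShell modules are present (assumption).
#Requires -RunAsAdministrator
Import-Module Hyper-V -ErrorAction Stop

$processes  = @('vmms.exe', 'vmwp.exe')
$extensions = @('vhd', 'avhd', 'vhdx', 'avhdx', 'vsv', 'bin', 'iso')

# Start with the well-known defaults, then add every path the host and its
# VMs really use, so relocated configuration or disk folders are not missed.
$vmHost = Get-VMHost
$paths = [System.Collections.Generic.List[string]]@(
    'C:\ProgramData\Microsoft\Windows\Hyper-V\',
    'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\',
    $vmHost.VirtualMachinePath,
    $vmHost.VirtualHardDiskPath
)
foreach ($vm in Get-VM) {
    $paths.Add($vm.ConfigurationLocation)
    $paths.Add($vm.SnapshotFileLocation)
    foreach ($disk in $vm.HardDrives) {
        # Pass-through disks have no file path; skip them
        if ($disk.Path) { $paths.Add((Split-Path -Parent $disk.Path)) }
    }
}
# Hyper-V Replica target directories, if this host accepts replication
Get-VMReplicationAuthorizationEntry -ErrorAction SilentlyContinue |
    ForEach-Object { $paths.Add($_.ReplicaStorageLocation) }
# Cluster Shared Volumes only when this host is a cluster node
if (Test-Path 'C:\ClusterStorage') { $paths.Add('C:\ClusterStorage\') }

# Never exclude a bare drive letter: an over-broad exclusion blinds the scanner.
$paths = $paths | Where-Object { $_ } | Sort-Object -Unique |
    Where-Object { $_ -notmatch '^[A-Za-z]:\\?$' }

Add-MpPreference -ExclusionProcess   $processes
Add-MpPreference -ExclusionExtension $extensions
Add-MpPreference -ExclusionPath      $paths

# Verify what is actually in effect and keep the output for the security team.
$pref = Get-MpPreference
[pscustomobject]@{
    Processes  = $pref.ExclusionProcess
    Extensions = $pref.ExclusionExtension
    Paths      = $pref.ExclusionPath
} | Format-List
```

Re-running the Get-MpPreference check after each antivirus upgrade confirms the exclusions survived the upgrade.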

When you move to new versions of the antivirus product (even if they are in the same major version), test the upgrade process first. Most of my personal experience is with McAfee VirusScan and System Center Endpoint Protection. McAfee has, in the past, made significant changes even in dot releases of their product. It wouldn’t surprise me if other vendors did the same.

Conclusion

Whether you run antivirus software on your Hyper-V host server or not, you should make an informed choice weighing all the pros and cons before you start deploying the software. Make sure to involve everyone who is affected by the decisions and take into consideration their various concerns.

Do you run antivirus software on your Hyper-V host servers? What are your experiences?

1 Comment
  1. TimC 3 years ago

    I started using Webroot a few months ago and really like it. Before that I had been using Vipre but occasionally it would fail during the night and the servers would be hung in the morning.


© 4sysops 2006 - 2017