Running a solid, constantly updated antivirus product on your Hyper-V hosts is a necessity to keep a healthy and secure virtual environment. By using Windows Defender Antivirus, the built-in anti-malware solution in Windows Server 2016 or 2019, you will be provided with next-gen cloud-delivered protection, which includes near-instant detection, always-on scanning and dedicated protection updates.
However, when using any antivirus software on a Hyper-V host, you also risk having issues when it is not configured properly and especially when real-time scanning (or monitoring) is enabled. This can negatively affect the overall host performance and even cause corruption of your virtual machines (VMs) or Hyper-V files.
To avoid these file conflicts and to minimize performance degradations you should implement the following recommend antivirus exclusions (directories, files and processes) on all your Hyper-V hosts, which can be found over here.
Luckily Windows Defender Antivirus automatically enrolls certain exclusions (automatic exclusions), defined by your specific server role. To determine which roles are installed on the server, Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools. You should be aware that these automatic exclusions will not appear in the standard exclusion list shown in the Windows Security app.
Below you can find a list of the automatic exclusions for the Hyper-V role:
File type exclusions:
- %Public%\Documents\Hyper-V\Virtual Hard Disks
Hyper-V Failover Cluster folder exclusions:
Although the automatic exclusions include almost all recommended Hyper-V antivirus exclusions you still may need to configure additional custom exclusions. These custom exclusions will take precedence over the automatic exclusions but will not conflict if a duplicate exists.
If you prefer to disable automatic exclusions you can run the following PowerShell cmdlet:
## Disable Windows Defender Antivirus auto-exclusions list Set-MpPreference -DisableAutoExclusions $true
Below you can find an additional short list of custom exclusions for a server running the Hyper-V role which you can implement if applicable to your environment. There can be even more exclusions for your specific environment.
- Any custom virtual machine configuration or hard disk drive directories (for example E:\VMs).
- Any custom replication data directories, if you’re using Hyper-V Replica.
- The vmsp.exe process (%systemroot%\System32\Vmsp.exe).
- The vmcompute.exe process (%systemroot%\System32\Vmcompute.exe).
To add these exclusions for Windows Defender Antivirus in the Windows Security app you need to open the Windows Security app by clicking the magnifier in the task bar and by typing defender. Select Virus & threat protection.
Under the Virus & threat protection settings title select Manage settings.
On the Virus & threat protection settings page scroll down to Exclusions setting and click on Add or remove exclusions.
Click Add an exclusion. Click the + icon to choose the type and set the options for each exclusion. When adding an exclusion click Yes if the User Account Control box pops up.
When all custom exclusions are added the screen will look like this.
To remove an added exclusion, press the down arrow next to the exclusion and click Remove.
You can also add these custom exclusions with the use of PowerShell (as administrator). To do so you need to run the below commands.
## Add custom Hyper-V exclusions Add-MpPreference -ExclusionPath "E:\VMs" Add-MpPreference -ExclusionProcess "Vmsp.exe" Add-MpPreference -ExclusionProcess "Vmcompute.exe" Write-Host ("`n" + "# Custom Hyper-V exclusions added")` -foregroundcolor "Yellow" "`n"
Hope this helps securing your Hyper-V hosts.