Running a solid, constantly updated antivirus product on your Hyper-V hosts is a necessity to keep a healthy and secure virtual environment. By using Windows Defender Antivirus, the built-in anti-malware solution in Windows Server 2016, 2019 and 2022, you will be provided with next-gen cloud-delivered protection, which includes near-instant detection, always-on scanning and dedicated protection updates.
However, when using any antivirus software on a Hyper-V host, you also risk having issues when it is not configured properly and especially when real-time scanning (or monitoring) is enabled. This can negatively affect the overall host performance and even cause corruption of your virtual machines (VMs) or Hyper-V files.
To avoid these file conflicts and to minimize performance degradation, you should implement the recommended antivirus exclusions (directories, files and processes) on all your Hyper-V hosts, which can be found over here.
Luckily Windows Defender Antivirus automatically enrolls certain exclusions (automatic exclusions), defined by your specific server role. To determine which roles are installed on the server, Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools. You should be aware that these automatic exclusions will not appear in the standard exclusion list shown in the Windows Security app.
Below you can find a list of the automatic exclusions for the Hyper-V role (file type exclusions, folder exclusions, process exclusions and Hyper-V Failover Cluster folder exclusions):
Although the automatic exclusions include almost all recommended Hyper-V antivirus exclusions, you may still need to configure additional custom exclusions. These custom exclusions will take precedence over the automatic exclusions but will not conflict if a duplicate exists.
If you prefer to disable automatic exclusions you can run the following PowerShell cmdlet:
## Disable Windows Defender Antivirus auto-exclusions list
Set-MpPreference -DisableAutoExclusions $true
Below you can find an additional short list of custom exclusions for a server running the Hyper-V role which you can implement if applicable to your environment. There can be even more exclusions for your specific environment.
Any custom virtual machine configuration or hard disk drive directories (for example E:\VMs).
Any custom replication data directories, if you’re using Hyper-V Replica.
The vmsp.exe process (%systemroot%\System32\Vmsp.exe).
The vmcompute.exe process (%systemroot%\System32\Vmcompute.exe).
To add these exclusions for Windows Defender Antivirus, open the Windows Security app by clicking the magnifier in the taskbar and typing defender. Select Virus & threat protection.
Under the Virus & threat protection settings title, select Manage settings.
On the Virus & threat protection settings page, scroll down to the Exclusions setting and click Add or remove exclusions.
Click Add an exclusion. Click the + icon to choose the type and set the options for each exclusion. When adding an exclusion click Yes if the User Account Control box pops up.
When all custom exclusions are added the screen will look like this.
To remove an added exclusion, press the down arrow next to the exclusion and click Remove.
PowerShell script
You can also add these custom exclusions with the PowerShell script below. To use the script, copy and save it as Add-Hyper-V-Antivirus-exclusions-WS2016-WS2019-WS2022.ps1 or download it from GitHub. First adjust all variables to your environment, then run the script with Administrator privileges from Windows Terminal, Windows PowerShell, or Visual Studio Code.
<#
.SYNOPSIS
A script to add Hyper-V antivirus exclusions.
.DESCRIPTION
A script to add Hyper-V antivirus exclusions. This script can be used for Windows Server 2016, 2019 and 2022
.NOTES
File Name: Add-Hyper-V-Antivirus-exclusions-WS2016-WS2019-WS2022.ps1
Created: 22/09/2018
Last modified: 20/09/2021
Author: Wim Matthyssen
PowerShell: 5.1 or above
Requires: -RunAsAdministrator
OS: Windows Server 2016, Windows Server 2019 and Windows Server 2022
Version: 2.0
Action: Change variables where needed to fit your needs
Disclaimer: This script is provided "As Is" with no warranties.
.EXAMPLE
.\Add-Hyper-V-Antivirus-exclusions-WS2016-WS2019-WS2022.ps1
.LINK
https://tinyurl.com/y2cnhko3
#>
## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
## Variables
$vmFolder = "<your folder where your VMs are stored here>" # The folder where your VMs are stored. Example: "E:\VMs"
$vsmpProcess = "Vmsp.exe"
$vmcomputeProcess = "Vmcompute.exe"
$global:currenttime= Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currenttime= Get-Date -UFormat "%A %m/%d/%Y %R"}
$foregroundColor1 = "Yellow"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "
## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
## Add custom Hyper-V exclusions
Add-MpPreference -ExclusionPath $vmFolder
Add-MpPreference -ExclusionProcess $vsmpProcess
Add-MpPreference -ExclusionProcess $vmcomputeProcess
Write-Host ($writeEmptyLine + "# Custom Hyper-V exclusions added" + $writeSeperatorSpaces + $currentTime) `
    -foregroundcolor $foregroundColor1 $writeEmptyLine
## ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
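A stricter variant of the step above, added here as an example (it is not the author's script): it checks the VM folder before excluding it, registers the two processes by the full System32 paths given in the custom exclusion list so that only those binaries match rather than any process with the same file name, skips entries that already exist, and reads the result back. The parameter default E:\VMs and the helper name Test-ExclusionFolder are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: validate, add and verify the custom Hyper-V exclusions.
# $VmFolder is an assumed example value; replace it with your own VM directory.
param(
    [string]$VmFolder = 'E:\VMs'
)

# Full paths, so only the binaries in System32 are matched.
$processes = @(
    (Join-Path $env:SystemRoot 'System32\Vmsp.exe'),
    (Join-Path $env:SystemRoot 'System32\Vmcompute.exe')
)

# Hypothetical helper: accept only an existing folder that is neither a
# drive root nor located inside the Windows directory.
function Test-ExclusionFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $full = (Get-Item -LiteralPath $Path).FullName.TrimEnd('\')
    if ($full -match '^[A-Za-z]:$') { return $false }
    $inWindows = ($full + '\').StartsWith(($env:SystemRoot + '\'),
        [StringComparison]::OrdinalIgnoreCase)
    return (-not $inWindows)
}

if (-not (Test-ExclusionFolder -Path $VmFolder)) {
    throw "Refusing to exclude '$VmFolder': missing, a drive root, or inside $env:SystemRoot."
}

# Add only what is not configured yet, so the script can be re-run safely.
$current = Get-MpPreference
if ($current.ExclusionPath -notcontains $VmFolder) {
    Add-MpPreference -ExclusionPath $VmFolder
}
foreach ($p in $processes) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        Write-Warning "Skipping $p (not present on this host)"
        continue
    }
    if ($current.ExclusionProcess -notcontains $p) {
        Add-MpPreference -ExclusionProcess $p
    }
}

# ExclusionPath and ExclusionProcess hold the custom exclusions;
# DisableAutoExclusions shows whether the automatic ones are switched off.
Get-MpPreference |
    Select-Object DisableAutoExclusions, ExclusionPath, ExclusionProcess |
    Format-List
```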
Hope this helps secure your Hyper-V hosts.