Anti-Virus and Hyper-V, Yes or No?

The parent operating system in Hyper-V is Windows Server, and it's a relatively simple matter to install your standard anti-malware tools on it, but is this a good idea? You can in fact install all sorts of applications and roles in the parent/physical operating system, and the guidance from Microsoft for production environments is not to. However, this article doesn't advise for or against installing anti-virus; it just tells you what to do if you decide to implement it.

In this post I wanted to give you my thoughts on it so you can make an informed decision.

The case for not installing anti-virus

Anti-virus is one part of a suite of processes and technology to ensure your applications aren't corrupted or prevented from working. Assuming this is a high priority, you'll want to also consider the following:

  • Ensure your Hyper-V servers are constantly kept up to date with the latest patches. Clustering and live migration mean that your guest virtual machines should never have to be offline while this is done.
  • Use Hyper-V Server or a Server Core installation for Hyper-V. This has a much smaller attack surface, e.g. there is no browser or graphical interface, and cuts patching in half.
  • As mentioned above, don't run anything else at all in the parent operating system, not even additional server roles and features.

Having done all of that, what exactly is the anti-virus going to check for? It can't protect against zero-day attacks, and it can't be set to monitor the virtual machine files (VHDs etc.) and services associated with Hyper-V, as this will cause it to fail. Note that you will certainly have anti-virus agents running in the guest virtual machines to protect them.

 

The case for installing anti-virus

You have done a detailed risk assessment and have established that in your own environment there is a need for anti-virus alongside Hyper-V.

The most common argument in favour that I hear is that it is company policy, and even though that policy was not made with Hyper-V in mind, you may have no alternative but to comply.

Summary

What I would not recommend is doing this or not doing this just because you read it on a random post, or picked it up as hearsay. Make an informed decision, as you would for anything involving the security of your production infrastructure.

Finally, if you do decide to implement anti-virus alongside Hyper-V, the exclusions you'll need to make for Hyper-V to work are here, and you may also want to refer to Microsoft's best practice for securing Hyper-V so you don't even have to take my word for this!
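One way to check those exclusions on a host, as an added example that is not part of the original post or Microsoft's own tooling: it assumes Microsoft Defender is the host anti-virus, that the Hyper-V and Defender PowerShell modules are installed, and that the session is elevated. The extension and process lists are a subset of what Microsoft documents for Hyper-V hosts, and `Get-MissingExclusion` is a helper name made up for this example.

```powershell
# Added example: audit Microsoft Defender exclusions on a Hyper-V host.
# Assumption: Defender is the host AV; run elevated on the host itself.

# Subset of the file types and processes Microsoft documents for Hyper-V hosts.
$wantedExtensions = 'vhd', 'vhdx', 'avhd', 'avhdx', 'vsv', 'iso', 'rct', 'vmcx', 'vmrs'
$wantedProcesses  = 'vmms.exe', 'vmwp.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

# VM storage locations are read from the host and its VMs, not hard-coded.
$vmHost = Get-VMHost
$wantedPaths = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath) +
               @(Get-VM | ForEach-Object { $_.Path; $_.SnapshotFileLocation }) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') } |
    Sort-Object -Unique

# Hypothetical helper: returns one object per wanted item that is not excluded.
function Get-MissingExclusion {
    param([string[]]$Wanted, [string[]]$Configured, [string]$Kind)
    # Normalise so ".vhdx", "*.vhdx" and "vhdx" compare equal; drop trailing "\".
    $have = @($Configured | Where-Object { $_ } |
        ForEach-Object { $_.TrimStart('*', '.').TrimEnd('\') })
    foreach ($item in $Wanted) {
        if ($item -notin $have) {   # -notin is case-insensitive
            [pscustomobject]@{ Kind = $Kind; Missing = $item }
        }
    }
}

$mp = Get-MpPreference
$gaps = @(
    Get-MissingExclusion $wantedExtensions $mp.ExclusionExtension 'Extension'
    Get-MissingExclusion $wantedProcesses  $mp.ExclusionProcess   'Process'
    Get-MissingExclusion $wantedPaths      $mp.ExclusionPath      'Path'
)

if ($gaps) {
    $gaps | Sort-Object Kind, Missing | Format-Table -AutoSize
} else {
    'All audited Hyper-V exclusions are present.'
}
# After review, a gap can be closed with, for example:
#   Add-MpPreference -ExclusionExtension 'vhdx'
```

On Windows Server, Defender also applies automatic role-based exclusions that do not show up in `Get-MpPreference`, so a reported gap is a prompt to review the host rather than proof of a misconfiguration.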