Hyper-V and Antivirus

There’s a major potential issue if you do a default installation of anti-virus or anti-malware on a Hyper-V parent partition (host operating system). If you don’t have file/folder exclusions in place then your VMs may fail to start or even disappear from your console. I experienced this issue before. MS got involved and couldn’t rescue the missing VM configurations (the VHDs were fine so I rebuilt the VM configurations).

Ben Armstrong offers two configurations:

  1. Don’t install AV on the parent partition.  This is the one I recommend and I use.  The parent partitions are on a secure and isolated network anyway.
  2. Install AV and enforce certain configurations.

If you do install AV, Ben says the following should be excluded from scans:

  • Default virtual machine configuration directory (Normally this is C:\ProgramData\Microsoft\Windows\Hyper-V)
  • Custom virtual machine configuration directories
  • Default virtual hard disk directory (Normally this is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
  • Custom virtual hard disk directories
  • Snapshot directories
  • Vmms.exe
  • Vmwp.exe

My issue with this is that it’s very easy for a s/w upgrade or an operator mistake to cripple half of your network in an instant. That’s why I’m pretty vociferous about not installing AV on the parent partition.
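One way to catch exclusions that an upgrade or operator mistake has dropped is to audit the host against the list above. This is an added example, not from the original post or from Ben Armstrong; it assumes the Hyper-V PowerShell module is available and uses Microsoft Defender's `Get-MpPreference` as a stand-in for whichever AV is installed. `Test-Covered` is a helper defined here.

```powershell
#Requires -Modules Hyper-V
# Added example: report Hyper-V paths/processes from the list that are NOT excluded.
# Assumption: Microsoft Defender is the installed AV (Get-MpPreference); for another
# product, populate $configuredPaths / $configuredProcesses from its own export.

function Test-Covered([string]$Path, [string[]]$Exclusions) {
    # A folder exclusion also covers its subfolders. Wildcards and environment
    # variables inside exclusion entries are not expanded here.
    foreach ($e in $Exclusions) {
        if ($Path -eq $e -or
            $Path.StartsWith("$e\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$vmHost = Get-VMHost
$vms    = @(Get-VM)   # empty array (not $null) on a host with no VMs

# Default and custom configuration, virtual hard disk and snapshot directories.
$requiredPaths = @(
    $vmHost.VirtualMachinePath
    $vmHost.VirtualHardDiskPath
    $vms.ConfigurationLocation
    $vms.SnapshotFileLocation
    # Only file-backed disks; pass-through disks have no directory to exclude.
    $vms | Get-VMHardDiskDrive |
        Where-Object { $_.Path -match '\.a?vhdx?$' } |
        ForEach-Object { Split-Path -Parent $_.Path }
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
$requiredProcesses = 'Vmms.exe', 'Vmwp.exe'

$pref = Get-MpPreference
$configuredPaths = @($pref.ExclusionPath) | Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }
$configuredProcesses = @($pref.ExclusionProcess) | Where-Object { $_ } |
    ForEach-Object { Split-Path -Leaf $_ }   # entries may be a name or a full path

$missing = @(
    $requiredPaths | Where-Object { -not (Test-Covered $_ $configuredPaths) } |
        ForEach-Object { [pscustomobject]@{ Type = 'Path'; Missing = $_ } }
    $requiredProcesses | Where-Object { $configuredProcesses -notcontains $_ } |
        ForEach-Object { [pscustomobject]@{ Type = 'Process'; Missing = $_ } }
)

if ($missing) {
    $missing | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or monitoring agent can alert
}
'All Hyper-V exclusions from the list are present.'
```

Run it from an elevated session on the parent partition, and again after any AV upgrade or VM storage move.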

To protect yourself, leave that Windows Firewall up, don’t install anything other than Hyper-V and management agents on the Hyper-V parent partition (host operating system) and don’t browse from it.
