8

I have a 2012 R2 Hyper-V host running System Center Endpoint Protection. There are two virtual Windows servers being hosted by it.

I have all .vhdx drives in a folder on d:/server/

Can I trust the antivirus to scan these files and find viruses, or do I need to have an antivirus program in each virtual machine?

If I scan these files manually, Endpoint Protection almost immediately returns no viruses found, which makes me wonder if it's even trying to scan them.

Rob
JensB

4 Answers

7

No, you should not be using AV software on the host to scan your VHD location. You can install AV software on the host but you need to exclude several Hyper-V related folders from the real time AV scanning engine and from any scheduled AV scans. You should then install AV software on the individual guest virtual machines.

https://support.microsoft.com/en-us/kb/961804

joeqwerty
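An added example, not part of the original answer: a read-only PowerShell check that lists the folders Hyper-V reports for the host and its VMs and flags any that an exclusion list does not cover. The function names are hypothetical, the exclusion list is supplied by the caller (reading it out of the AV product is not shown), and the sample paths are constructed apart from the question's `d:/server/`.

```powershell
# Added example: find Hyper-V folders that the host AV exclusion list misses.
# Read-only; it changes no AV or Hyper-V setting.

function Test-PathCovered {
    # True when $Path equals, or lies beneath, one of the excluded folders.
    param([string]$Path, [string[]]$Exclusions)
    $p = $Path.Replace('/', '\').TrimEnd('\').ToLowerInvariant()
    foreach ($e in $Exclusions) {
        $x = $e.Replace('/', '\').TrimEnd('\').ToLowerInvariant()
        if ($p -eq $x -or $p.StartsWith($x + '\')) { return $true }
    }
    return $false
}

function Get-HyperVAvPath {
    # Folders Hyper-V itself reports: the host defaults plus each VM's
    # configuration, checkpoint and virtual hard disk locations.
    # Requires the Hyper-V PowerShell module on the host.
    $vmHost = Get-VMHost
    $paths = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)
    foreach ($vm in Get-VM) {
        $paths += $vm.ConfigurationLocation, $vm.SnapshotFileLocation
        $paths += Get-VMHardDiskDrive -VM $vm |
            ForEach-Object { Split-Path $_.Path -Parent }
    }
    # Drop empty entries (e.g. pass-through disks) and duplicates.
    $paths | Where-Object { $_ } | Sort-Object -Unique
}

function Get-MissingExclusion {
    # Returns every Hyper-V path not covered by the exclusion list.
    param([string[]]$HyperVPaths, [string[]]$Exclusions)
    $HyperVPaths | Where-Object { -not (Test-PathCovered $_ $Exclusions) }
}

# Constructed sample: exclusions as an admin might have entered them, and
# paths as Get-HyperVAvPath might return them on a host like the asker's.
$configured = @('d:/server/')
$found = @(
    'D:\server\vm1\Virtual Hard Disks',
    'D:\server\vm2\Snapshots',
    'C:\ProgramData\Microsoft\Windows\Hyper-V'
)
Get-MissingExclusion -HyperVPaths $found -Exclusions $configured

# On a real host:
# Get-MissingExclusion -HyperVPaths (Get-HyperVAvPath) -Exclusions $configured
```

Any path the function returns is a Hyper-V location the host scanner would still touch; the guest operating systems stay covered by the AV installed inside each VM.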
6

You need to install AV which is specially designed for Hyper-V. It will install itself on the host, but it will scan VMs and their vRAM, on-disk images, and also intercept traffic between VMs and the host routed over the vSwitch. 5nine has one (I'm not working for them; it's just an example).

http://www.5nine.com/5nine-security-for-hyper-v-product.aspx

BaronSamedi1958
  • While this is certainly an option, it isn't required. You can continue to use whatever endpoint AV software you use for the physical machines on the virtual machines, which is what many companies do. – joeqwerty Jun 14 '16 at 14:27
3

@BaronSamedi is right, best approach is a VM-aware agentless AV solution. 5nine has 3 AV options to choose from including Vipre, Kaspersky, and IIRC ThreatTrack. An alternative may be ESET, they recently started offering agentless specifically for virtualized environments.

Stuka
2

Good question! I would install locally each AV if you can.

Why? Because if you scan the VHD you will catch only viruses that hit the hard drive, but not a virus loaded in memory from a remote location, so I would consider the server at risk.

If you install the AV locally, be sure to also disable the VHD scan on the host, so as not to cause an I/O problem on the host.

yagmoth555
  • 2
    Doable but with a few VMs. Lots of VMs will ask for a lot of time to install and update AV agents. – BaronSamedi1958 Jun 12 '16 at 13:26
  • 1
    @BaronSamedi1958 In enterprise I have never seen a server not managed from an AV console, as anyhow no free product exists except ClamWin to be run as an AV in a server OS – yagmoth555 Jun 13 '16 at 02:27
  • 1
    @BaronSamedi1958: `Doable but with a few VMs. Lots of VMs will ask for a lot of time to install and update AV agents.` - Yes, that's what people who manage AV in the enterprise do. That's part of the job. In the vast majority of cases they use AV software that is centrally managed and deployed. – joeqwerty Jun 14 '16 at 14:26