Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

Anti-Virus and Hyper-V, Yes or No?

The parent operating system in Hyper-V is Windows Server, and it is a relatively simple matter to install your standard anti-malware tools on it, but is this a good idea? You can in fact install all sorts of applications and roles in the parent (physical) operating system, and Microsoft's guidance for production environments is not to. However, this article doesn't advise for or against installing anti-virus; it just tells you what to do if you decide to implement it.

In this post I want to give you my thoughts on it so you can make an informed decision.

The case for not installing anti-Virus

Anti-Virus is one part of a suite of processes and technology to ensure your applications aren’t corrupted or prevented from working.  Assuming this is a high priority, you’ll want to also consider the following:

  • Ensure your Hyper-V servers are constantly kept up to date with the latest patches. Clustering and live migration mean that your guest virtual machines should never have to be offline while this is done.
  • Use Hyper-V Server or a Server Core installation for Hyper-V. This has a much smaller attack surface, e.g. there is no browser or graphical interface, and it cuts patching in half.
  • As mentioned above, don't run anything else at all in the parent operating system, not even additional server roles and features.

Having done all of that, what exactly is the anti-virus going to check for? It can't protect against zero-day attacks, and it can't be set to monitor the virtual machine files (VHDs etc.) and the services associated with Hyper-V, as this will cause Hyper-V to fail. Note that you will certainly have anti-virus agents running in the guest virtual machines to protect them.

The case for installing anti-virus

You have done a detailed risk assessment and have established that in your own environment there is a need for anti-virus alongside hyper-V.

The most common argument in favour I hear is that it is company policy, and even though that was not made with Hyper-V in mind you may have no alternative but to do so.

Summary

What I would not recommend is doing this, or not doing this, just because you read it on a random post or picked it up as hearsay. Make an informed decision, as you would for anything involving the security of your production infrastructure.

Finally, if you do decide to implement anti-virus alongside Hyper-V, the exclusions you'll need to make for Hyper-V to work are here, and you may also want to refer to Microsoft's best practice for securing Hyper-V, so you don't even have to take my word for this!
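Putting the exclusion advice into practice, as an added example that is not from the original post: it reads the paths this host actually uses for VM configuration, checkpoints and virtual disks, registers them together with the Hyper-V file types and processes as Microsoft Defender Antivirus exclusions, and then verifies the result rather than assuming it. It assumes a Windows Server 2016 or later host with the Hyper-V PowerShell module and Defender installed, run from an elevated session on the host itself.

```powershell
# Added example (not from the original post). Assumes a Windows Server host with
# the Hyper-V PowerShell module and Microsoft Defender Antivirus installed,
# run from an elevated PowerShell session on the Hyper-V host itself.
#Requires -RunAsAdministrator
Import-Module Hyper-V

# 1. Gather the paths this host really uses instead of assuming the defaults.
$vmHost = Get-VMHost
$paths  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
[void]$paths.Add($vmHost.VirtualMachinePath)
[void]$paths.Add($vmHost.VirtualHardDiskPath)
# Per-VM configuration, checkpoint and disk locations can differ from the host defaults.
foreach ($vm in Get-VM) {
    [void]$paths.Add($vm.ConfigurationLocation)
    [void]$paths.Add($vm.SnapshotFileLocation)
    foreach ($disk in $vm.HardDrives) {
        if ($disk.Path) { [void]$paths.Add((Split-Path -Parent $disk.Path)) }
    }
}

# 2. File types Hyper-V writes to continuously; scanning these on access is what
#    breaks the VMs, which is the failure the post describes.
$extensions = 'vhd','vhdx','avhd','avhdx','vsv','iso','rct','mrt','vmcx','vmrs'

# 3. The Hyper-V management, worker and compute processes.
$processes  = 'vmms.exe','vmwp.exe','vmcompute.exe'

# Apply. Add-MpPreference tolerates entries that already exist, so re-running is safe.
Add-MpPreference -ExclusionPath      @($paths)
Add-MpPreference -ExclusionExtension $extensions
Add-MpPreference -ExclusionProcess   $processes

# 4. Verify what Defender now holds and flag any VM path that is still unexcluded,
#    so the exclusion set is reviewed rather than assumed to be complete.
$pref    = Get-MpPreference
$missing = @($paths) | Where-Object { $pref.ExclusionPath -notcontains $_ }
if ($missing) {
    Write-Warning "Paths still not excluded: $($missing -join ', ')"
} else {
    Write-Output "Excluded paths:      $($pref.ExclusionPath -join ', ')"
    Write-Output "Excluded extensions: $($pref.ExclusionExtension -join ', ')"
    Write-Output "Excluded processes:  $($pref.ExclusionProcess -join ', ')"
}
```

Re-run it after adding VMs or moving storage, since exclusions are static while VM paths are not; keep the list as narrow as the verification step shows is needed, because every excluded path is also a blind spot.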

Comments
  • Very good article, and something I had not really thought about before.

    Thanks!

  • With Windows Server 2012 you do not have to have agents installed on your virtual machines, you can use agentless anti-virus available for Hyper-V now.

  • Alexander

    Fair point, but my argument here is why you need it as much as how to install and use anti-viruses on your hypervisors.  I didn't mention it in my article but in the majority of cases the hosts are totally insulated from the internet, from the virtual machines (except those managing your data centre) so any attack would have to come via an internal source and those should already be protected.

    So all I am saying is don't do it because you can, don't do it by default; do it because you have a well-defined security policy in place.

    Andrew  

  • Andrew,

    OK, I see now.

    Agentless anti-virus is actually meant to protect the virtual machines first of all.

    Defined security policy is absolutely essential, I agree.

    Main differences between agent-based and agentless approaches:

    1. agent-based - old-school meant to be used on physical environments;

       agentless - modern, provides native support for virtual environments.

    2. agent-based - consumes vCPU, reduces performance;

       agentless - does not consume vCPU, does not reduce performance.

    Alexander
