The parent operating system in Hyper-V is Windows Server, and it’s a relatively simple matter to install your standard anti-malware tools on it, but is this a good idea? You can in fact install all sorts of applications and roles in the parent/physical operating system, and the guidance from Microsoft for production environments is not to. However, this article doesn’t advise for or against installing anti-virus; it just tells you what to do if you decide to implement it.
In this post I wanted to give you my thoughts on it so you can make an informed decision.
The case for not installing anti-virus
Anti-virus is one part of a suite of processes and technology to ensure your applications aren’t corrupted or prevented from working. Assuming this is a high priority, you’ll want to also consider the following:
Having done all of that, what exactly is the anti-virus going to check for? It can’t protect against zero-day attacks, and it can’t be set to monitor the virtual machines’ files (VHDs etc.) and services associated with Hyper-V, as this will cause it to fail. Note you will certainly have anti-virus agents running in the guest virtual machines to protect them.
The case for installing anti-virus
You have done a detailed risk assessment and have established that in your own environment there is a need for anti-virus alongside Hyper-V.
The most common argument in favour I hear is that it is company policy, and even though that policy was not made with Hyper-V in mind, you may have no alternative but to do so.
What I would not recommend is doing this or not doing this just because you read it on a random post, or picked it up as hearsay. Make an informed decision as you would for anything involving the security of your production infrastructure.
Finally, if you do decide to implement anti-virus alongside Hyper-V, the exclusions you’ll need to make for Hyper-V to work are here, and you may also want to refer to Microsoft’s best practice for securing Hyper-V so you don’t even have to take my word for this!
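If you do go down the exclusions route, it is worth verifying what is actually excluded on each host. The following report-only audit is an added example, not code from the original post or from Microsoft. It assumes the host anti-virus is Microsoft Defender Antivirus, and the extension and process lists in it are assumptions to be replaced with the list from the exclusions guidance referred to above.

```powershell
#Requires -RunAsAdministrator
# Added example: report-only audit of host AV exclusions for Hyper-V. Changes nothing.
# Assumes Microsoft Defender Antivirus (Get-MpPreference) and the Hyper-V module (Get-VMHost).

$vmHost = Get-VMHost
$mp     = Get-MpPreference

# Assumed exclusion set (VM disk/state file types, Hyper-V management and worker
# processes); substitute the list from your vendor's or Microsoft's guidance.
$wantExtensions = 'vhd', 'vhdx', 'avhd', 'avhdx', 'vsv', 'iso'
$wantProcesses  = 'vmms.exe', 'vmwp.exe'
# Directories this host is actually configured to use for VM files.
$wantPaths = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath) |
    Where-Object { $_ } | Sort-Object -Unique

function Normalize-Path([string]$Path) { $Path.TrimEnd('\').ToLowerInvariant() }

# Current exclusions, normalised so '.vhd' matches 'vhd' and full process paths match names.
$haveExt  = @($mp.ExclusionExtension | Where-Object { $_ } |
    ForEach-Object { $_.TrimStart('.').ToLowerInvariant() })
$haveProc = @($mp.ExclusionProcess | Where-Object { $_ } |
    ForEach-Object { (Split-Path $_ -Leaf).ToLowerInvariant() })
$havePath = @($mp.ExclusionPath | Where-Object { $_ } |
    ForEach-Object { Normalize-Path $_ })

$report = @(
    foreach ($e in $wantExtensions) {
        [pscustomobject]@{ Type = 'Extension'; Item = $e; Excluded = ($haveExt -contains $e) }
    }
    foreach ($p in $wantProcesses) {
        [pscustomobject]@{ Type = 'Process'; Item = $p; Excluded = ($haveProc -contains $p) }
    }
    foreach ($d in $wantPaths) {
        $n = Normalize-Path $d
        # A directory is covered if it, or one of its parents, is excluded.
        $covered = [bool]($havePath | Where-Object { $n -eq $_ -or $n.StartsWith("$_\") })
        [pscustomobject]@{ Type = 'Path'; Item = $d; Excluded = $covered }
    }
)
$report | Format-Table -AutoSize

# Every exclusion is a blind spot: flag any that cover an entire drive.
$tooBroad = @($havePath | Where-Object { $_ -match '^[a-z]:$' })
if ($tooBroad) {
    Write-Warning ("Whole-drive exclusions present: " + ($tooBroad -join ', '))
}
```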
Very good article, and something I had not really thought about before.
With Windows Server 2012 you do not have to have agents installed on your virtual machines, you can use agentless anti-virus available for Hyper-V now.
Fair point, but my argument here is why you need it as much as how to install and use anti-viruses on your hypervisors. I didn't mention it in my article but in the majority of cases the hosts are totally insulated from the internet, from the virtual machines (except those managing your data centre) so any attack would have to come via an internal source and those should already be protected.
So all I am saying is: don't do it because you can, don't do it by default; do it because you have a well-defined security policy in place.
OK, I see now.
Agentless anti-virus is actually meant to protect the virtual machines first of all.
Defined security policy is absolutely essential, I agree.
Main differences between agent-based and agentless approaches:
1. agent-based - old-school meant to be used on physical environments;
agentless - modern, provides native support for virtual environments.
2. agent-based - consumes vCPU, reduces performance;
agentless - does not consume vCPU, does not reduce performance.