Note: this material is excepted from Planning for Hyper-V Security at
As a best practice, you should NOT run any applications in the management operating system (also called a host or sometimes the Hyper-V server)—run all applications on virtual machines. By keeping the management operating system free of applications and running
a Windows Server 2008 core installation, you will need fewer updates to the management operating system because nothing requires software updates except the Server Core installation, the Hyper-V service components, and the hypervisor.
If you choose to run programs in the management operating system, you should also run your antivirus solution there and add the following to the antivirus exclusions to avoid negative performance impacts to all Virtual Machines running on that host:
All folders containing VHD, VHDX, AVHD, AVHDX, VSV and ISO files
Default virtual machine configuration directory, if used C:\ProgramData\Microsoft\Windows\Hyper-V
Default snapshot files directory, if used %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
Custom virtual machine configuration directories, if applicable
Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
Custom virtual hard disk drive directories
Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
Vmms.exe (Note: May need to be configured as process exclusions within the antivirus software)
Vmwp.exe (Note: May need to be configured as process exclusions within the antivirus software)
Additionally, when you use Cluster Shared Volumes, exclude the CSV path
C:\ClusterStorage and all its subdirectories.
Are the exclusions for 'real-time' (on-access) scanning or the 'full scans' (on-demand scans) or both?
Using the guidance above was a good start to find a working exclusion policy for Hyper-V on Server 2012, but a few additions for our specific environment..
\Device\CSV* + subdirectories (CSVVolumeX folders would be created by Hyper-V, with X incrementing each time)
C:\ProgramData\Microsoft\Windows\Hyper-V\ - all subdirectories, not just the ones listed above.
These additions along with the directories and 2 processes above were added to a McAfee low-risk process policy, and now we have no issues creating snapshots or new VM's.
To track down problems in your environment, I suggest running up a procmon session and watching the mcshield.exe process; it will help clue you in. When the exclusions are not right, we saw McAfee go haywire - tens of thousands of reads every few seconds and higher CPU utilization, until the McShield service was restarted. When the exclusions are right, you will see a tiny bit of chatter in procmon, but nothing crazy.
The hard part in building the exclusion policy was that procmon would show access via hardware device (example \\wwn\guid\something) - finding commonalities to exclude in a policy was the key.