Note: this material is excerpted from Planning for Hyper-V Security at
All folders containing VHD, VHDX, AVHD, AVHDX, VSV and ISO files
Default virtual machine configuration directory, if used: C:\ProgramData\Microsoft\Windows\Hyper-V
Default snapshot files directory, if used: %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
Custom virtual machine configuration directories, if applicable
Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
Custom virtual hard disk drive directories
Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
Vmms.exe (Note: May need to be configured as process exclusions within the antivirus software)
Vmwp.exe (Note: May need to be configured as process exclusions within the antivirus software)
Additionally, when you use Cluster Shared Volumes, exclude the CSV path C:\ClusterStorage and all its subdirectories.
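One way to fill in the "custom directory" entries above is to ask the host which locations it actually uses, so the exclusion list covers them without being broader than necessary. This is an added example, not part of the original article; it assumes the Hyper-V PowerShell module is installed and the session is elevated.

```powershell
# Added example (not from the original article): list the directories this
# Hyper-V host actually uses so custom locations are not missed.
# Assumes the Hyper-V PowerShell module and an elevated session.
Import-Module Hyper-V

$dirs = @()

# Host-wide defaults for VM configuration files and virtual hard disks.
$vmHost = Get-VMHost
$dirs += $vmHost.VirtualMachinePath
$dirs += $vmHost.VirtualHardDiskPath

foreach ($vm in Get-VM) {
    # Per-VM configuration and snapshot locations (may differ from the defaults).
    $dirs += $vm.ConfigurationLocation
    $dirs += $vm.SnapshotFileLocation

    # Parent folder of each attached virtual disk or mounted ISO.
    $files  = @(Get-VMHardDiskDrive -VM $vm | ForEach-Object { $_.Path })
    $files += @(Get-VMDvdDrive -VM $vm | ForEach-Object { $_.Path })
    foreach ($file in $files) {
        # Skip empty DVD drives and pass-through disks, which are not files.
        if ($file -match '\.(vhd|vhdx|avhd|avhdx|iso)$') {
            $dirs += Split-Path -Path $file -Parent
        }
    }
}

# Cluster Shared Volumes root, only if this host has one.
if (Test-Path -Path 'C:\ClusterStorage') { $dirs += 'C:\ClusterStorage' }

'Directories to review for exclusion:'
$dirs | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

# Full image paths of the two processes named above, if currently running.
'Process images:'
Get-Process -Name vmms, vmwp -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Path } | Sort-Object -Unique
```

Comparing this output with the antivirus policy shows both missing entries and exclusions that no longer correspond to any VM storage location.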
Are the exclusions for 'real-time' (on-access) scanning or the 'full scans' (on-demand scans) or both?
Using the guidance above was a good start to find a working exclusion policy for Hyper-V on Server 2012, but a few additions were needed for our specific environment:
\Device\CSV* + subdirectories (CSVVolumeX folders would be created by Hyper-V, with X incrementing each time)
C:\ProgramData\Microsoft\Windows\Hyper-V\ - all subdirectories, not just the ones listed above.
These additions, along with the directories and 2 processes above, were added to a McAfee low-risk process policy, and now we have no issues creating snapshots or new VMs.
To track down problems in your environment, I suggest running up a procmon session and watching the mcshield.exe process; it will help clue you in. When the exclusions are not right, we saw McAfee go haywire - tens of thousands of reads every few seconds and higher CPU utilization, until the McShield service was restarted. When the exclusions are right, you will see a tiny bit of chatter in procmon, but nothing crazy.
The hard part in building the exclusion policy was that procmon would show access via hardware device (example \\wwn\guid\something) - finding commonalities to exclude in a policy was the key.
If using McAfee, refer to Technical Articles ID: KB78364 kc.mcafee.com/.../index