ESET Online Help

Search English
Select the topic

Hyper-V scan

The current version of the Hyper-V scan supports scanning of the online or offline virtual system in Hyper-V. Supported types of scanning according to hosted Windows Hyper-V system and the state of the virtual system are shown here:

Virtual systems with Hyper-V feature

Online VM

Offline VM

Windows Server 2022 Hyper-V

read-only

read-only/cleaning

Windows Server 2019 Hyper-V

read-only

read-only/cleaning

Windows Server 2016 Hyper-V

read-only

read-only/cleaning

Windows Server 2012 R2 Hyper-V

read-only

read-only/cleaning

Windows Server 2012 Hyper-V

read-only

read-only/cleaning

Hardware requirements

The server should have no performance issues running Virtual Machines. Scanning activity primarily uses CPU resources. To scan online VMs, free disk space is required. Disk space must be at least double the space used by checkpoints/snapshots and virtual disks.

Specific limitations

Scanning on RAID storage, Spanned Volumes and Dynamic Disks are not supported due to the nature of Dynamic Disks. Therefore, we recommend you avoid using the Dynamic Disk type in your VMs.

Scanning is always performed on the current VM and does not affect checkpoints or snapshots.

Hyper-V running on a host in a cluster is currently not supported by ESET Server Security.


note

While ESET Security supports the scan of virtual disk MBRs, read-only scanning is the only method supported for these targets. This setting can be changed in Advanced setup (F5) > Detection engine > Hyper-V scan > ThreatSense parameters > Boot sectors.

Virtual Machine to be scanned is "offline" – switched Off state

ESET Server Security uses Hyper-V Management to detect and to connect to virtual disks. This way, ESET Server Security has the same access to the virtual disk content when accessing data and files on any generic drive.

Virtual Machine to be scanned is "online" – Running, Paused, Saved state

ESET Server Security uses Hyper-V Management to detect virtual disks. An actual connection to these disks is not possible. Therefore, ESET Server Security creates a checkpoint/snapshot of the Virtual Machine, then connects to the checkpoint/snapshot. After the scan is completed, the checkpoint/snapshot is deleted. This means that read-only scan can be performed because the running Virtual Machine(s) are unaffected by scan activity.

Enable up to one minute for ESET Server Security to create a snapshot or checkpoint during scanning. It would help if you considered this when running a Hyper-V scan on a larger number of Virtual Machines.

Naming convention

The module of Hyper-V Scan uses the following naming convention:

VirtualMachineName\DiskX\VolumeY

Where X is the number of disks and Y is the number of volumes. For example:

Computer\Disk0\Volume1

The number suffix is added based on the detection order and is identical to the order seen in the Disk Manager of the VM. This naming convention is used in the tree-structured drop-down menu of targets to be scanned in the progress bar and log files.

Executing a scan

On-demand click Hyper-V Scan to view a list of Virtual Machines and volumes available for scanning. Select the Virtual Machine(s), disk(s) or volume(s) you want to scan and click Scan.

To create a scheduler task.

Via ESET PROTECT as a Client Task called Server Scan.

Hyper-V scan can be managed and started via eShell.

You can execute several Hyper-V scans simultaneously. You will receive a notification with a link to log files when a scan is complete.

Possible issues

When executing the scan of an online Virtual Machine, a checkpoint/snapshot of the specific Virtual Machine has to be created. While creating a checkpoint/snapshot, some generic actions of the Virtual Machine might be limited or disabled.

If an offline Virtual Machine is being scanned, it cannot be turned on until the scan is finished.

Hyper-V Manager enables you to name two different Virtual Machines identically, which presents an issue when trying to differentiate the machines while reviewing the scan logs.

 

To create a new profile, select Edit next to List of profiles, enter your own Profile name and then click Add. New profile will be displayed in the Selected profile drop-down menu that lists existing scan profiles.

The Scan targets for Hyper-V drop-down menu allows you to select pre-defined scan targets:

By profile settings

Selects targets set in the selected scan profile.

All virtual machines

Selects all virtual machines.

Powered on virtual machines

Selects all online VMs.

Powered off virtual machines

Selects all offline VMs.

No selection

Clears all selections.

Click the gear gear icon, modify the interval to Stop scan if it runs longer than (minutes), and change to preferred time (anything between 1 to 2880 minutes).

Click Scan to execute the scan using the custom parameters that you have set. After all scans are finished, check Log files > Hyper-V scan.

Hyper-V & Machine learning protection

Reporting is performed by detection engine and the machine learning component.

ThreatSense parameters

To modify scan parameters for Hyper-V scan.