Hyper-V scan

This type of scan lets you scan the disks of virtual machines (VMs) hosted on a Microsoft Hyper-V Server without installing any Agent on the VM. ESET security is installed on the Hyper-V server using Administrative privileges.

The current version of Hyper-V scan supports scanning of online or offline virtual systems in Hyper-V. The supported types of scanning, according to the hosting Windows Hyper-V system and the state of the virtual system, are shown here:

| Virtual systems with Hyper-V feature | Windows Server 2008 R2 Hyper-V | Windows Server 2012 Hyper-V | Windows Server 2012 R2 Hyper-V | Windows Server 2016 Hyper-V |
|---|---|---|---|---|
| online VM | no scan | read-only | read-only | read-only |
| offline VM | read-only/cleaning | read-only/cleaning | read-only/cleaning | read-only/cleaning |

Hardware requirements

The server should have no performance issues running Virtual Machines. Scanning activity primarily uses CPU resources.

To scan online VMs, free disk space is required. Disk space must be at least double the space used by checkpoints/snapshots and virtual disks.

Specific limitations

Scanning on RAID storage, Spanned Volumes and Dynamic Disks is not supported due to the nature of Dynamic Disks. Therefore, we recommend that you avoid using the Dynamic Disk type in your VMs if possible.

Scanning is always performed on the current VM and does not affect checkpoints or snapshots.

Hyper-V running on a host in a cluster is currently not supported by ESET Mail Security.

Virtual Machines on a Hyper-V host running on Windows Server 2008 R2 can only be scanned in read-only mode (No cleaning), regardless of what cleaning level is selected in ThreatSense parameters.

NOTE

While ESET Security supports the scan of virtual disk MBRs, read-only scanning is the only method supported for these targets. This setting can be changed in Advanced setup > Computer > Hyper-V scan > ThreatSense parameters > Boot sectors.

Virtual Machine to be scanned is "offline" - switched Off state

ESET Mail Security uses Hyper-V Management to detect and connect to virtual disks. This way, ESET Mail Security has the same access to the content of the virtual disks as it does when accessing data and files on any generic drive.

Virtual Machine to be scanned is "online" - Running, Paused, Saved state

ESET Mail Security uses Hyper-V Management to detect virtual disks. Actual connection to these disks is not possible. Therefore, ESET Mail Security creates a checkpoint/snapshot of the Virtual Machine, then connects to the checkpoint/snapshot. Once the scan is completed, the checkpoint/snapshot is deleted. This means that a read-only scan can be performed because the running Virtual Machine(s) are unaffected by scan activity.

Allow up to one minute for ESET Security to create a snapshot or checkpoint during scanning. You should take this into account when running a Hyper-V scan on a larger number of Virtual Machines.

Naming convention

The Hyper-V scan module uses the following naming convention:

VirtualMachineName\DiskX\VolumeY

where X is the disk number and Y is the volume number.

For example, "Computer\Disk0\Volume1".

The number suffix is added based on the order of detection, and is identical to the order seen in the Disk Manager of the VM.

This naming convention is used in the tree-structured list of targets to be scanned, in the progress bar and also in the log files.

Executing a scan

A scan can be executed in three ways:

On-demand - Click Hyper-V Scan to view a list of Virtual Machines and volumes available for scanning.

Select the Virtual Machine(s), disk(s) or volume(s) you want to scan and click Scan.

Via the scheduler.

Via ESET Remote Administrator as a Client Task called Server Scan.

It is possible to execute several Hyper-V scans simultaneously.

You will receive a notification with a link to log files when a scan is complete.

Possible issues

When an online Virtual Machine is scanned, a checkpoint/snapshot of that Virtual Machine has to be created. While the checkpoint/snapshot is being created, some generic actions of the Virtual Machine might be limited or disabled.

If an offline Virtual Machine is being scanned, it cannot be turned on until the scan is finished.

Hyper-V Manager allows you to name two different Virtual Machines identically, which presents an issue when trying to differentiate the machines while reviewing the scan logs.
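
The points above that matter before a scan (online or offline state, free space for checkpoints, identically named VMs) can be checked on the host beforehand. The following PowerShell is an added example, not ESET code; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later), an elevated session, and virtual disks stored on local drive-letter volumes. Get-VhdChainSize and the report column names are made up for the example.

```powershell
# Added example, not ESET code. Assumes the Hyper-V PowerShell module
# (Windows Server 2012 or later) and an elevated session on the host.
Import-Module Hyper-V

function Get-VhdChainSize {
    # Hypothetical helper: on-disk size in bytes of a virtual disk plus every
    # parent in its checkpoint (differencing) chain.
    param([string]$Path)
    [uint64]$total = 0
    while ($Path) {
        $vhd    = Get-VHD -Path $Path
        $total += $vhd.FileSize
        $Path   = $vhd.ParentPath
    }
    $total
}

$vms = @(Get-VM)
# Names used by more than one VM cannot be told apart in Name\DiskX\VolumeY log entries.
$duplicates = @($vms | Group-Object Name | Where-Object Count -gt 1 | ForEach-Object Name)

$report = foreach ($vm in $vms) {
    $state = $vm.State.ToString()
    # Per this page: Off = offline; Running, Paused, Saved = online (checkpoint, read-only).
    $mode = switch ($state) {
        'Off'                                   { 'read-only/cleaning' }
        { $_ -in 'Running', 'Paused', 'Saved' } { 'read-only' }
        default                                 { 'state not covered' }
    }
    # Only VHD/VHDX files; pass-through disks have no file to measure.
    $paths = @(Get-VMHardDiskDrive -VM $vm | ForEach-Object Path |
               Where-Object { $_ -match '\.a?vhdx?$' })
    [uint64]$used = 0
    foreach ($p in $paths) { $used += Get-VhdChainSize -Path $p }
    # Assumption: all disks of the VM sit on the local volume of the first one.
    $free = if ($paths.Count -gt 0) { (Get-Item -LiteralPath $paths[0]).PSDrive.Free } else { 0 }

    [pscustomobject]@{
        Name          = $vm.Name
        VMId          = $vm.VMId   # stays unique when names collide
        State         = $state
        ScanMode      = $mode
        DuplicateName = $duplicates -contains $vm.Name
        UsedGB        = [math]::Round($used / 1GB, 1)
        FreeGB        = [math]::Round($free / 1GB, 1)
        # Online scans need free space of at least double the disks plus checkpoints.
        SpaceOK       = ($mode -ne 'read-only') -or ($free -ge 2 * $used)
    }
}
$report | Format-Table -AutoSize
```

Rows with DuplicateName set to True are the ones whose scan log entries will be ambiguous; the VMId column identifies which machine is which.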