Hyper-V scan

The current version of Hyper-V scan supports scanning online or offline virtual systems in Hyper-V. The supported scan types, by hosting Windows Hyper-V system and by state of the virtual system, are shown here:

| Virtual systems with Hyper-V feature | Online VM | Offline VM |
|---|---|---|
| Windows Server 2022 Hyper-V | read-only | read-only/cleaning |
| Windows Server 2019 Hyper-V | read-only | read-only/cleaning |
| Windows Server 2016 Hyper-V | read-only | read-only/cleaning |
| Windows Server 2012 R2 Hyper-V | read-only | read-only/cleaning |
| Windows Server 2012 Hyper-V | read-only | read-only/cleaning |
| Windows Server 2008 R2 SP1 Hyper-V | no scan | read-only/cleaning |

Hardware requirements

The server should have no performance issues running Virtual Machines. Scanning activity primarily uses CPU resources. To scan online VMs, free disk space is required. Disk space must be at least double the space used by checkpoints/snapshots and virtual disks.

Specific limitations

Scanning on RAID storage, Spanned Volumes and Dynamic Disks is not supported due to the nature of Dynamic Disks. Therefore, we recommend that you avoid using the Dynamic Disk type in your VMs if possible.

Scanning is always performed on the current VM and does not affect checkpoints or snapshots.

Hyper-V running on a host in a cluster is currently not supported by ESET Mail Security.

Virtual Machines on a Hyper-V host running on Windows Server 2008 R2 SP1 can only be scanned in read-only mode (No cleaning), regardless of what cleaning level is selected in ThreatSense parameters.


NOTE

While ESET Security supports the scan of virtual disk MBRs, read-only scanning is the only method supported for these targets. This setting can be changed in Advanced setup (F5) > Computer > Hyper-V scan > ThreatSense parameters > Boot sectors.

Virtual Machine to be scanned is "offline" - switched Off state

ESET Mail Security uses Hyper-V Management to detect and to connect to virtual disks. This way, ESET Mail Security has the same access to the content of the virtual disks it does when accessing data and files on any generic drive.

Virtual Machine to be scanned is "online" - Running, Paused, Saved state

ESET Mail Security uses Hyper-V Management to detect virtual disks. An actual connection to these disks is not possible. Therefore, ESET Mail Security creates a checkpoint/snapshot of the Virtual Machine, then connects to the checkpoint/snapshot. Once the scan is completed, the checkpoint/snapshot is deleted. This means that a read-only scan can be performed because the running Virtual Machine(s) are unaffected by scan activity.

Allow up to one minute for ESET Mail Security to create a snapshot or checkpoint during scanning. You should take this into account when running a Hyper-V scan on a larger number of Virtual Machines.

Naming convention

The Hyper-V scan module uses the following naming convention:

VirtualMachineName\DiskX\VolumeY

Where X is the disk number and Y is the volume number. For example:

Computer\Disk0\Volume1

The number suffix is added based on the order of detection, and is identical to the order seen in the Disk Manager of the VM. This naming convention is used in the tree-structured list of targets to be scanned, in the progress bar and also in the log files.

Executing a scan

On-demand - Click Hyper-V Scan to view a list of Virtual Machines and volumes available for scanning. Select the Virtual Machine(s), disk(s) or volume(s) you want to scan and click Scan.

By creating a scheduler task.

Via ESET PROTECT as a Client Task called Server Scan.

Hyper-V scan can be managed and started via eShell.

It is possible to execute several Hyper-V scans simultaneously. You will receive a notification with a link to log files when a scan is complete.

Possible issues

When scanning an online Virtual Machine, a checkpoint/snapshot of that Virtual Machine has to be created. While the checkpoint/snapshot is being created, some generic actions of the Virtual Machine might be limited or disabled.

If an offline Virtual Machine is being scanned, it cannot be turned on until the scan is finished.

Hyper-V Manager allows you to name two different Virtual Machines identically and this presents an issue when trying to differentiate the machines while reviewing the scan logs.
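
A pre-scan check for the disk-space rule under Hardware requirements and for the identical-name issue above, as an added PowerShell example that is not part of ESET's documentation or product. It uses the standard Hyper-V module cmdlets and assumes that "space used" means the on-disk size of every file in a VM's virtual disk chains, and that those files sit on local drive-letter volumes.

```powershell
#Requires -Modules Hyper-V
# Added example, not ESET code. Run in an elevated session on the Hyper-V host.
# Assumptions: "space used" is the on-disk size of every file in each VM's
# virtual disk chains (base disks plus checkpoint differencing disks), and the
# disk files sit on local drive-letter volumes (no UNC paths or mount points).

function Get-VhdChain {
    param([string]$Path)
    # Walk from a disk (possibly a checkpoint .avhdx) up through its parents.
    while ($Path) {
        $vhd = Get-VHD -Path $Path
        $vhd
        $Path = $vhd.ParentPath
    }
}

$vms = @(Get-VM)

# Identically named VMs are hard to tell apart in scan logs: list their IDs.
$vms | Group-Object -Property Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("VM name '{0}' is shared by IDs: {1}" -f $_.Name, ($_.Group.VMId -join ', '))
}

foreach ($vm in $vms) {
    # Drives attached to the current VM plus drives recorded in each checkpoint.
    $drives = @(Get-VMHardDiskDrive -VM $vm)
    foreach ($snap in @(Get-VMSnapshot -VM $vm)) {
        $drives += @(Get-VMHardDiskDrive -VMSnapshot $snap)
    }
    # Keep virtual disk files only; pass-through disks have no file to measure.
    $paths = @($drives.Path | Where-Object { $_ -match '\.a?vhdx?$' })
    if ($paths.Count -eq 0) { continue }
    $files = $paths | ForEach-Object { Get-VhdChain -Path $_ } |
        Sort-Object -Property Path -Unique
    $used = ($files | Measure-Object -Property FileSize -Sum).Sum
    # Free space is read from the drive that holds the first disk file only.
    $root = [System.IO.Path]::GetPathRoot($paths[0])
    $free = ([System.IO.DriveInfo]::new($root)).AvailableFreeSpace
    $online = $vm.State -ne 'Off'   # Running, Paused and Saved count as online
    [pscustomobject]@{
        VM      = $vm.Name
        VMId    = $vm.VMId
        State   = $vm.State
        UsedGB  = [math]::Round($used / 1GB, 1)
        FreeGB  = [math]::Round($free / 1GB, 1)
        # Online scans need free space of at least double the space used.
        SpaceOK = (-not $online) -or ($free -ge 2 * $used)
    }
}
```

Each VM is checked on its own, so when several online VMs share a drive and are scanned simultaneously, add their UsedGB values before comparing against FreeGB.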