
SentinelOne Singularity exclusions for Hyper-V hosts

Configure SentinelOne Singularity exclusions for Hyper-V hosts to prevent VHDX locking and improve virtualization performance on Windows servers.

12 min read | Updated April 2026


Why Exclusions are Necessary for Virtualization

SentinelOne Singularity provides robust endpoint protection through deep kernel integration. However, the same monitoring technology can conflict with the high-performance requirements of Microsoft Hyper-V. Virtual machine operations require low-latency access to large disk files and memory regions.

Hyper-V uses the Virtual Machine Worker Process to manage individual instances. This process performs frequent writes to VHDX and AVHDX files. SentinelOne monitors these file operations in real time. Without proper configuration, the agent can cause file locking conflicts that interrupt virtual machine stability.

These conflicts often manifest as sluggish performance or failed live migrations. In severe cases, the host may prevent a virtual machine from starting because the VHDX file is held by the security agent. Implementing vendor-specific exclusions prevents these bottlenecks. This strategy maintains security visibility without sacrificing server throughput.

Configuring exclusions requires administrative access to the SentinelOne Management Console. All changes should be applied at the appropriate scope to ensure consistency across the environment. Use the Global or Account scope for universal policies, or the Site scope for specific clusters.

Start by logging into your console and selecting the Sentinels menu from the left sidebar. Click on the Exclusions tab at the top of the interface. This panel displays all currently active exclusions for the selected scope. You will see categories for Path, Hash, and Certificate.

Click the New Exclusion button to open the configuration panel. You must choose the correct Exclusion Type for each entry. For Hyper-V components, you will primarily use Path and Directory types. Ensure you select the correct OS version, which is Windows for Hyper-V environments.

The Hyper-V Exclusion List

Effective exclusions must cover service processes, configuration directories, and storage locations. Microsoft recommends excluding several default paths and processes to ensure reliable operation. If you use custom storage locations, adapt these paths to match your environment.

Directory Exclusions

Directory exclusions prevent the agent from scanning large virtualization files that are known to be safe. These should generally be set to Interoperability mode in the SentinelOne console. This mode tells the agent to allow the activity while still monitoring for malicious patterns.

  • Default Configuration Directory: %ProgramData%\Microsoft\Windows\Hyper-V. This folder contains the virtual machine configuration files and snapshots. Interruption here can cause the host to lose track of VM states.
  • Default Virtual Disk Storage: %SystemDrive%\Users\Public\Documents\Hyper-V\Virtual Hard Disks. Many admins move this location to a dedicated data drive. If you use a D or E drive for storage, exclude those specific paths.
  • Cluster Shared Volumes: C:\ClusterStorage\*. For organizations running Hyper-V clusters, this directory is critical. It hosts the shared storage for all nodes in the cluster.

Process Exclusions

Process exclusions prevent the agent from injecting code or monitoring every operation of the Hyper-V management tools. These processes are trusted system components. Monitoring them adds unnecessary overhead to the CPU and disk queue.

  • Virtual Machine Management Service: %systemroot%\System32\Vmms.exe. This is the primary management service for Hyper-V. It coordinates all VM operations on the host.
  • Virtual Machine Worker Process: %systemroot%\System32\Vmwp.exe. Each running virtual machine has its own instance of this process. High CPU usage on the host is often caused by security agents scanning this process's activity.
  • Snapshot Operations: %systemroot%\System32\Vmsnap.exe. This process handles the creation and merging of virtual machine checkpoints. Failures here lead to orphaned snapshots and disk bloat.

File Extension Exclusions

If your security policy allows it, you can also exclude specific file extensions. This is helpful when virtual disks are spread across many different folders. Use this as a secondary measure to complement directory exclusions.

  • .vhd and .vhdx: These are the primary virtual hard disk formats. They are often several hundred gigabytes in size.
  • .avhdx: These are differencing disks used for snapshots. They are frequently written to during normal operation.
  • .iso: Virtual media files used for operating system installations. Scanning these during a boot process can slow down VM startup times.

Verifying Exclusion Implementation

Once you save the exclusions in the console, they must propagate to the local agents. This process typically takes a few minutes. You can verify that the settings are active through the Management Console or the local server command line.

In the Management Console, navigate to the Sentinels list and select a host. View the Policy tab for that specific agent. You should see a list of applied exclusions. If the list is empty, ensure the agent has checked in recently.

On the local server, use PowerShell to monitor Hyper-V performance. Run the command Get-VM to ensure all machines are in a Running state. Check the Windows Event Viewer under Applications and Services Logs. Look for Microsoft-Windows-Hyper-V-VMMS events to confirm there are no file access errors.
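
The local check described above can be scripted as follows. This is an added example, not part of the original article or any vendor tooling; the function name, the 24-hour window, the use of the Microsoft-Windows-Hyper-V-VMMS-Admin channel and the text match on disk file extensions are assumptions to adjust for your host.

```powershell
# Added example: health check to run on the Hyper-V host after exclusions propagate.
# Requires an elevated session and the Hyper-V PowerShell module.
function Get-HyperVPostChangeReport {
    param(
        [int]$LookbackHours = 24,   # assumption: review window, set it to cover your change time
        [string]$LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
    )

    # VMs that are not Running (some may be off on purpose; review each one)
    $notRunning = @(Get-VM | Where-Object State -ne 'Running' |
        Select-Object Name, State, Status)

    # Critical (1), Error (2) and Warning (3) VMMS events inside the window.
    # Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            Level     = 1, 2, 3
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue)

    # Events whose text names a virtual disk or ISO file are the likeliest
    # file access problems (heuristic text match, not a list of event IDs).
    $diskEvents = @($events | Where-Object {
            $_.Message -match '\.(avhdx?|vhdx?|iso)\b' })

    [pscustomobject]@{
        NotRunning  = $notRunning
        EventCount  = $events.Count
        ByEventId   = $events | Group-Object Id | Sort-Object Count -Descending |
                          Select-Object Count, Name
        DiskRelated = $diskEvents | Select-Object TimeCreated, Id, Message
    }
}

$report = Get-HyperVPostChangeReport -LookbackHours 24
$report.NotRunning  | Format-Table -AutoSize
$report.ByEventId   | Format-Table -AutoSize
$report.DiskRelated | Format-List
```

Run it once before applying the exclusions and again afterwards; the same event IDs still appearing in DiskRelated after the change point to a path that the exclusion list does not cover.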

Common Pitfalls

A common mistake is applying a Path exclusion when a Directory exclusion is required. If you are excluding a folder, make sure the recursive option is enabled. This ensures that subfolders containing disk images are also protected from interference.

Another pitfall is using the wrong exclusion mode. SentinelOne offers Performance, Interoperability, and Suppress modes. Using Suppress mode on a critical system process can hide actual threats. Interoperability is the balanced choice for virtualization hosts.

Avoid using environment variables that the local system might not recognize. While %ProgramData% is standard, hardcoding the full path is often more reliable. C:\ProgramData\Microsoft\Windows\Hyper-V is clearer and less prone to resolution errors. Always double-check for trailing backslashes in your paths.
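
One way to build the directory list from the host's real configuration, covering the custom storage locations and the path pitfalls above. This is an added example, not part of the original article or SentinelOne tooling; the function names, the fallback sample paths and the choice to normalise to a single trailing backslash are assumptions, so confirm the form your console version expects.

```powershell
# Added example: derive candidate Directory exclusions from the Hyper-V host itself.
function ConvertTo-ExclusionPath {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        # Replace %VAR% tokens with the literal path on this host
        $full = [Environment]::ExpandEnvironmentVariables($Path.Trim())
        if ($full -match '%[^%\\]+%') {
            # Unknown variables are left unexpanded; never ship those to the console
            Write-Warning "Unresolved variable in '$Path', skipped"
            return
        }
        # Assumption: one consistent form, no wildcard suffix, one trailing backslash
        $full.TrimEnd('*').TrimEnd('\') + '\'
    }
}

function Get-HyperVExclusionCandidate {
    # Default locations named in the article
    $paths = @(
        '%ProgramData%\Microsoft\Windows\Hyper-V'
        '%SystemDrive%\Users\Public\Documents\Hyper-V\Virtual Hard Disks'
    )
    if (Get-Command Get-VMHost -ErrorAction SilentlyContinue) {
        # Host-level defaults, which admins often move to a data drive
        $vmHost = Get-VMHost
        $paths += $vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath
        # Per-VM configuration and checkpoint folders
        $paths += Get-VM | ForEach-Object { $_.ConfigurationLocation; $_.SnapshotFileLocation }
        # Parent folder of every attached virtual disk (pass-through disks are skipped)
        $paths += Get-VM | Get-VMHardDiskDrive |
            Where-Object { $_.Path -match '\.a?vhdx?$' } |
            ForEach-Object { Split-Path -Parent $_.Path }
    }
    else {
        # Constructed sample values so the function can be tried off-host
        $paths += 'D:\Hyper-V\Virtual Hard Disks\', 'd:\hyper-v\virtual hard disks',
                  '%NoSuchVariable%\VMs'
    }
    # Sort-Object -Unique compares case-insensitively, so duplicates collapse
    $paths | Where-Object { $_ } | ConvertTo-ExclusionPath | Sort-Object -Unique
}

Get-HyperVExclusionCandidate
```

Compare the output with the exclusions already defined for the scope and exclude only the folders that actually hold VM files, not an entire data drive.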

Authoritative Resources

Microsoft maintains a list of recommended antivirus exclusions for all server roles. This list is updated whenever new versions of Hyper-V are released. You should review these recommendations at least once per year or after major OS upgrades.

For the latest technical bulletins and agent compatibility notes, visit the SentinelOne resources center. You can find detailed implementation guides at https://www.sentinelone.com/resources/. Their documentation provides the most current strings for process names and service paths across different agent versions.
