A route to accessing Windows Early Launch Antimalware (ELAM).
Anti-malware products monitor Microsoft Windows for malware. They try to notice when new, unwanted software runs, but some malware can be extra sneaky and hide. To get ahead of the game, anti-malware products can start monitoring the system early, before other software applications start. The security software then watches as the various programs load during the Windows boot-up process.
Early Launch AntiMalware
While it is possible to run anti-malware software before other programs, it requires access to a special feature built into Windows. This is called Early Launch AntiMalware (ELAM).
Security vendors can create ELAM drivers that load earlier than many other applications. This gives them an early view of the system, and they could potentially prevent malicious drivers and other malware from loading when Windows starts up.
As Microsoft puts it, “AM drivers are initialized first and allowed to control the initialization of subsequent boot drivers, potentially not initializing unknown boot drivers.”
How to get in early
Vendors can’t just write a special driver and wedge it into the early stages of the Windows boot process, though. It has to meet various requirements. These include:
- Being a member of the Microsoft Virus Initiative (MVI)
- Submitting the driver to Microsoft’s Windows Hardware Quality Lab (WHQL)
SE Labs works with Microsoft to help security vendors gain access to this important feature. While we can’t help companies to write their drivers, we can help with MVI membership. Each MVI member must have its security solution certified annually by a recognised testing organisation. SE Labs is one such test lab.
For example, a product that achieves at least an ‘A’ rating in an SE Labs enterprise, small business or home user endpoint protection test subsequently fulfills Microsoft’s certification requirement.