ELAM (Early Launch Antimalware) and AVs supporting it

I've been looking for info about antiviruses and their support for ELAM on Windows 8. There is not much info about it on web and on this forum also. So I decided to start a new thread.

Here is some info about ELAM for those who don't know about it:
http://msdn.microsoft.com/en-us/library/windows/desktop/hh848061(v=vs.85).aspx

I was looking which AVs support it and could only find these:
Kaspersky: http://www.kaspersky.com/windows-8
Symantec: http://www.symantec.com/business/support/index?page=content&id=HOWTO81107
Bitdefender: http://www.bitdefender.com/solutions/windows-8-security.html
McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB65784
TrendMicro: http://esupport.trendmicro.com/solution/en-US/1095123.aspx
AVG: Google search found some mentions of their ELAM driver.

For others I didn't find any reference to ELAM support.

Any additional information about AVs supporting it and your experience with it would be greatly appreciated.

 

ZoneAlarm Internet Security Suite

 

When I've checked Microsoft's ELAM driver requirements, I found out that one requirement is:

So I decided to do a little test with AVs and check which AVs store driver in c:\Windows\ELAMBKUP\

I conducted my test in VirtualBox with Windows 8.1 x64 guest system. System has all updates installed.
I downloaded latest versions of different AVs and installed them using default settings. After installation I rebooted VM and checked if there was an AV driver in C:\Windows\ELAMBKUP\

I don't know if this is correct way to check ELAM support but here are my results:



Regards

 

@Simplicity
Nice idea. And I think it's a good way to check this.

Great table!

 

Thank you @rugk . Testing took me 6 hours but it was interesting to see how different AVs install and behave during and right after install

 

@Simplicity

Nice job

 

Thnx @SweX

 

Heh love how each vendor chose to use a version of elam to name the driver, while AVG names it to avgboota.
Btw it seems that CIS 7.0.317799.4142 doesn't have the backup driver in my computer, maybe you would like to add it to the table.

 

This is a snippet from avast! Blog which is not online anymore in the old form. If avast! 7 already had ELAM support, avast! 2015 should have it as well...

EDIT:
Actually i found it here:
http://press.avast.com/avast-software-the-new-avast-7-free-antivirus-is-here

 

@phalanaxus Thanks I added CIS and tested additional 15 AVs.

@RejZoR I will recheck Avast.

 

@RejZoR
I rechecked Avast and couldn't find ELAM driver in C:\Windows\ELAMBKUP\.
In Microsoft's ELAM Prerequisites we can read:

I checked all other ELAM drivers that I've collected and all of them were signed by "Microsoft Windows Early Launch Anti-malware Publisher". After Avast installation I couldn't find a driver signed by this publisher. All Avast drivers were signed by Avast itself.
IDK, they might integrate ELAM driver without following Microsoft's design guide?

 

Could be. I guess avast! staff would be the best way to find out.

 

Its not possible for Avast to do that. The reason why it needs to be signed by Microsoft is because the OS will only launch Microsoft files first before anything else, so if its not signed by Microsoft, it cannot enjoy being launched early. If you can't find drivers from avast signed by Microsoft, it means Avast is not using ELAM.

 

Thank you for clarification. If this is how OS will boot then I guess Avast is not using ELAM driver. It makes sense also, otherwise everyone could release ELAM driver - even bad guys, who would sign it with stolen certificates.

 

I was wondering if my current system would support ELAM but it's a Windows 7 system updated to Tech Preview and my hardware doesn't support UEFI (Unified Extensible Firmware Interface) "Secure Boot" so unfortunately not. No UEFI no ELAM.

 

From Windows 8 Boot Security FAQ:

 

Thanks, I activated Windows Defender based on that.

 

I retested some of more popular AVs and here are new results:

 

I imagine anyone on 8 or 10 would have that driver? I have the Wdboot.sys driver and only have WD set for manual scans.

 

The default Win 10 ELAM driver is wdboot.sys. It is use by Windows Defender. Most third party AV software will disable Windows Defender as part of their installation processes. When that occurs, the wdboot.sys driver will no longer load.