ELAM (Early Launch Antimalware) and AVs supporting it

Discussion in 'other anti-malware software' started by Minimalist, Oct 19, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I've been looking for info about antiviruses and their support for ELAM on Windows 8. There is not much info about it on the web, nor on this forum. So I decided to start a new thread.

    Here is some info about ELAM for those who don't know about it:
    http://msdn.microsoft.com/en-us/library/windows/desktop/hh848061(v=vs.85).aspx

    I was looking at which AVs support it and could only find these:
    Kaspersky: http://www.kaspersky.com/windows-8
    Symantec: http://www.symantec.com/business/support/index?page=content&id=HOWTO81107
    Bitdefender: http://www.bitdefender.com/solutions/windows-8-security.html
    McAfee: https://kc.mcafee.com/corporate/index?page=content&id=KB65784
    TrendMicro: http://esupport.trendmicro.com/solution/en-US/1095123.aspx
    AVG: Google search found some mentions of their ELAM driver.

    For others I didn't find any reference to ELAM support.

    Any additional information about AVs supporting it and your experience with it would be greatly appreciated.
     
    Last edited: Oct 19, 2014
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    When I checked Microsoft's ELAM driver requirements, I found out that one requirement is:
    So I decided to do a little test with AVs and check which AVs store a driver in c:\Windows\ELAMBKUP\

    I conducted my test in VirtualBox with a Windows 8.1 x64 guest system. The system has all updates installed.
    I downloaded the latest versions of different AVs and installed them using default settings. After installation I rebooted the VM and checked if there was an AV driver in C:\Windows\ELAMBKUP\

    I don't know if this is the correct way to check ELAM support, but here are my results:

    Test.jpg

    Regards
     
    Last edited: Oct 25, 2014
  4. rugk

    rugk Registered Member

    Joined:
    Aug 6, 2014
    Posts:
    11
    @Simplicity
    Nice idea. And I think it's a good way to check this.

    Great table! :)
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Thank you @rugk . Testing took me 6 hours but it was interesting to see how different AVs install and behave during and right after install :)
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  8. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
    Heh, love how each vendor chose to use a version of "elam" to name the driver, while AVG names it avgboota.
    Btw, it seems that CIS 7.0.317799.4142 doesn't have the backup driver on my computer; maybe you would like to add it to the table.
     
  9. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    This is a snippet from the avast! Blog, which is not online anymore in its old form. If avast! 7 already had ELAM support, avast! 2015 should have it as well...

    EDIT:
    Actually I found it here:
    http://press.avast.com/avast-software-the-new-avast-7-free-antivirus-is-here
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    @phalanaxus Thanks, I added CIS and tested 15 additional AVs.

    @RejZoR I will recheck Avast.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    @RejZoR
    I rechecked Avast and couldn't find an ELAM driver in C:\Windows\ELAMBKUP\.
    In Microsoft's ELAM Prerequisites we can read:
    I checked all the other ELAM drivers that I've collected and all of them were signed by "Microsoft Windows Early Launch Anti-malware Publisher". After the Avast installation I couldn't find a driver signed by this publisher. All Avast drivers were signed by Avast itself.
    IDK, they might integrate an ELAM driver without following Microsoft's design guide?
     
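    The check Minimalist describes in posts #3 and #11 (look in C:\Windows\ELAMBKUP\ and see who signed each driver) can be scripted. The script below is an added example and is not from the thread or from any vendor; it assumes the backup directory and the publisher name "Microsoft Windows Early Launch Anti-malware Publisher" exactly as they are quoted in the thread, and it should be run from an elevated Windows PowerShell prompt.

```powershell
# Added example, not part of the original thread.
# Lists every .sys file in the ELAM backup directory, reads the same fields the
# File Properties "Details" tab shows, and checks the Authenticode signer against
# the publisher name reported in the thread (assumption: that exact subject string).

$ElamBackupDir  = Join-Path $env:SystemRoot 'ELAMBKUP'
$ExpectedSigner = 'Microsoft Windows Early Launch Anti-malware Publisher'

function Get-ElamBackupDriverReport {
    param(
        [string]$Path   = $ElamBackupDir,
        [string]$Signer = $ExpectedSigner
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "ELAM backup directory not found: $Path"
        return
    }

    Get-ChildItem -LiteralPath $Path -Filter '*.sys' -File | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $ver     = $_.VersionInfo

        [pscustomobject]@{
            Driver          = $_.Name
            Description     = $ver.FileDescription   # empty for WRBoot.sys per post #24
            Company         = $ver.CompanyName
            FileVersion     = $ver.FileVersion
            SignatureStatus = $sig.Status            # Valid / NotSigned / HashMismatch ...
            Signer          = $subject
            # An ELAM driver should carry a valid signature from the ELAM publisher
            IsElamSigned    = ($sig.Status -eq 'Valid') -and ($subject -like "*$Signer*")
            LastWriteTime   = $_.LastWriteTime
        }
    }
}

# Print the table; drivers with IsElamSigned = False deserve a closer look.
Get-ElamBackupDriverReport | Format-Table -AutoSize
```

One caveat when reading the output: Get-AuthenticodeSignature reports only the primary signature of a file. A driver that is dual-signed (vendor certificate first, Microsoft second) would show the vendor as Signer here even though a Microsoft signature is present, so a False in IsElamSigned is a prompt to open the Digital Signatures tab by hand, not a final verdict.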
  12. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Could be. I guess avast! staff would be the best way to find out.
     
  13. Cch123

    Cch123 Registered Member

    Joined:
    Oct 27, 2013
    Posts:
    15
    It's not possible for Avast to do that. The reason why it needs to be signed by Microsoft is because the OS will only launch Microsoft files first before anything else, so if it's not signed by Microsoft, it cannot enjoy being launched early. If you can't find drivers from Avast signed by Microsoft, it means Avast is not using ELAM.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Thank you for the clarification. If this is how the OS boots, then I guess Avast is not using an ELAM driver. It makes sense also; otherwise everyone could release an ELAM driver - even bad guys, who would sign it with stolen certificates.
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I was wondering if my current system would support ELAM, but it's a Windows 7 system updated to the Tech Preview and my hardware doesn't support UEFI (Unified Extensible Firmware Interface) "Secure Boot", so unfortunately not. No UEFI, no ELAM.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Windows 8 Boot Security FAQ:
     
  17. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I retested some of more popular AVs and here are new results:

    upload_2017-1-21_22-4-0.png
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I imagine anyone on 8 or 10 would have that driver? I have the Wdboot.sys driver and only have WD set for manual scans.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The default Win 10 ELAM driver is wdboot.sys. It is used by Windows Defender. Most third-party AV software will disable Windows Defender as part of its installation process. When that occurs, the wdboot.sys driver will no longer load.
     
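    The file in ELAMBKUP is only the backup copy; whether a driver such as wdboot.sys is actually registered to run at boot is recorded in its service entry. The script below is an added example, not from the thread or from Microsoft; it assumes (from Microsoft's ELAM driver requirements) that ELAM drivers register with Group = "Early-Launch" and Start = 0 (boot start), and it uses Win32_SystemDriver because Get-Service does not list kernel drivers. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not part of the original thread.
# Enumerates services whose load-order group is "Early-Launch" (assumed to be the
# group ELAM drivers register in), resolves their image path, and reports start type
# and whether the image file is present on disk.

function Get-EarlyLaunchDriverStatus {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.Group -ne 'Early-Launch') { return }   # skip everything else

        # ImagePath is usually relative to the Windows directory, e.g.
        # "system32\drivers\WdBoot.sys" or "\SystemRoot\system32\drivers\wd\WdBoot.sys".
        $image = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath).Trim('"')
        if ($image -match '^\\SystemRoot\\(.*)$') {
            $image = Join-Path $env:SystemRoot $Matches[1]
        } elseif ($image -and -not [IO.Path]::IsPathRooted($image)) {
            $image = Join-Path $env:SystemRoot $image
        }

        $name  = $_.PSChildName
        $start = [int]$props.Start
        $drv   = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Service     = $name
            ImagePath   = $image
            ImageExists = [bool]($image -and (Test-Path -LiteralPath $image))
            StartType   = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { $start }
            # ELAM drivers are unloaded once boot-start drivers are initialized,
            # so "Stopped" here after boot is the normal state for a working driver.
            State       = if ($drv) { $drv.State } else { 'n/a' }
        }
    }
}

Get-EarlyLaunchDriverStatus | Format-Table -AutoSize
```

On a machine where a third-party AV has taken over from Windows Defender you would expect the WdBoot entry to show a start type other than Boot (or to be gone), and the vendor's own entry to show Boot with ImageExists = True; an entry whose image file is missing is the case to investigate, because the kernel cannot load it at the next boot.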
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Today I retested the AVs for ELAM support, and most of them support it now:

    upload_2020-6-20_22-37-43.png
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    One notable exception - Norton/Symantec.
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    They wanted my credit card to test it, so I didn't bother with it. Since they had an ELAM driver in the previous test I made in 2017, they most likely have it now also.

    EDIT: other AVs I've had trouble obtaining a trial/install/registration for are: Sophos, K7, Webroot, Comodo.
     
    Last edited: Jun 20, 2020
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I just came across this thread as ELAM was mentioned in the ESET thread. I was curious about Webroot, since I used Prevx a lot and Webroot SecureAnywhere in the early days. I installed the trial (v9.0.31.84) and there is NO Webroot file in C:\Windows\ELAMBKUP\.

    EDIT: I did check C:\Windows\ELAMBKUP\ immediately after rebooting, and there was still no Webroot file there. However, a little later WRBoot.sys appeared. If I check the Details tab in File Properties, however, there is no description, name, file version etc.
     
    Last edited: Apr 4, 2022
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    If you check the digital signature, is it signed by Microsoft with the Signer information called MS ELAM, as shown below?

    upload_2022-4-4_15-46-8.png
     