ELAM (Early Launch Antimalware) and AVs supporting it

itman · Apr 4, 2022

If Webroot, or any AV for that matter, is using an ELAM driver, it must be located in the Win drivers directory. Below is a screen shot of Eset's ELAM driver.

Also, for an AV to be registered in MS Security Center, it must be using a MS signed ELAM driver.

Triple Helix · Apr 4, 2022

From the Webroot Log!

Mon 2022-04-04 10:46:17.0556 ScriptShield active config: 2S(2) yes, SR(2) yes, SSH yes, FLR no, RUD yes, SDE(2) yes, DSR no, DQT 65536, MFS 100, USE yes, UNR no
Mon 2022-04-04 10:46:17.0704 ELAM applicable: yes, driver present yes, driver registered yes, PPL: yes, PPL configured: yes, mandated: yes

3+ years ago when Beta Testing!

The driver is an Early Launch Anti-Malware (or ELAM) driver. Some of you may already be familiar with this.

We are interested to learn of any problems or issues you experience with this new component on your systems. Here is the important information:

WSA will only install and enable ELAM on Windows 10 version 1803 and greater (OS Build 17134.xxx).

WSA version must be 9.0.24.28 or higher to enable ELAM.

ELAM is necessary to start the WSA service as a protected process (PPL). Starting WSA as a protected process is required with the Windows 10 update 19H1 coming in April.

The ELAM driver itself is called “WRboot.sys” and it lives in C:\Windows\System32\drivers. It loads briefly at boot to validate our service as a protected process. If the system boots, ELAM is likely not causing a problem.

When ELAM is on for any eligible system WRLog.log will show at least one entry that looks like this:

Wed 2019-02-13 20:04:34.0306 ELAM applicable: yes, driver present yes, driver registered yes, PPL: yes, PPL configured: yes

Most systems will receive the configuration change within 18 hours. Please report any issues or questions to this thread.

Thanks!

Brad
Click to expand...

BoerenkoolMetWorst · Apr 4, 2022

Minimalist said: ↑

If you check digital signature, is it signed by Microsoft with Signer information called MS ELAM as shown below?

View attachment 272084
Click to expand...

Yes.

itman said: ↑

Also, for an AV to be registered in MS Security Center, it must be using a MS signed ELAM driver.
Click to expand...

Interesting. So almost all AV's already use ELAM or they wouldn't be able to register as an AV.

1PW · Apr 4, 2022

Hello All:

As I am not in the employ of Malwarebytes Corporation et al, therefore my non-authoritative contribution is:

Malwarebytes for Windows Premium has employed Early Launch AntiMalware for approximately five years encompassing versions that first appeared in late MB3 and all of MB4 to present. Some of this feature is within the kernel driver filename MbamElam.sys and others.

HTH

Log in or Sign up

ELAM (Early Launch Antimalware) and AVs supporting it

itman Registered Member

Triple Helix Specialist

BoerenkoolMetWorst Registered Member

1PW Registered Member

Log in or Sign up

ELAM (Early Launch Antimalware) and AVs supporting it

itman Registered Member

Triple Helix Specialist

BoerenkoolMetWorst Registered Member

1PW Registered Member

Useful Searches