Managing early launch anti-malware (ELAM) detections

Article: HOWTO81107  |  Created: 2012-10-24  |  Updated: 2014-09-21
Article Type: How To


Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. Malicious software can load as a driver or rootkits might attack before the operating system completely loads and Symantec Endpoint Protection starts. Rootkits can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup.


ELAM is only supported on Microsoft Windows 8 and Windows Server 2012.

Symantec Endpoint Protection provides an ELAM driver that works with the Windows ELAM driver to provide the protection. The Windows ELAM driver must be enabled for the Symantec ELAM driver to have any effect.

You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
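The Group Policy setting referred to above (Boot-Start Driver Initialization Policy, under Computer Configuration > Administrative Templates > System > Early Launch Antimalware) is written to the registry, so its effect can be checked on a client without opening the editor. The following PowerShell script is an added example, not part of this article or the product: it reads that policy, reports which driver classifications Windows will allow to load, and lists the drivers registered in the Early-Launch load order group, where ELAM drivers live. The value-to-meaning mapping follows the Windows ELAM documentation; the Symantec ELAM driver's service name is not given on this page, so the script lists every driver in the group rather than assuming one.

```powershell
# Added example: inspect the Windows ELAM boot-start driver policy and the
# drivers registered in the Early-Launch group. Run as an administrator on
# Windows 8 / Windows Server 2012 (the platforms this article covers).

function Get-ElamBootPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    # Meanings per the Windows ELAM documentation. When the Group Policy setting
    # has never been configured the value is absent and Windows behaves as 3,
    # i.e. good and unknown drivers load (matches "By default, Windows ELAM
    # allows unknown drivers to load").
    $policyNames = @{
        1 = 'Good only'
        3 = 'Good and unknown (Windows default)'
        8 = 'Good, unknown and bad but critical'
        7 = 'All (no driver is blocked)'
    }
    $value = 3
    $item = Get-ItemProperty -Path $key -Name DriverLoadPolicy -ErrorAction SilentlyContinue
    if ($item) { $value = [int]$item.DriverLoadPolicy }

    [pscustomobject]@{
        DriverLoadPolicy       = $value
        Description            = $policyNames[$value]
        UnknownDriversLoad     = $value -in @(3, 8, 7)
        BadCriticalDriversLoad = $value -in @(8, 7)
        BadDriversLoad         = $value -eq 7
    }
}

function Get-EarlyLaunchDrivers {
    # ELAM drivers are registered with Group = "Early-Launch" in their service key.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.Group -eq 'Early-Launch' } |
        Select-Object PSChildName, ImagePath, Start
}

$policy = Get-ElamBootPolicy
$policy | Format-List
if ($policy.UnknownDriversLoad) {
    # With this policy, detections that the Symantec override reports to Windows
    # as "unknown" are allowed to load and appear in the Risk log as Log only.
    Write-Warning 'Unknown drivers load at boot; ELAM detections reported as unknown are logged, not blocked.'
}
Get-EarlyLaunchDrivers | Format-Table -AutoSize
```

If no driver appears in the Early-Launch group, the Symantec ELAM driver is not registered and the Computer Status log should show ELAM as disabled.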

Table: Managing ELAM detections

View the status of ELAM on your client computers

You can see whether Symantec Endpoint Protection ELAM is enabled in the Computer Status log.

See Viewing logs.

View ELAM detections

You can view early launch anti-malware detections in the Risk log.

When Symantec Endpoint Protection ELAM is configured to report detections of bad or bad critical drivers as unknown to Windows, Symantec Endpoint Protection logs the detections as Log only. By default, Windows ELAM allows unknown drivers to load.

See Viewing logs.

Enable or disable ELAM

You might want to disable Symantec Endpoint Protection ELAM to help improve computer performance.

See Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options.

See Adjusting scans to improve computer performance.

Adjust ELAM detection settings if you get false positives

The Symantec Endpoint Protection ELAM settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. You might want to select the override option if you get false positive detections that block an important driver. If you block an important driver, you might prevent client computers from starting up.


ELAM does not support a specific exception for an individual driver. The override option applies globally to ELAM detections.

See Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options.

Run Power Eraser on ELAM detections that Symantec Endpoint Protection cannot remediate

In some cases, an ELAM detection requires Power Eraser. In those cases, a message appears in the log suggesting that you run Power Eraser. You can run Power Eraser from the console. Power Eraser is also part of the Symantec Help tool. You should run Power Eraser in rootkit mode.

See Starting Power Eraser analysis from Symantec Endpoint Protection Manager.

See Troubleshooting computer issues with the Symantec Help support tool.
