Managing early launch anti-malware (ELAM) detections
Article: HOWTO81107 | Created: 2012-10-24 | Updated: 2013-06-06 | Article URL: http://www.symantec.com/docs/HOWTO81107
Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. Malicious software can load as a driver, or rootkits might attack before the operating system completely loads and Symantec Endpoint Protection starts. Rootkits can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup.
Symantec Endpoint Protection provides an ELAM driver that works with the Windows ELAM driver to provide the protection. The Windows ELAM driver must be enabled for the Symantec ELAM driver to have any effect.
You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows 8 documentation for more information.
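The Windows ELAM setting in Group Policy is "Boot-Start Driver Initialization Policy", which Windows stores as the `DriverLoadPolicy` registry value. The following PowerShell check is an added example, not part of the Symantec article or product; it reads that value on the local computer and reports which driver classifications Windows will initialize, which determines what happens to a driver that Symantec Endpoint Protection ELAM reports as unknown. The function name `Get-ElamDriverLoadPolicy` and the output property names are hypothetical.

```powershell
# Added example: report the Windows ELAM boot-start driver policy on this computer.
# Group Policy "Boot-Start Driver Initialization Policy" is stored in this value.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$valueName = 'DriverLoadPolicy'

# Driver classifications that Windows initializes for each policy value.
$policies = @{
    8 = @('Good')
    1 = @('Good', 'Unknown')
    3 = @('Good', 'Unknown', 'Bad but critical')
    7 = @('Good', 'Unknown', 'Bad but critical', 'Bad')
}

function Get-ElamDriverLoadPolicy {
    # When the policy is not configured, Windows behaves as for value 3.
    $configured = $false
    $value      = 3

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $configured = $true
        $value      = [int]$item.$valueName
    }

    if (-not $policies.ContainsKey($value)) {
        throw "Unexpected $valueName value: $value"
    }
    $allowed = $policies[$value]

    [pscustomobject]@{
        PolicyConfigured       = $configured
        DriverLoadPolicy       = $value
        InitializedDriverTypes = $allowed -join ', '
        # A driver reported to Windows as unknown loads only if this is true.
        UnknownDriversLoad     = $allowed -contains 'Unknown'
        BadCriticalDriversLoad = $allowed -contains 'Bad but critical'
        BadDriversLoad         = $allowed -contains 'Bad'
    }
}

Get-ElamDriverLoadPolicy | Format-List
```

If `UnknownDriversLoad` is false (value 8), a driver that is reported to Windows as unknown is still not initialized at startup.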
Table: Managing ELAM detections

| Task | Description |
|---|---|
| View the status of ELAM on your client computers | You can see whether Symantec Endpoint Protection ELAM is enabled in the Computer Status log. See Viewing logs. |
| View ELAM detections | You can view early launch anti-malware detections in the Risk log. When Symantec Endpoint Protection ELAM is configured to report detections of bad or bad critical drivers as unknown to Windows, Symantec Endpoint Protection logs the detections as Log only. By default, Windows ELAM allows unknown drivers to load. See Viewing logs. |
| Enable or disable ELAM | You might want to disable Symantec Endpoint Protection ELAM to help improve computer performance. See Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options. |
| Adjust ELAM detection settings if you get false positives | The Symantec Endpoint Protection ELAM settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. You might want to select the override option if you get false positive detections that block an important driver. If you block an important driver, you might prevent client computers from starting up. See Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options. |
| Run the Power Eraser tool on ELAM detections that Symantec Endpoint Protection cannot remediate | In some cases, an ELAM detection requires the Symantec Power Eraser tool that is part of the Symantec Help tool. See Troubleshooting computer issues with the Symantec Help support tool. |
Legacy ID
v71631870_v81626096