Managing early launch anti-malware (ELAM) detections

Article: HOWTO81107  |  Created: 2012-10-24  |  Updated: 2013-10-07  |  Article URL http://www.symantec.com/docs/HOWTO81107
Article Type: How To


Early launch anti-malware (ELAM) protects the computers in your network while they start up, before third-party drivers initialize. Malicious software can load as a driver, and rootkits can take hold before the operating system finishes loading and Symantec Endpoint Protection starts. Rootkits that load this early can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup, while Windows is still deciding which boot-start drivers to load.

Symantec Endpoint Protection provides an ELAM driver that works with the Windows ELAM mechanism to provide this protection. Windows ELAM must be enabled for the Symantec ELAM driver to have any effect: Windows loads the Symantec driver early, asks it to classify each boot-start driver as good, bad, bad but critical, or unknown, and then applies its own boot-start driver initialization policy to decide which classifications are allowed to load.

You use the Windows Group Policy editor to view and modify the Windows ELAM settings (Computer Configuration > Administrative Templates > System > Early Launch Antimalware > Boot-Start Driver Initialization Policy). See your Windows 8 documentation for more information.
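The following PowerShell script is an added example, not code from the Symantec article or from the product. It checks the Windows side of ELAM that the Symantec driver depends on: the boot-start driver initialization policy that Group Policy writes to the registry, and whether an ELAM driver is registered as a boot-start service in the Early-Launch load order group. The service name SymELAM is an assumption used for illustration; substitute the name your Symantec Endpoint Protection build registers.

```powershell
# Added example (not from the Symantec article or product): inspect the Windows
# side of ELAM, which the Symantec ELAM driver depends on.
#
# Group Policy "Boot-Start Driver Initialization Policy" (Computer Configuration
# > Administrative Templates > System > Early Launch Antimalware) stores its
# choice in the DriverLoadPolicy value below. If the value is absent, Windows
# uses its default of "Good, unknown and bad but critical".
$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$PolicyNames = @{
    1 = 'Good only'
    3 = 'Good and unknown'
    7 = 'All (every boot-start driver loads; ELAM verdicts are ignored)'
    8 = 'Good, unknown and bad but critical'
}

function Get-ElamLoadPolicy {
    $item = Get-ItemProperty -Path $PolicyKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value  = $null
            Policy = 'Not configured (Windows default: Good, unknown and bad but critical)'
        }
    }
    $v = [int]$item.DriverLoadPolicy
    $name = if ($PolicyNames.ContainsKey($v)) { $PolicyNames[$v] } else { "Unrecognized value $v" }
    [pscustomobject]@{ Value = $v; Policy = $name }
}

# ELAM drivers are registered as boot-start services (Start = 0) in the
# 'Early-Launch' load order group. The service name 'SymELAM' is an assumption
# for illustration; substitute the name your Symantec Endpoint Protection
# build registers.
function Get-ElamDriverRegistration {
    param([string]$ServiceName = 'SymELAM')
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{
            Service    = $ServiceName
            Registered = $false
            BootStart  = $false
            EarlyLaunchGroup = $false
            ImagePath  = $null
        }
    }
    [pscustomobject]@{
        Service    = $ServiceName
        Registered = $true
        BootStart  = ($svc.Start -eq 0)
        EarlyLaunchGroup = ($svc.Group -eq 'Early-Launch')
        ImagePath  = $svc.ImagePath
    }
}

Get-ElamLoadPolicy | Format-List
Get-ElamDriverRegistration | Format-List
```

Read the two results together. A registered boot-start driver in the Early-Launch group with a policy of "Good, unknown and bad but critical" is the normal state; a policy of "All" means Windows loads every boot-start driver regardless of the Symantec driver's verdict, so ELAM detections are logged but never enforced. A policy of "Good only" is the only setting that refuses drivers the Symantec driver reports as unknown, and it also refuses any driver the Symantec driver does not recognize, so test it before deploying it broadly.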

Table: Managing ELAM detections

Task: View the status of ELAM on your client computers
Description: You can see whether Symantec Endpoint Protection ELAM is enabled in the Computer Status log.
See Viewing logs.

Task: View ELAM detections
Description: You can view early launch anti-malware detections in the Risk log.
When Symantec Endpoint Protection ELAM is configured to report detections of bad or bad critical drivers as unknown to Windows, Symantec Endpoint Protection logs the detections as Log only. By default, Windows ELAM allows unknown drivers to load, so with this setting a detected driver still loads and the Risk log entry is the only record that it was flagged.
See Viewing logs.

Task: Enable or disable ELAM
Description: You might want to disable Symantec Endpoint Protection ELAM to help improve computer performance. Note that disabling it removes the only check that runs before third-party boot-start drivers initialize, so rootkits that load at that stage are left to the regular scans, which they can sometimes evade.
See Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options.
See Adjusting scans to improve computer performance.

Task: Adjust ELAM detection settings if you get false positives
Description: The Symantec Endpoint Protection ELAM settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are drivers that are identified as malware but are required for computer startup. You might want to select the override option if you get false positive detections that block an important driver. If you block an important driver, client computers might fail to start.
Note: ELAM does not support an exception for an individual driver. The override option applies globally to all ELAM detections, so while it is selected no driver that Symantec Endpoint Protection ELAM classifies as bad or bad critical is reported to Windows as bad.
See Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options.

Task: Run the Power Eraser tool on ELAM detections that Symantec Endpoint Protection cannot remediate
Description: In some cases, an ELAM detection requires the Symantec Power Eraser tool that is part of the Symantec Help tool.
See Troubleshooting computer issues with the Symantec Help support tool.


Legacy ID: v71631870_v81626096