Managing early launch anti-malware (ELAM) detections
Article: HOWTO81107 | Created: 2012-10-24 | Updated: 2014-09-21 | Article URL: http://www.symantec.com/docs/HOWTO81107
Early launch anti-malware (ELAM) protects the computers in your network while they start up, before third-party drivers initialize. Malicious software can load as a driver, and rootkits can attack, before the operating system has completely loaded and Symantec Endpoint Protection has started. Rootkits can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup.
ELAM is only supported on Microsoft Windows 8 and Windows Server 2012.
Symantec Endpoint Protection provides an ELAM driver that works with the Windows ELAM driver to provide the protection. The Windows ELAM driver must be enabled for the Symantec ELAM driver to have any effect.
You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
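As an added example that is not part of this article or of Symantec's product, the following PowerShell, run elevated on a Windows 8 or Windows Server 2012 client, reads the Windows ELAM policy that the Group Policy editor sets ("Boot-Start Driver Initialization Policy", stored as the DriverLoadPolicy value) and lists the boot-start drivers registered in the Early-Launch load order group. The registry path and value meanings follow Microsoft's documentation; treating Early-Launch group membership as the marker of an installed ELAM driver is an assumption.

```powershell
# Added example (not Symantec's code): audit whether Windows ELAM is in a state
# where a vendor ELAM driver's verdicts have any effect.
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$PolicyName = 'DriverLoadPolicy'

# Documented meanings of the DriverLoadPolicy DWORD.
$Meanings = @{
    1 = 'Good only'
    3 = 'Good and unknown'
    8 = 'Good, unknown and bad but critical'
    7 = 'All (bad drivers may initialize; ELAM verdicts have no effect)'
}

function Get-ElamDriverLoadPolicy {
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # "Not Configured" behaves like 8: bad drivers are skipped, unknown ones load.
        return [pscustomobject]@{
            Value     = $null
            Meaning   = 'Not configured (default: Good, unknown and bad but critical)'
            BlocksBad = $true
        }
    }
    $v = [int]$item.$PolicyName
    $m = if ($Meanings.ContainsKey($v)) { $Meanings[$v] } else { "Unrecognized value $v" }
    [pscustomobject]@{ Value = $v; Meaning = $m; BlocksBad = ($v -ne 7) }
}

function Get-EarlyLaunchDrivers {
    # Assumption: ELAM drivers are boot-start (Start = 0) services in the
    # Early-Launch load order group.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p.Group -eq 'Early-Launch' -and $p.Start -eq 0) {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $p.ImagePath }
        }
    }
}

$policy = Get-ElamDriverLoadPolicy
$label  = if ($null -eq $policy.Value) { 'absent' } else { $policy.Value }
Write-Output "DriverLoadPolicy: $label -> $($policy.Meaning)"
if (-not $policy.BlocksBad) {
    Write-Warning 'Windows ELAM lets bad drivers start; vendor ELAM detections will not block anything.'
}
$drivers = @(Get-EarlyLaunchDrivers)
if ($drivers.Count -eq 0) {
    Write-Warning 'No boot-start driver in the Early-Launch group; no ELAM driver appears to be registered.'
} else {
    $drivers | Format-Table -AutoSize
}
```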
Table: Managing ELAM detections

Task: View the status of ELAM on your client computers
  You can see whether Symantec Endpoint Protection ELAM is enabled in the Computer Status log.
  See Viewing logs.

Task: View ELAM detections
  You can view early launch anti-malware detections in the Risk log.
  When Symantec Endpoint Protection ELAM is configured to report detections of bad or bad critical drivers as unknown to Windows, Symantec Endpoint Protection logs the detections as Log only. By default, Windows ELAM allows unknown drivers to load.
  See Viewing logs.

Task: Enable or disable ELAM
  You might want to disable Symantec Endpoint Protection ELAM to help improve computer performance.

Task: Adjust ELAM detection settings if you get false positives
  The Symantec Endpoint Protection ELAM settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. You might want to select the override option if you get false positive detections that block an important driver. If you block an important driver, you might prevent client computers from starting up.

Task: Run Power Eraser on ELAM detections that Symantec Endpoint Protection cannot remediate
  In some cases, an ELAM detection requires Power Eraser. In those cases, a message appears in the log suggesting that you run Power Eraser. You can run Power Eraser from the console. Power Eraser is also part of the Symantec Help tool. You should run Power Eraser in rootkit mode.