Windows 8 ELAM: too late, too little!

Abhijit P. Kulkarni, Quick Heal Technologies
Prakash D. Jagdale, Quick Heal Technologies


Microsoft Windows 8 has introduced a feature called the Early Launch Anti-Malware (ELAM) driver. The ELAM driver starts before other boot-start drivers, as a result of which it can evaluate other boot-start drivers and help the kernel decide whether they should be loaded. According to Microsoft, ELAM provides a way for anti-malware to detect and deal with early boot threats.

Finally, Microsoft has granted a wish made by the anti-malware industry a long time ago. But this is too little, too late considering the current threat landscape and the sophisticated techniques employed by malware. Following Microsoft's guidelines on ELAM and fighting today's rootkit threats is like fighting at the warfront with both hands tied. The paper will discuss the restrictions in ELAM and the challenges in making use of it.

Looking at what Microsoft has come up with and the way it expects anti-malware to make use of it, we will have to see whether anti-malware vendors can really make effective use of it. The paper will discuss ways of using ELAM to tackle early boot malware.

Going forward, does ELAM have a good future and, if so, what needs to be done to make it more effective? The paper will discuss the features that could be added in future versions of ELAM in order to make it really beneficial to anti-malware vendors.

