Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options

Symantec Endpoint Protection provides an ELAM driver that works with the Microsoft ELAM driver to provide protection for the computers in your network when they start up. The settings are supported as of Microsoft Windows 8 and Windows Server 2012.
The Symantec Endpoint Protection ELAM driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Symantec Endpoint Protection driver then passes the information to Windows, which decides whether to allow or block the detected driver.
You cannot create exceptions for individual ELAM detections; however, you can create a global exception to log all bad drivers as unknown. By default, unknown drivers are allowed to load.
For some ELAM detections that require remediation, you might be required to run Power Eraser. Power Eraser is part of the Symantec Help tool.
Auto-Protect scans any driver that loads.
To adjust the Symantec Endpoint Protection ELAM options
  1. In the Symantec Endpoint Protection Manager console, on the tab, open a Virus and Spyware Protection policy.
  2. Under Protection Technologies, select Early Launch Anti-Malware Driver.
  3. Check or uncheck Enable Symantec early launch anti-malware.
    The Windows ELAM driver must be enabled for this option to be enabled. You use the Windows Group Policy editor or the registry editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
  4. If you want to log the detections only, under Detection Settings, select Log the detection as unknown so that Windows allows the driver to load.
  5. Click
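
The step that enables the Symantec ELAM driver refers to the Windows ELAM settings in the registry. The following PowerShell is an added example, not Symantec or Microsoft code. It reads the Windows boot-start driver policy and shows which driver classifications Windows would load, which matters because a detection logged as unknown still depends on Windows allowing unknown drivers. It assumes the registry path and values from Microsoft's "Boot-Start Driver Initialization Policy" documentation, including the "bad but critical" class that this page does not mention.

```powershell
# Added example: report the Windows ELAM boot-start driver policy on this machine.
# Assumption: path and values follow Microsoft's Boot-Start Driver Initialization Policy.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'

# DriverLoadPolicy value -> driver classifications Windows allows to initialize
$policies = @{
    8 = @{ Name = 'Good only';                          Allows = @('good') }
    1 = @{ Name = 'Good and unknown';                   Allows = @('good', 'unknown') }
    3 = @{ Name = 'Good, unknown and bad but critical'; Allows = @('good', 'unknown', 'bad-critical') }
    7 = @{ Name = 'All';                                Allows = @('good', 'unknown', 'bad-critical', 'bad') }
}

function Get-ElamDriverLoadPolicy {
    # When the value is not configured, Windows uses policy 3 (the default).
    $item = Get-ItemProperty -Path $key -Name DriverLoadPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.DriverLoadPolicy
}

function Test-ElamOutcome {
    param([int]$Policy)
    $p = $policies[$Policy]
    if ($null -eq $p) { throw "Unrecognized DriverLoadPolicy value: $Policy" }
    # One row per classification the ELAM driver can report to Windows.
    foreach ($class in 'good', 'unknown', 'bad-critical', 'bad') {
        [pscustomobject]@{
            Policy         = $p.Name
            Classification = $class
            WindowsAction  = if ($p.Allows -contains $class) { 'load' } else { 'block' }
        }
    }
}

$policy = Get-ElamDriverLoadPolicy
Test-ElamOutcome -Policy $policy | Format-Table -AutoSize

# With "Good only", a detection logged as unknown is still blocked by Windows.
if ($policies[$policy].Allows -notcontains 'unknown') {
    Write-Warning 'Unknown drivers are blocked; detections logged as unknown will not load.'
}
```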