Adjusting the Symantec Endpoint Protection early launch anti-malware (ELAM) options
Symantec Endpoint Protection provides an ELAM driver that works with the Microsoft ELAM driver to provide protection for the computers in your network when they start up. The settings are supported as of Microsoft Windows 8 and Windows Server 2012.
The Symantec Endpoint Protection ELAM driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Symantec Endpoint Protection driver then passes the information to Windows, which decides whether to allow or block the detected driver.
You cannot create exceptions for individual ELAM detections; however, you can create a global exception to log all bad drivers as unknown. By default, unknown drivers are allowed to load.
For some ELAM detections that require remediation, you might be required to run Power Eraser. Power Eraser is part of the Symantec Help tool.
Auto-Protect scans any driver that loads.
To adjust the Symantec Endpoint Protection ELAM options:
- In the Symantec Endpoint Protection Manager console, on the Policies tab, open a Virus and Spyware Protection policy.
- Under Protection Technologies, select Early Launch Anti-Malware Driver.
- Check or uncheck Enable Symantec early launch anti-malware. The Windows ELAM driver must be enabled for this option to be enabled. You use the Windows Group Policy editor or the registry editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
- If you want to log the detections only, under Detection Settings, select Log the detection as unknown so that Windows allows the driver to load.
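The following read-only PowerShell audit is an added example, not part of the Symantec documentation. It shows how the Windows side of the good/bad/unknown decision can be checked on a client before you change the policy above. It assumes the registry location and value meanings of the Windows "Boot-Start Driver Initialization Policy" and the `Early-Launch` load-order group that Microsoft documents for ELAM drivers; the function names are hypothetical.

```powershell
# Added example: read-only audit of the Windows ELAM configuration.
# Assumption: paths and values follow Microsoft's documentation for the
# "Boot-Start Driver Initialization Policy"; they do not come from this page.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Which driver classifications Windows initializes for each DriverLoadPolicy value.
$policyNames = @{
    8 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown, and bad but boot-critical'
    7 = 'All, including bad'
}

function Get-ElamLoadPolicy {
    $value = (Get-ItemProperty -Path $policyKey -Name DriverLoadPolicy `
              -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $value) {
        # Value absent: policy not configured, Windows behaves as for value 3.
        return [pscustomobject]@{ Value = $null; Configured = $false; Meaning = $policyNames[3] }
    }
    $meaning = $policyNames[[int]$value]
    if (-not $meaning) { $meaning = 'Unrecognized value, review manually' }
    [pscustomobject]@{ Value = $value; Configured = $true; Meaning = $meaning }
}

function Get-ElamDriver {
    # ELAM drivers register in the Early-Launch group and must be boot-start (Start = 0).
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.Group -eq 'Early-Launch') {
            [pscustomobject]@{
                Name      = $_.PSChildName
                BootStart = ($p.Start -eq 0)
                ImagePath = $p.ImagePath
            }
        }
    }
}

$policy  = Get-ElamLoadPolicy
$drivers = @(Get-ElamDriver)
"Drivers Windows initializes: $($policy.Meaning) (policy configured: $($policy.Configured))"
if ($drivers.Count -eq 0) { Write-Warning 'No driver is registered in the Early-Launch group.' }
else { $drivers | Format-Table -AutoSize }
if ($drivers | Where-Object { -not $_.BootStart }) {
    Write-Warning 'An Early-Launch driver is not boot-start and will not run as ELAM.'
}
if ($policy.Value -eq 7) {
    Write-Warning 'Windows initializes drivers classified as bad; ELAM detections will not block them.'
}
```

Run it from an elevated prompt on a client; it only reads the registry and changes nothing.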