Managing early launch anti-malware (ELAM) detections

Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. Malicious software can load as a driver, or rootkits might attack, before the operating system completely loads and Symantec Endpoint Protection starts. Rootkits can sometimes hide themselves from virus and spyware scans. Early launch anti-malware detects these rootkits and bad drivers at startup.

ELAM is only supported on Microsoft Windows 8 or later, and Windows Server 2012 or later.

Symantec Endpoint Protection provides an ELAM driver that works with the Windows ELAM driver to provide the protection. The Windows ELAM driver must be enabled for the Symantec ELAM driver to have any effect.

You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
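The following PowerShell script is an added example, not part of the Symantec documentation: it reports the Windows "Boot-Start Driver Initialization Policy" value that decides which ELAM classifications are allowed to load, and lists the boot-start drivers registered in the Early-Launch load-order group. It assumes an elevated session on Windows 8 / Server 2012 or later and reads only standard Windows registry locations.

```powershell
# Added example (not Symantec code): inspect the Windows ELAM load policy and
# the drivers registered in the Early-Launch group. Run elevated.

# Group Policy "Boot-Start Driver Initialization Policy" writes this value.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'

# Meaning of each DriverLoadPolicy value (bitmask: 1 = unknown, 2 = bad but
# critical, 4 = bad; "Good" drivers always load).
$meaning = @{
    0 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown and bad but critical (Windows default when not configured)'
    7 = 'All (ELAM classifications are ignored)'
}

$item = Get-ItemProperty -Path $policyKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output 'DriverLoadPolicy is not configured; Windows applies its default (3).'
    $policy = 3
} else {
    $policy = [int]$item.DriverLoadPolicy
}

$label = if ($meaning.ContainsKey($policy)) { $meaning[$policy] } else { 'unrecognized value' }
Write-Output ("DriverLoadPolicy = {0}: {1}" -f $policy, $label)

if ($policy -eq 7) {
    # With "All", every boot-start driver loads regardless of the ELAM verdict,
    # so the Symantec ELAM driver's detections cannot block anything.
    Write-Warning 'Policy 7 loads all drivers; ELAM blocking is effectively disabled.'
}

# ELAM drivers are boot-start services (Start = 0) in the Early-Launch group.
Write-Output 'Drivers registered in the Early-Launch group:'
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.Group -eq 'Early-Launch' } |
    Select-Object -Property PSChildName, Start, ImagePath |
    Format-Table -AutoSize
```

If the Early-Launch group lists no Symantec driver, or the policy is set to 7, the Symantec ELAM detections described below cannot take effect at boot.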
Managing ELAM detections

Task: View the status of ELAM on your client computers
Description: You can see whether Symantec Endpoint Protection ELAM is enabled in the Computer Status log. See:

Task: View ELAM detections
Description: You can view early launch anti-malware detections in the Risk log. When Symantec Endpoint Protection ELAM is configured to report detections of bad or bad critical drivers as unknown to Windows, Symantec Endpoint Protection logs the detections as Log only. By default, Windows ELAM allows unknown drivers to load.

Task: Enable or disable ELAM
Description: You might want to disable Symantec Endpoint Protection ELAM to help improve computer performance. See:

Task: Adjust ELAM detection settings if you get false positives
Description: The Symantec Endpoint Protection ELAM settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. You might want to select the override option if you get false positive detections that block an important driver. If you block an important driver, you might prevent client computers from starting up.
ELAM does not support a specific exception for an individual driver. The override option applies globally to ELAM detections.
For more information, see:

Task: Run Power Eraser on ELAM detections that Symantec Endpoint Protection cannot remediate
Description: In some cases, an ELAM detection requires Power Eraser. In those cases, a message appears in the log suggesting that you run Power Eraser. You can run Power Eraser from the console. Power Eraser is also part of the Symantec Help tool. You should run Power Eraser in rootkit mode. See: