Anti-malware vendors face the uphill task of tackling thousands of new malware samples every day. One of their biggest challenges is malware that loads early in the boot process. Malware has become sophisticated enough to take control of the system during boot, before the anti-malware product is even loaded. Once such malware is running, it can disable or bypass the anti-malware protection that loads after it, and cleaning it from a live system becomes very difficult, because the scanner is running on a platform the malware already controls.
After many requests and suggestions from anti-malware vendors, Microsoft finally decided to do something about it. Windows 8 will hit the shelves in October. To tackle early-boot malware, Windows 8 introduces Early Launch Anti-Malware (ELAM). An ELAM driver is a boot-start driver, signed with a dedicated Microsoft ELAM certificate, that the kernel loads and initializes before any other boot-start driver. It registers a callback, and the kernel invokes that callback for every subsequent boot-start driver before that driver is initialized; the ELAM driver classifies each image as known good, known bad, or unknown, and the kernel applies the configured boot-start driver initialization policy to decide whether the driver loads. This gives anti-malware solutions a chance to take control at a much earlier stage. Together with other boot-related enhancements in Windows 8 (UEFI Secure Boot and Measured Boot, which protect the chain from firmware up to the kernel that loads ELAM), this is intended to stop malicious code from hijacking the boot process and compromising the system before the operating system starts. It is a significant countermeasure against rootkits and bootkits that load at boot time.
Although this move by Microsoft came a little late as far as the current threat landscape is concerned, anti-malware vendors all over the world welcomed the introduction of ELAM. We at Quick Heal pounced on ELAM and started developing our ELAM-based solution, to be released with Quick Heal's 2013 range of products. We studied the ELAM guidelines published by Microsoft and worked on a solution that makes the best use of this opportunity. However, our experience with ELAM tells us that even though it is a good step by Microsoft towards a critical problem, it is not enough on its own. It still needs considerable improvement before it can handle the most advanced rootkits and boot-sector malware (bootkits).
Some of the limitations we observed in Windows 8 ELAM make it hard to fight the very malware it targets. An ELAM driver can only classify each boot-start driver using the data the kernel hands it, essentially the image hash and the registry (service) path, so detection is limited to checksum-based or path-based matching. It has no access to the file system, so it cannot scan the driver image itself, follow the driver's dependencies, or inspect any other file on disk; a repacked sample with a new hash and a new service name is simply "unknown" to it. Given the constraints Microsoft has in providing a feature at this point in the boot sequence, the limitations are understandable. At the same time these issues need to be highlighted, and Microsoft needs to work towards overcoming them in future versions. There are many more limitations than these. To know more about all of them, and about the enhancements we propose, Mr. Abhijit Kulkarni and Mr. Prakash Jagdale will be presenting a paper titled "Windows 8 ELAM: Too late, too little!" at the VB2012 conference in Dallas, USA on 28th September 2012.
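To make the callback contract and the hash/path limitation concrete, here is an added example, written for this post and not code from Quick Heal's product or from Microsoft. It is a user-mode model of what an ELAM driver is given per boot-start driver (image hash, registry path, boot-critical flag) and what it may answer (a classification), followed by the four load-policy settings Windows exposes. The classification names mirror the WDK enum; the image struct, the "signature store", the hashes (generated from a seed rather than real SHA-256 digests) and the sample service paths are all constructed stand-ins so the code compiles without the WDK.

```c
/* Added example (not Quick Heal's or Microsoft's code): a user-mode model of
 * the Windows 8 ELAM boot-driver callback contract. A real ELAM driver
 * registers a callback with IoRegisterBootDriverCallback(); for each
 * boot-start driver the kernel passes image information (hash, hash
 * algorithm, registry path, signer) and expects a BDCB_CLASSIFICATION back.
 * Everything below except the classification names is a simplified stand-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    BdCbClassificationUnknownImage = 0,
    BdCbClassificationKnownGoodImage,
    BdCbClassificationKnownBadImage,
    BdCbClassificationKnownBadImageBootCritical
} BDCB_CLASSIFICATION;

/* Simplified stand-in for the per-image information the kernel provides. */
typedef struct {
    const char *registry_path;   /* service key the loader starts the driver from */
    uint8_t     image_hash[32];  /* hash of the image file, computed by the loader */
    int         boot_critical;   /* 1 if Windows cannot boot without this driver */
} IMAGE_INFO;

/* Constructed hashes: a real store holds SHA-256 digests of actual driver
 * files; here a 32-byte pattern is derived from a seed byte instead. */
static void fill_hash(uint8_t out[32], uint8_t seed)
{
    for (int i = 0; i < 32; i++)
        out[i] = (uint8_t)(seed ^ (i * 7));
}

/* The whole "signature database" an ELAM driver can act on: image hashes and
 * service paths. No file-system access, so no scanning of the image body. */
static uint8_t KNOWN_BAD_HASH[32];
static uint8_t KNOWN_GOOD_HASH[32];
static const char *BLOCKED_PATH_SUFFIXES[] = { "\\Services\\evilrk", NULL };

static void elam_init_signatures(void)
{
    fill_hash(KNOWN_BAD_HASH, 0xBD);   /* constructed: "rootkit v1" image */
    fill_hash(KNOWN_GOOD_HASH, 0x60);  /* constructed: a known-good driver */
}

/* Model of the ELAM callback for one boot-start driver. */
BDCB_CLASSIFICATION elam_classify(const IMAGE_INFO *img)
{
    elam_init_signatures();
    BDCB_CLASSIFICATION bad = img->boot_critical
        ? BdCbClassificationKnownBadImageBootCritical
        : BdCbClassificationKnownBadImage;

    if (memcmp(img->image_hash, KNOWN_BAD_HASH, 32) == 0)
        return bad;                                   /* checksum-based hit */
    for (const char **p = BLOCKED_PATH_SUFFIXES; *p; p++) {
        size_t plen = strlen(*p), rlen = strlen(img->registry_path);
        if (rlen >= plen && strcmp(img->registry_path + rlen - plen, *p) == 0)
            return bad;                               /* path-based hit */
    }
    if (memcmp(img->image_hash, KNOWN_GOOD_HASH, 32) == 0)
        return BdCbClassificationKnownGoodImage;
    return BdCbClassificationUnknownImage;            /* not in either list */
}

/* Boot-start driver initialization policy: the four settings Windows exposes
 * (registry encoding deliberately omitted here). */
typedef enum { POLICY_GOOD_ONLY, POLICY_GOOD_UNKNOWN,
               POLICY_GOOD_UNKNOWN_BAD_CRITICAL /* Windows default */,
               POLICY_ALL } LOAD_POLICY;

int policy_allows(LOAD_POLICY policy, BDCB_CLASSIFICATION c)
{
    switch (policy) {
    case POLICY_GOOD_ONLY:
        return c == BdCbClassificationKnownGoodImage;
    case POLICY_GOOD_UNKNOWN:
        return c == BdCbClassificationKnownGoodImage ||
               c == BdCbClassificationUnknownImage;
    case POLICY_GOOD_UNKNOWN_BAD_CRITICAL:
        return c != BdCbClassificationKnownBadImage;
    case POLICY_ALL:
        return 1;
    }
    return 0;
}

/* Constructed sample drivers: 0 = rootkit whose hash is in the bad list;
 * 1 = same rootkit repacked (new hash) but still registered as "evilrk";
 * 2 = repacked and re-registered under a new service name. */
const IMAGE_INFO *sample_driver(int which)
{
    static IMAGE_INFO s[3];
    const char *svc = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\";
    static char path[3][128];
    snprintf(path[0], sizeof path[0], "%s%s", svc, "evilrk");
    snprintf(path[1], sizeof path[1], "%s%s", svc, "evilrk");
    snprintf(path[2], sizeof path[2], "%s%s", svc, "netflt");
    for (int i = 0; i < 3; i++) { s[i].registry_path = path[i]; s[i].boot_critical = 0; }
    fill_hash(s[0].image_hash, 0xBD);
    fill_hash(s[1].image_hash, 0x42);
    fill_hash(s[2].image_hash, 0x42);
    return &s[which];
}

int main(void)
{
    static const char *names[] = { "Unknown", "KnownGood", "KnownBad", "KnownBadBootCritical" };
    for (int i = 0; i < 3; i++) {
        BDCB_CLASSIFICATION c = elam_classify(sample_driver(i));
        printf("%s -> %s; default policy loads it: %s\n", sample_driver(i)->registry_path,
               names[c], policy_allows(POLICY_GOOD_UNKNOWN_BAD_CRITICAL, c) ? "yes" : "no");
    }
    return 0;
}
```

Sample 0 is caught by its hash and sample 1 by its service path, but sample 2, the same malicious code with a new hash and a new service name, comes back as unknown, and under the default policy unknown drivers are allowed to load. That is the gap the paper discusses: with no file-system access the ELAM driver cannot look inside the image to recognise the repacked rootkit, so evasion costs the attacker only a rebuild and a rename.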
Here’s the link to the abstract of the paper:
Here’s the link to the conference programme: