Will Windows 8 “ELAM” be the David for “Malware” Goliath?

AntiMalware vendors have the uphill task of tackling thousands of malware on a daily basis. One of the top challenges that AntiMalware vendors face is handling early boot malwares. Sophistication of malware has reached such a level that they take control of the system early in the boot process. This is at a stage when the AntiMalware is not even loaded. Once the malware takes control, it overrides the AntiMalware protection. Cleaning the malware from such a system then becomes a big challenge.

After lots of requests and suggestions from AntiMalware vendors to Microsoft, the software giant finally decided to do something about it. Microsoft’s Windows 8 will hit the shelves in October. To tackle such early boot malwares in Windows 8, Microsoft has introduced a feature called Early Launch Anti-Malware (ELAM) driver. The ELAM driver is the first driver that is loaded and initialized by the Windows kernel. Hence it gets a chance to evaluate all the drivers loaded during the boot process. This will give AntiMalware solutions a chance to take control of the situation at a nascent stage. This, along with some other boot-related enhancements, will eventually block the malicious code from hijacking the boot process and compromising the system even before the operating system starts. This move is going to be the most important countermeasure impacting rootkits and malware that load at boot time.

Although this move by Microsoft came a tad bit late where the current threat scenario is concerned, AntiMalware vendors all over the world were delighted with the introduction of ELAM. We at Quick Heal pounced on ELAM and started developing our ELAM based solution to be released with Quick Heal’s 2013 range of products. We studied the ELAM guidelines published by Microsoft and worked on the solution that will make the best use of this opportunity provided by Microsoft. However, our experience with ELAM tells us that even though it’s a good step by Microsoft towards the critical problem, it is not enough to tackle the situation. It still needs a lot of improvements to take it to a level where it can be really useful to handle the most advanced rootkits and boot sector malwares.

Some of the limitations that we observed with Windows 8 ELAM and which make it difficult to fight the malware it targets include checksum-based or path-based detections only or no access to file systems. Looking at the constraints that Microsoft may have in providing ELAM feature, we can understand the limitations of this system. At the same time these issues need to be highlighted and Microsoft needs to work towards overcoming these limitations in their future version. There are many more limitations to this. To know more about all these limitations and enhancements, Mr. Abhijit Kulkarni and Mr. Prakash Jagdale will be presenting a paper titled “Windows 8 ELAM: Too late, too little!” at VB2012 conference in Dallas, USA on 28th September 2012.

Here’s the link to the abstract of the paper:

Here’s the link to the conference programme:

Rahul Thadani

Rahul Thadani


Your email address will not be published.


  1. Thanks rahul for the important information of ELAM with Windows8

  2. Avatar Onil S SonawaniSeptember 27, 2012 at 10:50 AM


    Windows 8 introduces a new feature called Secure Boot, which protects the Windows boot configuration and components, and loads an Early Launch Anti-malware (ELAM) driver. This driver starts before other boot-start drivers and enables the evaluation of those drivers and helps the Windows kernel decide whether they should be initialized.

    Now pre-approved antimalware software always gets loaded ahead of the malicious programs, which improves the chances of detection and removal.

    Early Launch Antimalware Whitepaper can be accessed from below link.


  3. Thanx Mr.Rahul for the proper info of new technique ELAM developed by Microsoft.