
Utilize Windows 8 ELAM to secure the boot process, detect rootkits

Expert Michael Cobb details how the Windows 8 ELAM feature can detect rootkits and other malicious drivers and help secure the Windows boot process.

Can you describe how Microsoft's new Windows 8 ELAM mechanism works? Should our security team consider it a legitimate reason to push for Windows 8 adoption in our organization?

In recent years, attackers have attempted to thwart anti-malware software by creating malicious drivers and rootkits that load themselves when a machine is first switched on, so that they are already running before any anti-malware or antivirus (AV) software has had a chance to start. This lets the malicious program hide itself from detection or even prevent AV drivers from loading, leaving the machine at the mercy of the attacker. Until the launch of Windows 8, there was no easy and stable way for AV vendors to detect and resolve these rootkits and other early boot threats.

To combat this problem and help secure the boot process, Windows 8 and Windows Server 2012 include a new feature called Early Launch Anti-Malware (ELAM), which is the first software driver to be loaded into the Windows 8 operating system (OS). As it is initialized before any other boot-start drivers and third-party components, it can evaluate subsequent drivers before they are loaded. ELAM prevents a driver from loading or initializing if the driver has been altered, is unknown or contains malware.

A system administrator can view and modify the associated boot-start driver initialization policy using Group Policy editor. By default, the policy initializes known good and unknown drivers, but will not initialize known bad drivers. If an enterprise needs to run legacy drivers, the policy can be updated so that the ELAM driver knows which other drivers are critical to a particular boot process.

Windows Defender, Microsoft's pre-installed AV program, takes advantage of the ELAM technology, and other antivirus vendors are integrating ELAM's capabilities into their own software. ELAM drivers must pass a set of certification tests to verify performance and other behavior, after which Microsoft signs them so that the Windows kernel can start them. Only vendors who are active in the anti-malware community and are members of the MVI (formerly Microsoft Virus Initiative) can participate in the Microsoft Anti-malware Vendor Participation Program and apply to have their drivers signed.

ELAM is part of Microsoft's new Secure Boot feature, which is designed to block malicious code from hijacking the Windows 8 boot process and compromising a machine before the OS even starts. Secure Boot takes advantage of the Unified Extensible Firmware Interface (UEFI), which is a replacement for the aging BIOS (Basic Input/Output System) firmware interface. UEFI works quite differently from traditional BIOS and has a firmware policy engine that is in charge of loading the OS loader and all necessary drivers. Secure Boot ensures UEFI loads only firmware that has been signed with an acceptable digital signature. This security check prevents an unsigned boot loader, such as a bootkit, from loading. ELAM then ensures that only known, digitally signed anti-malware programs can load right after Secure Boot finishes. These and other security enhancements in Windows 8 and Windows Server 2012 provide strong incentives for early adoption.
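The policy paragraph above and the Secure Boot description both lend themselves to a quick host audit. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the boot-start driver initialization policy that the Group Policy setting writes, lists the drivers registered to start in the early-launch phase, and reports the Secure Boot state. It assumes the policy is stored as the `DriverLoadPolicy` value under `HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch`, that ELAM drivers register with the `Early-Launch` load order group, and that the script runs elevated on a UEFI system (the `Confirm-SecureBootUEFI` cmdlet fails on legacy BIOS machines).

```powershell
# Added audit script (not from the original article). Assumptions are noted inline.

function Get-ElamDriverLoadPolicy {
    # Value written by the "Boot-Start Driver Initialization Policy" Group Policy setting
    # (assumed registry location). No value means the setting is not configured.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
    $value = (Get-ItemProperty -Path $key -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $value) {
        return [pscustomobject]@{ DriverLoadPolicy = $null; Meaning = 'Not configured (Windows default applies)'; AllowsKnownBad = $false }
    }
    $meaning = switch ($value) {
        0       { 'Good only' }
        1       { 'Good and unknown' }
        3       { 'Good, unknown and bad but critical' }
        7       { 'All drivers, including known bad' }
        default { "Unrecognised value $value" }
    }
    # Only the "All" setting lets a driver ELAM classified as bad initialise.
    [pscustomobject]@{ DriverLoadPolicy = $value; Meaning = $meaning; AllowsKnownBad = ($value -eq 7) }
}

function Get-ElamDrivers {
    # ELAM drivers are assumed to declare the "Early-Launch" load order group,
    # which is how the kernel knows to start them before other boot-start drivers.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.Group -eq 'Early-Launch' } |
        Select-Object @{ n = 'Service'; e = { $_.PSChildName } }, ImagePath, Start
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI needs elevation and throws on non-UEFI firmware.
    try { if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
    catch { 'Unavailable (legacy BIOS or insufficient privilege)' }
}

$policy = Get-ElamDriverLoadPolicy
Write-Output "Secure Boot:      $(Get-SecureBootState)"
Write-Output "ELAM load policy: $($policy.DriverLoadPolicy) - $($policy.Meaning)"
if ($policy.AllowsKnownBad) {
    Write-Warning 'Policy permits known-bad boot-start drivers to initialise; review before keeping it.'
}
Write-Output 'Drivers registered for early launch:'
Get-ElamDrivers | Format-Table -AutoSize
```

A host that reports Secure Boot disabled, a policy of 7, or no early-launch driver at all has lost one of the three protections the answer describes and is worth a closer look.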

This was last published in March 2013
