This section provides information about developing Early Launch Antimalware (ELAM) drivers for Windows operating systems. It provides guidelines for antimalware developers to develop drivers that are initialized before other boot-start drivers, and that ensure that subsequent drivers do not contain malware. It assumes that the reader is familiar with developing kernel-mode drivers, specifically boot-start drivers.
This information applies to the following operating systems:
The following topics describe the interface requirements for Early Launch Antimalware (ELAM) drivers. They are intended to provide information about ELAM driver interfaces. The ELAM feature provides a Microsoft-supported mechanism for antimalware (AM) software to start before other third-party components. AM drivers are initialized first and allowed to control the initialization of subsequent boot drivers, potentially not initializing unknown boot drivers. Once the boot process has initialized boot drivers and access to persistent storage is available in an efficient way, existing AM software may continue to block malware from executing.
Note
Because an ELAM service runs as a PPL (Protected Process Light), you need to debug using a kernel debugger.
See alsoProtecting Anti-Malware Services.
Additional resources Additional resources In this articleRetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.3