Early-launch Anti-malware (elam) And Bitdefender

Does Bitdefender support the Early-Launch Anti-Malware (ELAM) technology that is integrated in Windows 8? Where is it documented? I have not seen any information about this on the official Bitdefender website.

Comments

  • Hello :)


    Omer, we will talk about ELAM in the first week of December.


    I can't provide you further details right now because the information is not public, but it will be a surprise :)


    Wait for my post please.


    Thank you!

  • I'll be glad to hear about from you in the first week of this December hopefully.

  • Hi Omer :)


    Trust me, you will be the first one to know.


    I will make a post here when the information is public.


    Until then, please read this whitepaper from Microsoft:


    http://msdn.microsoft.com/library/windows/hardware/br259096


    Thank you!

  • Hi Omer :)


    I am back now with that surprise.


    After you finish reading that whitepaper from Microsoft, check out this announcement:


    http://forum.bitdefender.com/index.php?act...f=313&id=54


    Thank you!

  • coolcool1227, edited November 2012

    Hi


    Really excellent and awesome features and interface. I like it.


    Now I have some questions about ELAM:


    1) How do ELAM and Rescue Mode work together in Windows 8?


    2) Are the drivers loaded for malicious driver detection also used for taking action on the malicious drivers?


    3)


    a} What actions can be taken by Bitdefender's ELAM drivers?


    b} When will that action be taken, during boot time or later?


    c} Detection and taking action will take some time; will it affect the boot time?


    4) So can I say that now, using ELAM technology, Bitdefender can easily tackle complex rootkits, MBR infections, malware that can reside in the kernel, etc.?


    to be Continued ......

  • Hi Omer :)


    Let's see now:


    1. ELAM doesn't have anything in common with Rescue Mode; the latter is a Linux-based environment.


    2 & 3. The Early Launch Antimalware boot-start driver classifies the drivers as follows:


    Good: The driver has been signed and has not been tampered with.


    Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.


    Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.


    Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.


    No action is required from the user in this step. ELAM is a technology that can determine if a driver is loaded by a rootkit or not.


    4. ELAM has nothing to do with MBR. An unloaded driver will be automatically scanned to determine if it is malicious or not.


    Take care.
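    As an added illustration (not code from this thread or from Bitdefender), the PowerShell check below reads the policy that Windows 8 applies to the four classes listed above, works out which class gets initialized under it, and lists the drivers registered as ELAM drivers. The registry key and the policy values are Windows conventions; the assumption that a vendor's ELAM driver sits in the 'Early-Launch' load-order group is noted in the code.

```powershell
# Added example, not from the forum thread or Bitdefender: shows how Windows
# applies the Good / Bad / Bad-but-critical / Unknown classification.
# Run in an elevated PowerShell prompt on Windows 8 or later.

# Decide whether Windows initializes a driver with the given ELAM classification
# under a given DriverLoadPolicy (0 = Good only, 1 = Good and unknown,
# 3 = Good, unknown and bad-but-critical [the default], 7 = all drivers).
function Test-ElamLoadAllowed {
    param(
        [ValidateSet('Good','Unknown','BadButCritical','Bad')][string]$Classification,
        [int]$Policy = 3
    )
    switch ($Classification) {
        'Good'           { return $true }
        'Unknown'        { return $Policy -in 1,3,7 }
        'BadButCritical' { return $Policy -in 3,7 }
        'Bad'            { return $Policy -eq 7 }
    }
}

# Read the effective policy. The value only exists when Group Policy
# ("Boot-Start Driver Initialization Policy") has set it; otherwise 3 applies.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$policy = (Get-ItemProperty -Path $key -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
if ($null -eq $policy) { $policy = 3 }
Write-Host "Effective ELAM DriverLoadPolicy: $policy"
foreach ($c in 'Good','Unknown','BadButCritical','Bad') {
    $verdict = if (Test-ElamLoadAllowed $c $policy) { 'initialized' } else { 'blocked' }
    Write-Host ("  {0,-15} -> {1}" -f $c, $verdict)
}

# List registered ELAM drivers. Assumption: the vendor's ELAM driver is registered
# in the 'Early-Launch' load-order group, as Windows Defender's WdBoot driver is.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($svc.Group -eq 'Early-Launch') {
        [pscustomobject]@{ Driver = $_.PSChildName; Start = $svc.Start; ImagePath = $svc.ImagePath }
    }
} | Format-Table -AutoSize
```

    With the default policy of 3, an Unknown driver is initialized, which is why a third-party ELAM driver that classifies a driver as Bad is the only way to keep it from loading.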

  • coolcool1227, edited November 2012

    Some more queries


    1) How is the driver signed as malicious or clean?


    2) So how are the "Unknown" drivers handled? Is there nothing like heuristics or behavioral blocking of unknown malicious drivers?


    3) What about false-positive detection of a driver?


    4) So ELAM will try to stop loading malicious drivers that are used by rootkits upon detection, but it can't detect and block rootkit infections itself?


    5) So it's signature-based detection in ELAM?

  • 6) There are some situations when Bitdefender cleans the system upon booting; what about this using ELAM?

  • Hello :)


    Let me now answer those questions:


    1. All valid drivers have a digital signature that is recognized by the operating system.


    2. An unknown driver could be a new version of an existing one.


    3. The product will not delete the driver during the boot process.


    4. We are talking here about detection without signatures, it has nothing to do with the files caught by the engines with our definitions.


    5. Read number 4 for this.


    6. That is just a scheduled malware removal at boot, it has nothing to do with ELAM.


    Take care.

  • 2) But isn't it better to name the driver "Modified" rather than "Unknown"? And what actions are taken for Unknown drivers?


    And another question


    7) What if the malicious driver is detected by both Windows ELAM and Bitdefender? Who will have the priority to handle the malicious driver?


    8) What if ELAM detected a malicious driver and Bitdefender didn't? Can Bitdefender check which drivers are detected by ELAM and add detection for them if it doesn't have it?

  • columbo, edited January 2013

    I too am interested in questions #7 & 8. Does, or can there be, a conflict between Windows ELAM and BD 8, in that the Windows version should be disabled, as shown here: http://forum.bitdefender.com/index.php?s=&...st&p=170569


    Another excellent thread B)

  • "If you are using Windows 8, you want to check if your anti-malware software includes an Early Launch Antimalware boot-start driver. If it doesn't, all boot-start drivers will be initialized, and you will not be able to take advantage of this new ELAM technology."


    http://www.thewindowsclub.com/earlylaunch-...ology-windows-8

  • The following is an excerpt about the Symantec Endpoint Protection ELAM.


    I think it should be the same with the BitDefender ELAM driver.


    ==========================================================


    http://www.symantec.com/business/support/i...81106#v71631013


    Symantec Endpoint Protection provides an ELAM driver that works with the Microsoft ELAM driver to provide protection for the computers in your network when they start up. The settings are supported on Microsoft Windows 8.


    The Symantec Endpoint Protection ELAM driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Symantec Endpoint Protection driver then passes the information to Windows to decide to allow or block the detected driver.


    You cannot create exceptions for individual ELAM detections; however, you can create a global exception to log all bad drivers as unknown. By default, unknown drivers are allowed to load.


    ============================================================

  • columbo, edited January 2013

    Thanks for the link, post #13, indie :)

  • The Bitdefender ELAM driver takes control; the original Windows ELAM driver is off. The situation is similar to the interaction between Windows Firewall and any other firewall, such as ZoneAlarm or Privatefirewall.

  • Thanks Indie for providing this great information.