Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Detecting malware that starts early in the boot cycle was a challenge before Windows 8. In August 2012, Microsoft Defender Antivirus (MDAV) for Windows 8 and later, and for Windows Server 2012 and later, gained a new feature called the Early Launch Antimalware (ELAM) driver. ELAM combats early boot threats (for example, rootkits or malicious drivers that can hide from detection) by using the Wdboot.sys driver, which starts before other boot-start drivers. ELAM evaluates those other drivers and helps the Windows kernel decide whether each of them should be initialized.
Where are the ELAM detections logged?
ELAM detections are logged in the same location as other Microsoft Defender Antivirus threat detections, for example as Event ID 1006.
How do I keep the MDAV ELAM driver up to date?
The MDAV ELAM driver ships with the monthly "Platform update."
Can the Early Launch Antimalware (ELAM) policy be modified?
The ELAM policy can be modified in Group Policy under:
Computer Configuration > Administrative Templates > System > Early Launch Antimalware
How can I check that the MDAV ELAM driver is loaded?
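The following PowerShell script is an added example, not part of the Microsoft page, that inspects the three things discussed above on a local host: the registration of the Wdboot.sys driver, the ELAM boot-start policy set by the Group Policy path named above, and recent Event ID 1006 detections. It assumes the driver is registered as the kernel driver service "WdBoot" in the "Early-Launch" load-order group, that the policy is stored as the DriverLoadPolicy value under HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch, and that detections land in the "Microsoft-Windows-Windows Defender/Operational" log.

```powershell
# Added example (not from the Microsoft page): check the MDAV ELAM driver,
# the ELAM boot-start policy and recent detections. Assumptions are marked.

# Assumption: Wdboot.sys is registered as kernel driver service "WdBoot"
# in the "Early-Launch" load-order group, with Start = 0 (boot start).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    [pscustomobject]@{
        ImagePath = $svc.ImagePath
        Start     = $svc.Start    # expected 0 = boot start
        Group     = $svc.Group    # expected 'Early-Launch'
    } | Format-List
} else {
    Write-Warning 'WdBoot service key not found; the MDAV ELAM driver is not registered.'
}

# Driver state as seen by the Service Control Manager. ELAM drivers are
# unloaded once boot-start driver initialization finishes, so a 'Stopped'
# state after boot does not by itself mean the driver did not run.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot'" |
    Select-Object Name, State, StartMode, PathName

# "Boot-Start Driver Initialization Policy" from Computer Configuration >
# Administrative Templates > System > Early Launch Antimalware.
# Assumption: stored as DriverLoadPolicy under this key; value meanings
# follow the policy's own description (unset = Windows default).
$polKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$policy = (Get-ItemProperty -Path $polKey -Name DriverLoadPolicy `
           -ErrorAction SilentlyContinue).DriverLoadPolicy
$meaning = switch ($policy) {
    8       { 'Good only' }
    1       { 'Good and unknown' }
    3       { 'Good, unknown and bad but critical' }
    7       { 'All (ELAM verdict not enforced)' }
    default { 'Not configured (Windows default applies)' }
}
"DriverLoadPolicy: $policy ($meaning)"

# Detections, including ones made at early launch, are logged as
# Event ID 1006 in the Microsoft Defender Antivirus operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1006
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it from an elevated prompt so the service and policy keys and the Defender log are readable.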