Early launch anti-malware definition
Early launch anti-malware (ELAM) is a security feature that protects computers during the boot-up process before most other software starts. It ensures that malware, especially rootkits, does not load before security software has a chance to run.
ELAM is implemented as a driver that starts early, prior to other non-essential drivers and software. This allows it to check the integrity of other drivers and services as they are loaded into memory one by one. If ELAM identifies a driver as malicious, it tries to prevent the driver from loading and stop the malware from executing and gaining a foothold in the system.
See also: memory rootkit, uefi rootkit
History of early launch anti-malware
ELAM was introduced by Microsoft in Windows 8 as part of their enhanced security measures. The necessity of it grew out of the increasing sophistication of malware, especially rootkits, which embed themselves deep within the system and are activated during the boot process. Today, ELAM is a key component in Windows Defender, Microsoft’s integrated antivirus solution, and is also supported by other major antivirus software providers, who integrate their own ELAM drivers into the system to provide early-boot protection.