Windows 8 introduces a
new security feature called
Secure Boot, which protects the Windows boot configuration and components, and loads an
Early Launch Anti-malware (ELAM) driver. This driver starts before other boot-start drivers and enables the evaluation of those drivers and helps the Windows kernel decide whether they should be initialized. By being launched first by the kernel, ELAM is ensured that it is launched before any other third-party software. It is therefore able to detect malware in the boot process itself and prevent it from loading or initializing.
Windows Defender takes advantage of Early-Launch Anti-Malware and you therefore see that it no longer loads after the start-up process is complete, but early on during boot process.
Third-party antivirus software too are able to take advantage of the ELAM technology. To do so, they will have to integrate the same Early Launch Anti-Malware (ELAM) capability in their own software. To help security software vendors get started, Microsoft has released a whitepaper that provides information about developing Early Launch Anti-Malware (ELAM) drivers for Windows operating systems. It provides guidelines for anti-malware developers to develop anti-malware drivers that are initialized before other boot-start drivers, and ensure that those subsequent drivers do not contain malware. Several antivirus companies, who have released their updated solutions for Windows 8 already incorporate this technology.
