Friendica Social Network

Taggart :donor:

3 days ago • •

Taggart :donor:
3 days ago • •

If you don't use #Crowdstrike, you might be wondering if your EDR could burn you the same way.

Not all EDRs use Early Launch Anti-Malware drivers. To find out if yours does, use a registry editor or explorer (Like the great one in Zimmerman's tools) to check out C:\Windows\System32\config\ELAM. If it has live data in it, then something (listed in the hive) is updating signatures for an ELAM driver. If not, no ELAM drivers are present.

#crowdstrike

in reply to Taggart :donor:

Taggart :donor:

in reply to Taggart :donor: • 3 days ago • •

This image from the Windows article about the boot process helps explain the situation. There are other kernel drivers that EDRs can employ, but ELAM happens first. This is why it is both valuable and a dangerous failure point.

learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process

Windows boot stage diagram.

Secure boot secures UEFI

Trusted boot comprises the OS loader, kernel, system drivers, system files, and the ELAM driver, which is our point here. These two processes are monitored/logged in Measured Boot.

After all this comes 3rd party drivers, userland anti-malware, and Windows sign-in.

Secure the Windows boot process - Windows Security

This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.

^{learn.microsoft.com}

⇧