As malware continues to evolve, more computer infections are starting to use boot drivers to load rootkits and other types of malware early in the boot process. This makes detecting and removing these types of infections much more difficult. Windows 8 includes a very important security feature called Early Launch Antimalware that allows antivirus programs to scan boot drivers for viruses before they are loaded. If the boot driver that is about to initialize is considered malware the antivirus program can then prevent the malicious driver from loading.
It is possible to customize what type of drivers are allowed to load based on their classification of good, bad, or unknown. This tutorial will explain how to use the Boot-start Driver Initialization Policy to control what driver classifications are allowed to start when when being scanned by an early launch anti-malware program. It will also explain what each classification means and the possible ramifications of selecting some of these classification. If you are using Windows 8 Professional and Enterprise you can use the Group Policy Editor to configure this policy. For Windows 8, you will need to use the Windows Registry to set the classification you would like to use.
Depending on your version of Windows, please select the section below that best suits your needs:
If you have any questions regarding this process, please feel free to ask in the Windows 8 Forum.
To access the Group Policy Editor in Windows 8, you should type Group Policy in the Start Screen and then click on the Settings category. The option for Edit Group Policy should now appear. Click on the Edit Group Policy option and the Group Policy editor will open.
Under Local Computer Policy expand the tree to the following path:
Computer Configuration\Administrative Templates\System\Early Launch Antimalware
When you see Logon select it so that the screen looks like the following:
In the right-hand pane you should see a setting called Boot-start Driver Initialization Policy. Double-click on this setting and its properties screen will open.
To customize the what boot-start drivers can be loaded, click on the Enabled option. When you do that the menu of driver classifications will be enabled as shown below.
This menu will allow you to specify what classification of boot-start drivers you would like an anti-virus program to allow to load. The default setting is Good, unknown, and bad but critical, but you may want to be stricter or more casual depending on your environment. The classifications that you can choose are:
This classification means that only drivers that are signed and have not been modified in any way are allowed to boot. Drivers that are not signed and known malware drivers will not load even if that means Windows may not be able to start.
Good and unknown
This classification will only allow drivers that are signed or ones that have not been detected as malware or classified by the antivirus software's early launch antimalware driver.
Good, unknown, and bad but critical
This is the default classification used by early launch anti-malware protection. This classification will allow good drivers, unknown drivers, and even malicious drivers. These malicious, or malware, drivers will only be allowed to load if Windows would not start without them.
This setting will allow any driver to start regardless of whether its good, bad, or unknown.
Deciding what setting to use can be tricky as you obviously do not want to load a malware driver, but at the same time you do not want to make it so you can't start your computer. This is the reason why the default setting is Good, unknown, and bad but critical as even though you are loading a malware driver, you will be able to boot Windows and clean it. At the same time, you can select the Good and Unknown classification and then if your computer does not boot, you can disable Early launch anti-malware protection via the Windows 8 Startup Settings screen. Disabling early launch anti-malware protection will then allow you to boot Windows and perform a cleanup as well. The last classification, All, should never be selected as it does not protect you from any malicious drivers.
Once you decide what classification you would like to use, click on the Apply button and then press the OK button to close the policy properties screen. You can then close the group policy editor. You now need to reboot your computer to put the policy into effect. Early launch anti-malware protection will now use the classification that you have selected.
If you are not using Windows 8 Professional or Enterprise you will not have access to the Group Policy Editor. Instead you will need to enable this setting through the Windows Registry. This setting can be enabled by creating a REG_DWORD value named DriverLoadPolicy under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch Registry key.
You would then have to assign one of 4 data values to the DriveLoadPolicy value to configure a particular classification. The decimal values that you can choose to assign to the DriverLoadPolicy value are:
|Classification||DWORD Data Value|
|Good and unknown||1|
|Good, unknown, bad but critical||3|
For a description of each of the classifications, please see the previous section. Once you add this Registry value you will need to reboot Windows in order for it to go into effect. Early launch anti-malware protection will now use the classification that you have selected.
A increasingly popular technique for rootkits is to install malicious drivers that start very early in the boot process. Malware launching in this manner makes it very hard to detect or remove infections without using specialized tools and techniques. To combat this, Microsoft has added a new feature to Windows 8 called Early Launch Anti-Malware Protection. This feature allows certified antivirus ...
Windows 8 introduced a new boot loader that decreased the time that it takes Windows 8 to start. Unfortunately, in order to do this Microsoft needed to remove the ability to access the Advanced Boot Options screen when you press the F8 key when Windows starts. This meant that there was no easy and quick way to access Safe Mode anymore by simply pressing the F8 key while Windows starts. Instead in ...
If you are a system administrator, IT professional, or a power user it is common to find yourself using the command prompt to perform administrative tasks in Windows. Whether it be copying files, accessing the Registry, searching for files, or modifying disk partitions, command-line tools can be faster and more powerful than their graphical alternatives. This tutorial will walk you through ...
When you wake up Windows 8 after it has gone to sleep, you will be presented with the lock screen. You will then have to enter your password to start using Windows 8 again. For those who feel that their computer is in a secure environment, this feature can be annoying as it requires a few extra steps to get back to what you are doing. This tutorial will explain how you can disable the requirement ...
A Windows Command Prompt is a screen where you type in commands that you would like to execute. The command prompt is very useful if you want to use batch files, basic scripting, or to perform various administrative tasks. The normal command prompt has one shortcoming and that is that you cannot directly launch programs that require administrative privileges in order to work properly. This is ...