Halcyon. Posted January 27, 2016 Share Posted January 27, 2016 As malware continues to evolve, more computer infections are starting to use boot drivers to load rootkits and other types of malware early in the boot process. This makes detecting and removing these types of infections much more difficult. Windows 8 includes a very important security feature called Early Launch Antimalware that allows antivirus programs to scan boot drivers for viruses before they are loaded. If the boot driver that is about to initialize is considered malware the antivirus program can then prevent the malicious driver from loading. It is possible to customize what type of drivers are allowed to load based on their classification of good, bad, or unknown. This tutorial will explain how to use the Boot-start Driver Initialization Policy to control what driver classifications are allowed to start when when being scanned by an early launch anti-malware program. It will also explain what each classification means and the possible ramifications of selecting some of these classification. If you are using Windows 8 Professional and Enterprise you can use the Group Policy Editor to configure this policy. For Windows 8, you will need to use the Windows Registry to set the classification you would like to use. Depending on your version of Windows, please select the section below that best suits your needs: Configure Early Launch Anti-malware Protection with the Group Policy Editor To access the Group Policy Editor in Windows 8, you should type Group Policy in the Start Screen and then click on the Settings category. The option for Edit Group Policy should now appear. Click on the Edit Group Policy option and the Group Policy editor will open. Note: If you are not using Windows 8 Professional or Enterprise you will not have access to the group policy editor. Instead you should follow the instructions here. Under Local Computer Policy expand the tree to the following path: Computer Configuration\Administrative Templates\System\Early Launch Antimalware When you see Logon select it so that the screen looks like the following: In the right-hand pane you should see a setting called Boot-start Driver Initialization Policy. Double-click on this setting and its properties screen will open. To customize the what boot-start drivers can be loaded, click on the Enabled option. When you do that the menu of driver classifications will be enabled as shown below. This menu will allow you to specify what classification of boot-start drivers you would like an anti-virus program to allow to load. The default setting is Good, unknown, and bad but critical, but you may want to be stricter or more casual depending on your environment. The classifications that you can choose are: Good only This classification means that only drivers that are signed and have not been modified in any way are allowed to boot. Drivers that are not signed and known malware drivers will not load even if that means Windows may not be able to start. Good and unknown This classification will only allow drivers that are signed or ones that have not been detected as malware or classified by the antivirus software's early launch antimalware driver. Good, unknown, and bad but critical This is the default classification used by early launch anti-malware protection. This classification will allow good drivers, unknown drivers, and even malicious drivers. These malicious, or malware, drivers will only be allowed to load if Windows would not start without them. All This setting will allow any driver to start regardless of whether its good, bad, or unknown. Deciding what setting to use can be tricky as you obviously do not want to load a malware driver, but at the same time you do not want to make it so you can't start your computer. This is the reason why the default setting is Good, unknown, and bad but critical as even though you are loading a malware driver, you will be able to boot Windows and clean it. At the same time, you can select the Good and Unknown classification and then if your computer does not boot, you can disable Early launch anti-malware protection via the Windows 8 Startup Settings screen. Disabling early launch anti-malware protection will then allow you to boot Windows and perform a cleanup as well. The last classification, All, should never be selected as it does not protect you from any malicious drivers. Once you decide what classification you would like to use, click on the Apply button and then press the OK button to close the policy properties screen. You can then close the group policy editor. You now need to reboot your computer to put the policy into effect. Early launch anti-malware protection will now use the classification that you have selected. Configuring Early Launch Anti-Malware Protection via the Registry If you are not using Windows 8 Professional or Enterprise you will not have access to the Group Policy Editor. Instead you will need to enable this setting through the Windows Registry. This setting can be enabled by creating a REG_DWORD value named DriverLoadPolicy under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch Registry key. You would then have to assign one of 4 data values to the DriveLoadPolicy value to configure a particular classification. The decimal values that you can choose to assign to the DriverLoadPolicy value are: Classification DWORD Data Value Good Only 8 Good and unknown 1 Good, unknown, bad but critical 3 All 7 For a description of each of the classifications, please see the previous section. Once you add this Registry value you will need to reboot Windows in order for it to go into effect. Early launch anti-malware protection will now use the classification that you have selected. Link to comment Share on other sites More sharing options...
Recommended Posts