Early Launch Antimalware drivers must adhere to the following program requirements to be signed by WHQL and loaded by Windows.
Microsoft requires that Early Launch Antimalware vendors be members of the MVI (MVI formerly stood for “Microsoft Virus Initiative” but now is simply the “MVI”). This membership ensures that the vendors are active antimalware community participants with a positive industry reputation.
The membership requirements for the MVI are:
- Must have an AV product in the market and have a malware research capability.
- Must have an NDA in place with Microsoft.
- Must be a member of EICAR or AVPD or have signed and adhere to a code of ethics.
- Must have a positive reputation in the industry. This is determined solely by the MVI management. Requests for MVI membership can be directed to email@example.com.
Each driver must pass the following HCK tests, which are administered by the ISV:
- PERFORMANCE TEST
  - CALLBACK LATENCY - Each early launch AM driver is required to return the driver verification callbacks from the kernel within 0.5 ms. This time is measured from when the kernel issues the callback to the driver to the time the driver returns the callback.
  - MEMORY ALLOCATION - Each early launch AM driver is required to limit its footprint in memory to 128 KB, for both the driver image as well as its configuration (signature) data.
  - UNLOAD BLOCKING - Each early launch AM driver receives a synchronous callback after the last boot driver has been initialized, which indicates that the AM driver will be unloaded. The AM driver can use this as an indication that it needs to do “cleanup” and save any status information that can be used by the runtime AM driver. However, the early launch AM driver must return the callback for the driver to be unloaded and for boot to continue.
- SIGNATURE DATA TEST - Each early launch AM driver must get its malware signature data from a single, well-known location and no other. This allows measurement and protection of that data by Windows. This test ensures that each AM driver only reads its configuration data from the registry hive that is created for that driver.
- BACKUP DRIVER TEST - The early launch AM driver, upon installation, must also install a backup copy of the driver to the backup driver store. This requirement is to help with remediation in the case that the primary driver gets corrupted. This test ensures that for an installed early launch AM driver, there is a corresponding driver in the backup store.
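The following user-mode model, added here as an illustration and not Microsoft's ELAM sample or any vendor's driver, shows how the callback latency, memory allocation, unload blocking and signature data requirements above shape the design of the boot-driver callback. The enum and struct names mirror the WDK ntddk.h definitions in simplified form so the contract is recognisable; `IMAGE_INFORMATION`, `SIG_ENTRY`, the 0xAA/0x11/0xC0 hash fills and the `build_constructed_hive_blob` helper are constructed for the example, and the blob stands in for the signature value the driver would read from its own ELAM registry hive.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified mirrors of the WDK enums (the real ones live in ntddk.h). */
typedef enum {
    BdCbClassificationUnknownImage,
    BdCbClassificationKnownGoodImage,
    BdCbClassificationKnownBadImage,
    BdCbClassificationKnownBadImageBootCritical
} BDCB_CLASSIFICATION;

typedef enum {
    BdCbStatusPrepareForDependencyLoad,
    BdCbStatusPrepareForDriverLoad,
    BdCbStatusPrepareForUnload
} BDCB_STATUS_UPDATE_TYPE;

/* Constructed stand-in for the per-image information the kernel hands the callback. */
typedef struct {
    const char *ImageName;
    uint8_t ImageHash[32];               /* hash of the image, supplied by the kernel */
    BDCB_CLASSIFICATION Classification;  /* filled in by the AM driver */
} IMAGE_INFORMATION;

/* MEMORY ALLOCATION: signature data lives in one fixed 128 KB arena, never a heap. */
#define ELAM_SIG_BUDGET (128u * 1024u)

typedef struct {
    uint8_t hash[32];
    uint8_t verdict;  /* a BDCB_CLASSIFICATION value; sizeof(SIG_ENTRY) == 33 */
} SIG_ENTRY;

static uint8_t g_arena[ELAM_SIG_BUDGET];
static size_t g_count;  /* entries in g_arena, kept sorted by hash */

/* Status the runtime AM driver can pick up after the early launch driver unloads. */
typedef struct { unsigned good, bad, unknown; int saved; } ELAM_SUMMARY;
static ELAM_SUMMARY g_summary;

static int cmp_entry(const void *a, const void *b) {
    return memcmp(((const SIG_ENTRY *)a)->hash, ((const SIG_ENTRY *)b)->hash, 32);
}

/* SIGNATURE DATA: the blob is the single value read from the driver's own hive.
 * Anything over budget or malformed is rejected before touching driver state.
 * Sorting happens here, at load time, so the callback itself never does it. */
int elam_load_signatures(const uint8_t *blob, size_t len) {
    if (len > ELAM_SIG_BUDGET || len % sizeof(SIG_ENTRY) != 0) return -1;
    memcpy(g_arena, blob, len);
    g_count = len / sizeof(SIG_ENTRY);
    qsort(g_arena, g_count, sizeof(SIG_ENTRY), cmp_entry);
    memset(&g_summary, 0, sizeof g_summary);
    return 0;
}

/* CALLBACK LATENCY: one binary search over preloaded data, no allocation, no I/O,
 * which keeps each BdCbInitializeImage-style callback far inside the 0.5 ms budget. */
BDCB_CLASSIFICATION elam_initialize_image(IMAGE_INFORMATION *img) {
    SIG_ENTRY key;
    memcpy(key.hash, img->ImageHash, 32);
    key.verdict = 0;
    const SIG_ENTRY *hit = bsearch(&key, g_arena, g_count, sizeof(SIG_ENTRY), cmp_entry);
    img->Classification = hit ? (BDCB_CLASSIFICATION)hit->verdict : BdCbClassificationUnknownImage;
    if (img->Classification == BdCbClassificationKnownGoodImage) g_summary.good++;
    else if (img->Classification == BdCbClassificationUnknownImage) g_summary.unknown++;
    else g_summary.bad++;
    return img->Classification;
}

/* UNLOAD BLOCKING: on the prepare-for-unload status update, record what the runtime
 * driver needs and return immediately so the unload and the rest of boot proceed. */
void elam_status_update(BDCB_STATUS_UPDATE_TYPE type) {
    if (type == BdCbStatusPrepareForUnload) g_summary.saved = 1;
}

const ELAM_SUMMARY *elam_summary(void) { return &g_summary; }

/* Constructed hive content: three entries written deliberately out of hash order. */
size_t build_constructed_hive_blob(uint8_t *out, size_t cap) {
    const uint8_t fills[3] = { 0xC0, 0x11, 0xAA };
    const uint8_t verdicts[3] = { BdCbClassificationKnownBadImage,
                                  BdCbClassificationKnownGoodImage,
                                  BdCbClassificationKnownBadImageBootCritical };
    if (cap < 3 * sizeof(SIG_ENTRY)) return 0;
    for (int i = 0; i < 3; i++) {
        SIG_ENTRY e;
        memset(e.hash, fills[i], 32);
        e.verdict = verdicts[i];
        memcpy(out + i * sizeof(SIG_ENTRY), &e, sizeof e);
    }
    return 3 * sizeof(SIG_ENTRY);
}

int main(void) {
    uint8_t blob[3 * sizeof(SIG_ENTRY)];
    size_t n = build_constructed_hive_blob(blob, sizeof blob);
    if (elam_load_signatures(blob, n) != 0) return 1;
    IMAGE_INFORMATION img = { "constructed.sys", {0}, BdCbClassificationUnknownImage };
    memset(img.ImageHash, 0x11, 32);
    printf("%s -> %d\n", img.ImageName, elam_initialize_image(&img));
    elam_status_update(BdCbStatusPrepareForUnload);
    printf("saved=%d good=%u\n", elam_summary()->saved, elam_summary()->good);
    return 0;
}
```

The design point is that every expensive step (parsing, bounds checking, sorting) happens once when the signature data is loaded from the driver's hive, so the per-image callback is a fixed-cost lookup over a fixed-size buffer.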
Each driver .sys file must be code signed by Microsoft, using a special certificate indicating that it is an Early Launch AM Driver.
The AM driver must be a single binary; it must not import any other DLLs.
The WHQL signing process for an early launch driver is:
- The ISV submits the driver package, along with its HCK test results, to the WHQL Portal. A parameter of the submission indicates that the driver is an early launch driver.
- The WHQL process verifies that the vendor is permitted to submit early launch drivers, and it verifies that the driver has passed its HCK tests.
- The WHQL process creates a code signing catalog for the driver package.
- WHQL returns to the vendor the signed catalog as well as the driver’s binaries signed by a special code signing certificate.
Build date: 11/16/2013