ELAM Logo Test

This manual test consists of the following four tests:

  • Backup Driver Test: The early launch AM driver, upon installation, must install a backup copy of the driver to the backup driver store. This requirement helps with remediation if the primary driver gets corrupted. This test ensures that for an installed early launch AM driver, there is a corresponding driver in the backup store. This test returns a pass if, for each installed AM driver, there is a matching driver in the backup store. Drivers are determined to be matching if their signatures match. It returns a fail if there is no matching driver in the backup store. The backup location is stored in the BackupPath value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch key and is initialized to %WINDIR%\ELAMBKUP.

  • MVI Membership Test: Each ISV who submits an ELAM driver to WinQual must be an MVI member. This test requires the submitter to indicate whether they are an MVI member. This test will be audited manually and compared to the MVI membership list to ensure submitters are accurate with their submissions. This test returns a pass if the driver submitter indicates that they are an MVI member. It returns a fail if the submitter indicates that they are not an MVI member.

  • Performance test:

    • Callback latency. Each early launch AM driver is required to return the driver verification callbacks from the kernel in a timely manner. This time is measured from when the kernel issues the callback to the driver to the time the driver returns the callback. The callback latency test shall return a pass if each kernel callback is returned in 0.5 ms or less. It shall return fail if at least one callback exceeds that threshold.

    • Memory allocation. Each early launch AM driver is required to have a limited footprint in memory, for both the driver image and its configuration (signature) data. The memory allocation test shall return a pass if the total size of the driver plus its data in memory is 128 KB or less, based on a requirement from the Performance team. It shall return fail if it exceeds that limit.

    • Unload blocking. Each early launch AM driver will receive a synchronous callback after the last boot driver has been initialized indicating that the AM driver will be unloaded. The AM driver can use this as an indication that it needs to do “cleanup” and save any status information that can be used by the runtime AM driver. However, the early launch AM driver must return the callback for the driver to be unloaded and for boot to continue. This test ensures that the AM driver returns this callback in a timely manner to not block the rest of startup. This time is measured from when the kernel issues the callback to the driver to the time the AM driver returns the callback. The unload blocking test shall return a pass if the unload callback is returned within 0.5 ms. It shall return fail if it exceeds that time.

  • Signature Data Test: Each early launch AM driver must get its malware signature data from a single, well-known location and no other. This allows measurement and protection of that data by Windows. This test ensures that each AM driver only reads its configuration data from the registry hive that is created for that driver. The test returns a pass if the driver only reads its data from the specified registry hive. The SHA-1 digests of three REG_BINARY registry values under every [AVVendor key] key are recorded:

    • ELAM\[AVVendor key]\Config

    • ELAM\[AVVendor key]\Policy

    • ELAM\[AVVendor key]\Measured

    It returns a fail if the driver reads signature data from any other source.
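The Backup Driver Test's pass condition can be spot-checked on a live system with the following PowerShell, which is an added example and not part of the Windows HCK. It assumes ELAM drivers are the services whose Group value is Early-Launch, that the backup copy keeps the primary driver's file name, and that "signatures match" means both files carry a valid Authenticode signature from the same signer certificate.

```powershell
# Added example. Assumptions (not stated on this page): ELAM services carry
# Group = 'Early-Launch', and the backup copy keeps the primary's file name.
$earlyLaunchKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
$servicesKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath([string]$ImagePath) {
    # Boot-start ImagePath values are normally relative to %WINDIR%.
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ([IO.Path]::IsPathRooted($p)) { return $p }
    return (Join-Path $env:WINDIR $p)
}

# BackupPath is the value named on this page; expand %WINDIR% if present.
$backupDir = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty -Path $earlyLaunchKey -Name BackupPath -ErrorAction Stop).BackupPath)

$results = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    if ($props.Group -ne 'Early-Launch') { continue }

    # Drivers without an ImagePath default to system32\drivers\<name>.sys.
    $image = if ($props.ImagePath) { $props.ImagePath } else { "system32\drivers\$($svc.PSChildName).sys" }
    $primary = Resolve-DriverPath $image
    $backup  = Join-Path $backupDir (Split-Path -Path $primary -Leaf)

    $sigPrimary = Get-AuthenticodeSignature -LiteralPath $primary -ErrorAction SilentlyContinue
    $sigBackup  = if (Test-Path -LiteralPath $backup) { Get-AuthenticodeSignature -LiteralPath $backup }

    # "Signatures match" is interpreted here as: both valid, same signer certificate.
    $match = $sigPrimary -and $sigBackup -and
        $sigPrimary.Status -eq 'Valid' -and $sigBackup.Status -eq 'Valid' -and
        $sigPrimary.SignerCertificate.Thumbprint -eq $sigBackup.SignerCertificate.Thumbprint

    [pscustomobject]@{
        Service = $svc.PSChildName
        Primary = $primary
        Backup  = $backup
        Result  = if ($match) { 'Pass' } else { 'Fail' }
    }
}
$results | Format-Table -AutoSize
```

Run it from an elevated prompt so the backup directory is readable; a Fail row means the backup copy is missing, unsigned, or signed by a different certificate than the installed driver.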

Test details

Associated requirements

  • Filter.Driver.EarlyLaunchAntiMalware.BackupDriver

  • Filter.Driver.EarlyLaunchAntiMalware.ELAMSignatureAttributes

  • Filter.Driver.EarlyLaunchAntiMalware.MVIMembership

  • Filter.Driver.EarlyLaunchAntiMalware.Performance

  • Filter.Driver.EarlyLaunchAntiMalware.SignatureData

See the filter hardware requirements.

Platforms

  • Windows 8 (x64)

  • Windows 8 (x86)

  • Windows Server 2012 (x64)

  • Windows 8.1 x64

  • Windows 8.1 x86

  • Windows Server 2012 R2

Expected run time

~30 minutes

Categories

  • Certification

  • Functional

Type

Manual

Running the test

Before you run the test, complete the test setup as described in the test requirements: Windows HCK Prerequisites.

Troubleshooting

For troubleshooting information, see Troubleshooting the Windows HCK Environment.

This test returns Pass or Fail. To review test details, review the test log from Windows Hardware Certification Kit (Windows HCK) Studio.