The status for driver eelam (eelam) remains Stopped


Hello. I recently noticed something strange on several of our servers. In Event Viewer there's the following entry: "The status for driver eelam (eelam) remains Stopped. Additional Driver Information:

Startup type:    Automatic
Executable:    \SystemRoot\system32\DRIVERS\eelam.sys". The file itself is where it should be. There is also a registry path HKLM\SYSTEM\CurrentControlSet\Services\eelam but no "eelam" service in "services.msc". When I try to change the startup type in the registry, I get an error, so I suppose it's some kind of ESET defence. So why is this service not listed where the other services are? Why is it set to start automatically when it doesn't actually start? Server is 2012R2 (with updates) and File Security is 7.0.12018.0.

On 5/2/2019 at 10:22 AM, Marcos said:

That is correct. This driver should remain in the stopped state.

Good, I figured out a way to remove this driver from the server monitoring software so it no longer shouts about this being an error. Thanks!

P.S. Just curious, what does it do?

Edited by m.gospodinov
6 hours ago, m.gospodinov said:

p.s. Just curious, what does it do?

The ESET ELAM driver is ESET's version of the default ELAM driver used by Windows Defender in Win 10. The acronym stands for "Early Launch Anti-malware."

Its purpose is to load itself prior to any non-device kernel mode drivers loading so that it can inspect any malicious activities originating from those app drivers. Once boot and driver load processing is completed, the ELAM driver auto unloads itself since it is no longer needed. Hence the reason why the service associated with the driver always shows a stopped status.

Also, as far as I am aware, the Server 2012 OS does not use the ELAM driver; only Win 10 and possibly the latest Server OS versions. Therefore, it should always remain in the stopped status as far as its applicable service status is concerned. Note: the ELAM driver interfaces with an OS kernel component. As far as I am aware, that component is only present on Win 10 and again, possibly the latest Win Server OS release.

-EDIT- Correction. ELAM driver is indeed used on WIN 8 and Server 2012. Ref.: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware

Here's an article with a detailed explanation on how the ELAM driver works: https://blogs.technet.microsoft.com/dubaisec/2016/05/09/elam-driver/

Edited by itman
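
For a monitoring exclusion like the one discussed in this thread, the following added example (not posted by any participant, and not ESET's own tooling) lists the drivers registered in the `Early-Launch` load-order group that Microsoft's ELAM documentation specifies, with their current state and the Authenticode status of the file on disk. The function names are hypothetical, and the path handling assumes the `\SystemRoot\...` form shown in the event text.

```powershell
# Added example: inventory ELAM drivers so a "remains Stopped" alert can be
# recognised as expected behaviour instead of being silenced blindly.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath([string]$ImagePath) {
    # Driver ImagePath values are NT-style; map the common forms to a file path.
    if ($ImagePath -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($ImagePath -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($ImagePath -match '^system32\\')          { return Join-Path $env:SystemRoot $ImagePath }
    return $ImagePath
}

function Get-ElamDriver {
    # Kernel drivers are not shown in services.msc; WMI reports their state.
    $state = @{}
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object { $state[$_.Name] = $_.State }

    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.Group -ne 'Early-Launch') { continue }   # ELAM load-order group

        $file = Resolve-DriverPath $props.ImagePath
        $sig  = if (Test-Path -LiteralPath $file) { Get-AuthenticodeSignature -FilePath $file }

        [pscustomobject]@{
            Name      = $key.PSChildName
            State     = if ($state.ContainsKey($key.PSChildName)) { $state[$key.PSChildName] } else { 'not reported' }
            StartType = $props.Start            # 0 = boot start
            File      = $file
            SigStatus = if ($sig) { $sig.Status } else { 'file not found' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        }
    }
}

Get-ElamDriver | Format-List
```

Run it from an elevated 64-bit PowerShell session; a driver in this list that reports `Stopped` after boot matches the behaviour described above, while a missing file or an unexpected signer is worth investigating before the alert is excluded.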