Endpoint Standard: ELAM (Early Launch AntiMalware) is "disabled" when CB sensor is active
Article ID: 286356
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
When running a health attestation check in Workspace ONE, the check called "Early Launch Anti Malware" (ELAM) is shown as enabled (green checkmark) when the CB sensor is in bypass mode.
When the Carbon Black sensor is active, ELAM is shown as disabled (an orange warning sign appears).
Environment
Endpoint Standard: 3.7.0.xxxx
Carbon Black Cloud: All supported versions
Cause
The MS-HAS (Microsoft Health Attestation) tool checks only for the Microsoft Defender ELAM component and not for third-party ELAMs, so it shows ELAM as disabled when the sensor is active.
Resolution
If the cbELAM status is set to "ANTIMALWARE_LIGHT", it proves that there is no issue from Carbon Black.
The next step is to reach out to Microsoft or the VMware Workspace ONE team to investigate this further.
Additional Information
The protection level of the sensor can be checked by running the following command in an Administrator Command Prompt:
sc qprotection cbdefense
If the protection level shows as ANTIMALWARE LIGHT, CB ELAM is enabled and working as designed.
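To run the same check from PowerShell (for example in a compliance script), the following added example, which is not part of the original article or vendor code, wraps the command and parses its result. The function name `Get-ServiceProtectionLevel` is hypothetical, and the parser assumes the output line has the form `SERVICE <name> PROTECTION LEVEL: <level>.`; the sample lines are constructed.

```powershell
# Added example (not vendor code). In Windows PowerShell, "sc" is an alias for
# Set-Content, so the service controller must be called as sc.exe.
function Get-ServiceProtectionLevel {
    param(
        [string]$ServiceName = 'cbdefense',
        # Optional pre-captured command output, so the parser can run offline.
        [string[]]$ScOutput
    )
    if (-not $ScOutput) {
        # Requires an elevated session, as the article states.
        $ScOutput = & sc.exe qprotection $ServiceName 2>&1 | ForEach-Object { "$_" }
    }
    $level = $null
    foreach ($line in $ScOutput) {
        # Assumed line format: "SERVICE <name> PROTECTION LEVEL: <level>."
        if ($line -match 'PROTECTION LEVEL:\s*(.+?)\.?\s*$') {
            # Treat ANTIMALWARE_LIGHT and ANTIMALWARE LIGHT as the same value.
            $level = ($Matches[1] -replace '_', ' ').Trim().ToUpper()
            break
        }
    }
    [pscustomobject]@{
        Service         = $ServiceName
        ProtectionLevel = $level      # $null if the query failed or did not parse
        ElamProtected   = ($level -eq 'ANTIMALWARE LIGHT')
        Raw             = ($ScOutput -join ' | ')
    }
}

# Constructed sample output for a protected sensor service.
$protected = @(
    '[SC] QueryServiceConfig2 SUCCESS',
    '',
    'SERVICE cbdefense PROTECTION LEVEL: ANTIMALWARE LIGHT.'
)
# Constructed sample output for a service that is not launched as protected.
$unprotected = @(
    '[SC] QueryServiceConfig2 SUCCESS',
    '',
    'SERVICE cbdefense PROTECTION LEVEL: NONE.'
)

Get-ServiceProtectionLevel -ScOutput $protected   | Format-List
Get-ServiceProtectionLevel -ScOutput $unprotected | Format-List

# On an endpoint, query the live service instead:
# Get-ServiceProtectionLevel -ServiceName cbdefense
```

A `ProtectionLevel` of `$null` means the query failed or the output did not match the assumed format; inspect the `Raw` field before drawing a conclusion.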