ELM.LEN.epi Flagged as Suspected Malware – How to Fix It
With a November 2023 virus definition update, Microsoft Windows Defender has begun flagging one of ELM’s files during Full Scans and Targeted or Custom File Scans. (Quick Scans currently do not seem to pick it up.) However it is important to note that not all files that are flagged by Defender are necessarily malicious.
In this case, the file in question provides the ability for dynamic loading of ELM utilizing a custom extension. In other words this EPI file is technically a DLL. All products released by Fire Mountain Software are code signed for authenticity and security, however code signing does not apply to custom extensions, hence the security alert.
When a Windows Defender scan detects this file, the ELM Agent Service will be stopped.
What is the workaround?
This new virus definition update affects all releases of ELM dating back to March 2017 including: ELM 7.0, ELM 7.5 and ELM 8.0.
For ELM 7.x – the suggested workaround is to allow Defender to clean the system. After this the ELM service will fail to start.
Next go into the Threat History and restore the ELM.LEN.epi file.
Now you can restart the ELM Agent services and they will run as expected.
Future scans will show one item being skipped.
For ELM 8.0 – a new build has just been released. We encourage all 8.0 users to download and update as soon as possible. If that is not feasible, then the workaround described above for versions 7.x will be sufficient until an update can be performed.
Thank you for your patience as sometimes these Microsoft security updates surprise us all and produce very unexpected results!