EDR-Freeze

Tech Optimizer
October 11, 2025
A new cybersecurity technique allows attackers to exploit antivirus software by injecting malicious code into its processes, evading detection and compromising security. The method involves cloning protected services and hijacking cryptographic providers to create a backdoor in the antivirus installation folder. This technique takes advantage of antivirus solutions' reliance on operating system features and less-guarded auxiliary components. By exporting and importing registry keys, attackers can create a duplicate service that retains the original's configurations, allowing for the injection of malicious DLLs during service startup. An open-source tool named IAmAntimalware automates this process, successfully demonstrating the technique with various antivirus programs. To mitigate these threats, monitoring of module loads, auditing trusted certificates, and enforcing security features are recommended.
Tech Optimizer
September 24, 2025
Endpoint detection and response (EDR) systems and antivirus protections are increasingly targeted by threat actors using sophisticated techniques. A new method called EDR-Freeze has been introduced, which utilizes Windows Error Reporting and the MiniDumpWriteDump function to hibernate antivirus processes without needing to install vulnerable drivers. This technique operates entirely in user mode and was disclosed by an anonymous researcher known as Two One Seven Three on Zero Salarium. The MiniDumpWriteDump function can suspend all threads within a target process during the dump process, which is crucial to avoid memory corruption. The researcher faced challenges with the rapid execution of MiniDumpWriteDump and the security measures protecting EDR and antivirus processes. By reverse-engineering the WerFaultSecure program, the researcher enabled MiniDumpWriteDump for any chosen process and integrated it with the CreateProcessAsPPL tool to bypass Protected Process Light (PPL) protections. The researcher proposed a race condition attack consisting of four steps: executing WerFaultSecure with WinTCB-level protection, configuring it to dump the target process, monitoring the target process until it is suspended, and then suspending the WerFaultSecure process. A tool to execute this exploit is available on GitHub, and another researcher has developed a KQL rule for its detection. The EDR-Freeze technique exploits a vulnerability in the WerFaultSecure program, addressing the weaknesses of the BYOVD method and allowing flexible control over EDR and antivirus programs.
Winsage
September 24, 2025
A Zero Salarium specialist has developed a method called EDR-Freeze that temporarily disables antivirus processes and EDR agents on Windows systems. The technique uses built-in system tools and exploits a race condition between processes, specifically using MiniDumpWriteDump to suspend target processes while capturing snapshots. The method operates without third-party driver exploits and runs in user mode. The EDR-Freeze tool is available on GitHub and requires the target program's PID and a pause time in milliseconds for which the antivirus process is kept suspended. A demonstration showed that the Windows Defender service (MsMpEng.exe) was successfully suspended. The specialist advises monitoring WerFaultSecure for unusual startup parameters that reference sensitive services and recommends implementing robust protection mechanisms that verify the launch chain of protected processes.
Winsage
September 22, 2025
A new technique called EDR-Freeze allows evasion of security solutions through Microsoft's Windows Error Reporting (WER) system, enabling attackers to suspend endpoint detection and response (EDR) tools without relying on vulnerable drivers. Security researcher TwoSevenOneThree utilized the WER framework and the MiniDumpWriteDump API to indefinitely suspend EDR and antivirus processes by exploiting the WerFaultSecure component, which operates with Protected Process Light (PPL) privileges. The method involves spawning WerFaultSecure, invoking MiniDumpWriteDump on the target process, monitoring the target until it is suspended, and then freezing the dumper. A tool has been developed to automate this process, successfully tested on Windows 11 24H2, which froze the Windows Defender process. To mitigate this attack, monitoring WER for identifiers linked to sensitive processes is recommended, and security researcher Steven Lim has created a tool to map WerFaultSecure to Microsoft Defender Endpoint processes. Microsoft has the opportunity to enhance these components against misuse by implementing restrictions on suspicious invocations.
Tech Optimizer
September 22, 2025
A security researcher has developed a tool called EDR-Freeze that allows the temporary disabling of endpoint detection and response (EDR) systems and antivirus software without using vulnerable drivers. EDR-Freeze exploits the Windows Error Reporting functionality to carry out a race condition attack that suspends security processes, specifically by targeting the WerFaultSecure.exe process. The tool can successfully suspend the MsMpEng.exe process of Windows Defender on Windows 11 24H2. It operates entirely in user mode and uses legitimate Windows components, making detection more difficult for security teams. The source code for EDR-Freeze is publicly available on GitHub, intended for legitimate security research, but poses a risk of misuse by malicious actors. Security teams are advised to monitor for suspicious activity related to WerFaultSecure.exe and to strengthen their process protection mechanisms.
Tech Optimizer
September 21, 2025
EDR-Freeze is a proof-of-concept tool developed by Zero Salarium that can place Endpoint Detection and Response (EDR) and antivirus solutions into a suspended state. It utilizes the MiniDumpWriteDump function from the Windows DbgHelp library to achieve this by extending the suspension of target processes. The tool circumvents the Protected Process Light (PPL) security feature using WerFaultSecure.exe, which operates at a high privilege level. By launching WerFaultSecure.exe with specific parameters, EDR-Freeze can monitor and suspend it, preventing the target EDR or antivirus process from resuming. A test on Windows 11 24H2 successfully suspended the MsMpEng.exe process of Windows Defender. Detecting this technique involves monitoring for unusual executions of WerFaultSecure.exe targeting sensitive process IDs.