
EDR-Freeze tool suspends security software using Windows WER

1 unique source, 1 article

Summary


A new proof-of-concept tool called EDR-Freeze exploits Windows Error Reporting (WER) to suspend security software, including EDR and antivirus tools. The technique, discovered by researcher Zero Salarium, operates from user mode without requiring a vulnerable driver. It leverages legitimate Windows components to indefinitely suspend security processes: the WerFaultSecure component and the MiniDumpWriteDump API are used to suspend all threads in the target process, effectively putting the security software into a dormant state. This approach is stealthier and more efficient than traditional bring-your-own-vulnerable-driver (BYOVD) attacks, which rely on exploiting vulnerable kernel drivers. The tool has been successfully tested on Windows 11 24H2, demonstrating its potential impact on modern systems.

Timeline

  1. 22.09.2025 20:07 · 1 article

    EDR-Freeze tool suspends security software using Windows WER

    A new proof-of-concept tool called EDR-Freeze has been developed to suspend security software, including EDR and antivirus tools, by exploiting Windows Error Reporting (WER). The technique, discovered by researcher Zero Salarium, operates from user mode without requiring a vulnerable driver. It leverages the WerFaultSecure component and MiniDumpWriteDump API to suspend all threads in the target process, effectively putting security software into a dormant state. The tool has been successfully tested on Windows 11 24H2, demonstrating its potential impact on modern systems. Defending against this method involves monitoring WER for suspicious process identifiers and potentially hardening Windows components against abuse.

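One way to act on the monitoring suggestion above, as an added example that is not from the original post or from the EDR-Freeze tool: it scans process-creation records for WerFaultSecure.exe launches whose command line references the PID of a known security process. The records, paths, process names, PIDs and the command-line switch layout are all constructed assumptions, since the page does not document them.

```python
import re

# Constructed Sysmon-style process-creation events (not real logs).
# Assumption: WerFaultSecure receives the target PID on its command line;
# the real switch layout is not documented here, so the "/pid ... /tid ..."
# form and every path, name and PID below are made up for illustration.
EVENTS = [
    {"pid": 1234, "image": r"C:\ProgramData\ExampleEDR\edrsvc.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "edrsvc.exe"},
    {"pid": 5678, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"pid": 9001, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "parent": r"C:\Users\bob\tool.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 1234 /tid 4321"},
    {"pid": 9002, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 5678 /tid 8765"},
]

# Image names the defender treats as security tooling (constructed list).
SECURITY_IMAGES = {"edrsvc.exe", "msmpeng.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_werfault_targets(events, security_images=SECURITY_IMAGES):
    """Return (werfault_pid, parent_image, target_pid, target_image) for every
    WerFaultSecure launch whose command line carries the PID of a process
    whose image is in security_images. Any numeric token is treated as a
    candidate PID so the check does not depend on the exact switch names."""
    pid_to_image = {e["pid"]: e["image"] for e in events}
    watched = {pid for pid, img in pid_to_image.items()
               if image_name(img) in security_images}
    hits = []
    for e in events:
        if image_name(e["image"]) != "werfaultsecure.exe":
            continue
        tokens = {int(t) for t in re.findall(r"\b\d+\b", e["cmdline"])}
        for target in sorted(tokens & watched):
            hits.append((e["pid"], e["parent"], target, pid_to_image[target]))
    return hits


if __name__ == "__main__":
    for hit in find_werfault_targets(EVENTS):
        print("ALERT: WerFaultSecure pid=%d (parent %s) targets pid=%d %s" % hit)
```

The parent image is carried along so an analyst can see whether the launch came from the WER service host or from an unexpected user process.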

Information Snippets