EDR-Freeze: Windows WER abuse suspends security software
Summary
A new technique called EDR-Freeze abuses Windows Error Reporting (WER) to suspend endpoint detection and response (EDR) and antivirus software. The method uses the WER framework and the MiniDumpWriteDump API to suspend security processes indefinitely from user mode. Because it runs from user mode, it avoids the need for vulnerable drivers and is stealthier and harder to detect and defend against than driver-based approaches. Security researcher TwoSevenOneThree (Zero Salarium) developed the proof-of-concept tool and demonstrated it on Windows 11 24H2. Since the method leverages legitimate Windows components, it is a design weakness rather than a vulnerability. Defending against EDR-Freeze involves monitoring WER activity and restricting its use to specific processes.
Timeline
- 22.09.2025 20:07 (1 article)
  EDR-Freeze tool suspends security software using Windows WER
  Security researcher TwoSevenOneThree (Zero Salarium) developed a proof-of-concept tool called EDR-Freeze. The tool suspends EDR and antivirus processes indefinitely by exploiting Windows Error Reporting (WER) and the MiniDumpWriteDump API. The method operates from user mode, making it stealthier and harder to detect. It was successfully tested on Windows 11 24H2, freezing the Windows Defender process.
  Source: New EDR-Freeze tool uses Windows WER to suspend security software — www.bleepingcomputer.com — 22.09.2025 20:07
Information Snippets
- EDR-Freeze suspends EDR and antivirus processes indefinitely using Windows Error Reporting (WER) and the MiniDumpWriteDump API.
  First reported: 22.09.2025 20:07 (1 source, 1 article)
  Source: New EDR-Freeze tool uses Windows WER to suspend security software — www.bleepingcomputer.com — 22.09.2025 20:07
- The technique operates from user mode, eliminating the need for vulnerable drivers.
  First reported: 22.09.2025 20:07 (1 source, 1 article)
- EDR-Freeze leverages WerFaultSecure and MiniDumpWriteDump to suspend security processes.
  First reported: 22.09.2025 20:07 (1 source, 1 article)
- The method was successfully tested on Windows 11 24H2, freezing the Windows Defender process.
  First reported: 22.09.2025 20:07 (1 source, 1 article)
- Defenses include monitoring WER activity and restricting its use to specific processes.
  First reported: 22.09.2025 20:07 (1 source, 1 article)