Red Hot Cyber

EDR-Freeze Arrives! It Puts Windows into a Deep Coma Without Vulnerable Drivers

Redazione RHC: 23 September 2025 15:13

A Zero Salarium researcher has presented a method that temporarily disables antivirus processes and EDR agents on Windows using only built-in system components.

The article details both the concept and an operational tool, EDR-Freeze: a way to freeze specific monitoring processes without loading an additional vulnerable driver. It relies on the documented behavior of native operating system components and on winning a timing window between two processes.

The trick is that MiniDumpWriteDump suspends all threads of the target process while it takes the snapshot, and the process that initiated the dump is responsible for resuming them afterwards. The research shows how to launch WerFaultSecure as a protected process (PPL) at the WinTCB level and make it dump the desired PID. The protection level matters: a WinTCB-level PPL is allowed to open a handle to a protected antimalware process that an ordinary user-mode process could not open with the required access.

The initiator, WerFaultSecure, is then suspended at the critical moment: after it has frozen the target's threads but before it resumes them. As a result, the target remains in a "comatose state" because the only process that could have unblocked it is itself blocked.

To implement this, the author uses CreateProcessAsPPL to launch WerFaultSecure, passes it the startup parameters naming the target, polls the target's process state, and calls NtSuspendProcess on the initiator process at the right moment. The mechanism requires no third-party driver exploit and runs entirely in user mode, which makes it convenient for quick testing and for extending monitoring-bypass tooling.

The article describes the EDR-Freeze tool, with a GitHub repository and runtime examples: the utility takes the target's PID and the pause time in milliseconds, performs the steps above, and keeps the antivirus process suspended for that long. The demonstration shows MsMpEng.exe (the Windows Defender service) on Windows 11 24H2 suspended for the specified period, with its state confirmed in Process Explorer. The author stresses that the technique is an alternative to BYOVD (bring-your-own-vulnerable-driver) approaches and removes the need to copy a vulnerable driver to the test machine.

The researcher recommends monitoring WerFaultSecure for anomalous launch parameters: if its command-line arguments point to the PIDs of sensitive services (LSASS, antivirus processes, or EDR agents), the launch is worth investigating. Beyond that, defenders should validate the process-creation chain of protected processes (who launched WerFaultSecure, and with what protection level) and look for unusual sequences around dump creation.
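The detection the researcher recommends, as an added example over constructed process-creation telemetry (this is not code from the Zero Salarium write-up or from the EDR-Freeze repository). It assumes that events are available as pid/ppid/image/cmdline records (the shape of a normalised Sysmon Event ID 1 or Security 4688 entry), that WerFaultSecure names its target with a "/pid <n>" argument, and that WerFaultSecure is normally started by the WER service host or WerFault.exe rather than by an arbitrary user program; all three are assumptions, not facts stated on the page. It flags a WerFaultSecure launch when its /pid points at a sensitive process, when its parent is not a trusted WER component, or both.

```python
"""Flag WerFaultSecure launches that target sensitive processes or come from odd parents."""
import re
from dataclasses import dataclass

# Image names whose PID should never appear in a WerFaultSecure command line
# outside the normal WER flow. Extend with your own EDR agent's binaries.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}

# Parents that legitimately spawn WerFaultSecure (assumption; tune per environment).
TRUSTED_PARENTS = {"svchost.exe", "werfault.exe"}

# Assumed argument syntax: "/pid 4444" somewhere in the command line, any case.
PID_ARG = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)

# Constructed sample telemetry (not real logs). Event 5102 is the EDR-Freeze
# pattern: WerFaultSecure spawned by an unrelated user program with /pid pointing
# at MsMpEng.exe. Event 6000 is a benign WER dump of an ordinary application.
PROCESS_EVENTS = [
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k WerSvcGroup"},
    {"pid": 1234, "ppid": 700, "image": r"C:\Windows\System32\lsass.exe",
     "cmdline": r"C:\Windows\System32\lsass.exe"},
    {"pid": 4444, "ppid": 700, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "cmdline": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"'},
    {"pid": 7777, "ppid": 700, "image": r"C:\Program Files\Contoso\app.exe",
     "cmdline": r"app.exe"},
    {"pid": 5100, "ppid": 3001, "image": r"C:\Users\alice\Desktop\tool.exe",
     "cmdline": r"tool.exe 4444 60000"},
    {"pid": 5102, "ppid": 5100, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 4444 /tid 4460"},
    {"pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 7777 /tid 7780"},
    {"pid": 6100, "ppid": 900, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 1234 /tid 1240"},
]


@dataclass(frozen=True)
class Alert:
    werfaultsecure_pid: int
    target_pid: int
    target_name: str
    parent_name: str
    reasons: tuple


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def werfaultsecure_alerts(events, sensitive=SENSITIVE_IMAGES, trusted_parents=TRUSTED_PARENTS):
    """Scan process-creation events and return Alerts for suspicious WerFaultSecure launches.

    PIDs are resolved against the same event batch; in production, resolve them
    against live process telemetry and beware of PID reuse.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if image_name(event["image"]) != "werfaultsecure.exe":
            continue
        match = PID_ARG.search(event["cmdline"])
        if not match:
            continue  # no target named; nothing to correlate
        target_pid = int(match.group(1))
        target = by_pid.get(target_pid)
        target_name = image_name(target["image"]) if target else "<unknown>"
        parent = by_pid.get(event["ppid"])
        parent_name = image_name(parent["image"]) if parent else "<unknown>"

        reasons = []
        if target_name in sensitive:
            reasons.append(f"targets sensitive process {target_name} (pid {target_pid})")
        if parent_name not in trusted_parents:
            reasons.append(f"launched by untrusted parent {parent_name} (pid {event['ppid']})")
        if reasons:
            alerts.append(Alert(event["pid"], target_pid, target_name, parent_name, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in werfaultsecure_alerts(PROCESS_EVENTS):
        print(f"WerFaultSecure pid {alert.werfaultsecure_pid}: " + "; ".join(alert.reasons))
```

On the constructed sample this raises two alerts: pid 5102 (sensitive target and untrusted parent, the full EDR-Freeze pattern) and pid 6100 (a dump of LSASS from the WER service, which still deserves a look even though the parent is expected). The benign dump of app.exe from svchost produces nothing. Because the freeze only lasts as long as the attacker keeps WerFaultSecure suspended, this is a post-hoc detection; pair it with an alert on the monitored agent's heartbeat going silent.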

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.