A new proof-of-concept tool named EDR-Freeze has been developed, capable of placing [Endpoint Detection and Response (EDR)](https://cybersecuritynews.com/best-edr-tools/) and antivirus solutions into a suspended ‘coma’ state.

According to Zero Salarium, the technique leverages a built-in Windows function, offering a stealthier alternative to the increasingly popular [Bring Your Own Vulnerable Driver (BYOVD)](https://cybersecuritynews.com/hackers-exploiting-checkpoints-driver/) attacks used by threat actors to disable security software.

Unlike BYOVD methods, which require introducing a vulnerable driver onto a target system, EDR-Freeze exploits legitimate components of the Windows operating system. This approach avoids the need to install third-party drivers, reducing the risk of system instability and detection. The entire process is executed from user-mode code, making it a subtle and effective way to temporarily neutralize security monitoring.

**The MiniDumpWriteDump Exploit**

The core of the EDR-Freeze technique lies in the manipulation of the `MiniDumpWriteDump` function. This function, part of the Windows `DbgHelp` library, is designed to create a minidump, a snapshot of a process’s memory for debugging purposes. To ensure a consistent and uncorrupted snapshot, the function suspends all threads within the target process while the dump is created.

Ordinarily, this suspension is brief. However, the developer of EDR-Freeze devised a method to prolong this suspended state indefinitely.

*EDR-Freeze Tool*

The primary challenges were twofold: extending the very short execution time of the `MiniDumpWriteDump` function, and bypassing the Protected Process Light (PPL) security feature that shields EDR and [antivirus](https://cybersecuritynews.com/malware-analysis-tools/) processes from tampering.

To overcome PPL protection, the technique utilizes `WerFaultSecure.exe`, a component of the Windows Error Reporting (WER) service. `WerFaultSecure.exe` can run with `WinTCB` level protection, one of the highest privilege levels, allowing it to interact with protected processes. By crafting the correct parameters, `WerFaultSecure.exe` can be instructed to initiate the `MiniDumpWriteDump` function on any target process, including protected EDR and antivirus agents.

The final piece of the puzzle is a race-condition attack that turns a momentary suspension into a prolonged freeze. The attack unfolds in a rapid, precise sequence:

1. `WerFaultSecure.exe` is launched with parameters directing it to create a memory dump of the target EDR or antivirus process.
2. The EDR-Freeze tool continuously monitors the target process.
3. The moment the target process enters a suspended state (as `MiniDumpWriteDump` begins its work), the EDR-Freeze tool immediately suspends the `WerFaultSecure.exe` process itself.

Because `WerFaultSecure.exe` is now suspended, it can never complete the memory dump operation and, crucially, can never resume the threads of the target EDR process. The result is that the security software is left in a permanent state of suspension, effectively blinded, until the `WerFaultSecure.exe` process is terminated, Zero Salarium [said](https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html).

**EDR-Freeze Tool Killing Process**

The developer has released the EDR-Freeze tool to demonstrate this technique. It takes two simple parameters: the Process ID (PID) of the target to be frozen and the duration of the suspension in milliseconds. This allows an attacker to disable [security tools](https://cybersecuritynews.com/iot-security-tools/), perform malicious actions, and then allow the security software to resume normal operations as if nothing had happened.

A test on Windows 11 24H2 successfully suspended the `MsMpEng.exe` process of Windows Defender.

*EDR-Freeze Tool Kills EDR and Antivirus*

For defenders, detecting this technique involves monitoring for unusual executions of `WerFaultSecure.exe`. If the program is observed targeting the PIDs of sensitive processes like `lsass.exe` or EDR agents, it should be treated as a high-priority security alert requiring immediate investigation.

The post [New EDR-Freeze Tool That Puts EDRs and Antivirus Into A Coma State](https://cybersecuritynews.com/edr-freeze-tool/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
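The monitoring described above, written out as an added example (this is not Zero Salarium's tool or any vendor's detection content): it scans process-creation events for `WerFaultSecure.exe` launches, resolves the PID the binary was handed against a process table, and raises a high-severity alert when that PID belongs to `lsass.exe` or a security agent. The `/pid` command-line switch, the placeholder agent name `edragent.exe`, and every PID, path and command line in the sample are assumptions constructed for the demo.

```python
import re
from dataclasses import dataclass

# Images whose suspension blinds monitoring. lsass.exe and MsMpEng.exe come from the
# article; "edragent.exe" is a constructed placeholder for your own EDR agent binary.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "edragent.exe"}

# Assumption: the target is passed as "/pid <n>" (or "-pid <n>"); adjust the pattern
# to whatever switch your process-creation telemetry actually shows.
PID_SWITCH = re.compile(r"[/-]pid\s+(\d+)", re.IGNORECASE)

@dataclass
class ProcEvent:  # one process-creation event (Sysmon EID 1 / Windows 4688 style)
    pid: int
    image: str
    command_line: str

def werfaultsecure_target(event: ProcEvent):
    """Return the PID WerFaultSecure.exe was told to dump, or None for other images."""
    if event.image.lower().rsplit("\\", 1)[-1] != "werfaultsecure.exe":
        return None
    m = PID_SWITCH.search(event.command_line)
    return int(m.group(1)) if m else None

def detect(events, process_table):
    """Record every WerFaultSecure.exe launch; escalate when the target is sensitive."""
    alerts = []
    for ev in events:
        tpid = werfaultsecure_target(ev)
        if tpid is None:
            continue
        victim = process_table.get(tpid, "<unknown>").lower()
        alerts.append({
            "werfaultsecure_pid": ev.pid,
            "target_pid": tpid,
            "target_image": victim,
            "severity": "high" if victim in SENSITIVE_IMAGES else "info",
        })
    return alerts

def run_sample():
    """Constructed telemetry: PIDs, paths and command lines are made up for the demo."""
    table = {1234: "lsass.exe", 5120: "notepad.exe", 2876: "MsMpEng.exe"}
    events = [
        ProcEvent(4312, r"C:\Windows\System32\WerFaultSecure.exe", "WerFaultSecure.exe /h /pid 1234 /tid 1300"),
        ProcEvent(4400, r"C:\Windows\System32\WerFaultSecure.exe", "WerFaultSecure.exe /h /pid 5120 /tid 5140"),
        ProcEvent(4500, r"C:\Windows\System32\notepad.exe", "notepad.exe /pid 1234"),
        ProcEvent(4600, r"C:\Windows\System32\WerFaultSecure.exe", "WerFaultSecure.exe /h /pid 2876 /tid 2900"),
    ]
    return detect(events, table)
```

In production the process table comes from the same telemetry stream (PID to image at event time), since PIDs are reused and a stale mapping produces both misses and false alerts.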