EDR-Freeze Technique Exposes Security Vulnerabilities

22 Sep 2025

A recent proof-of-concept named EDR-Freeze has emerged, showcasing a technique that permits attackers to bypass endpoint detection and response (EDR) systems, as well as antivirus solutions, by exploiting the Microsoft Windows Error Reporting (WER) system. Developed by researchers aiming to expose potential vulnerabilities, EDR-Freeze operates in user mode and eliminates the need for flawed kernel drivers. This novel approach places security agents into a state of hibernation, effectively making them inactive.

Exploring the Mechanics of EDR-Freeze

EDR-Freeze leverages WerFaultSecure, a component of WER functioning as a Protected Process Light, alongside the MiniDumpWriteDump API. This API is traditionally used to generate crash dumps by pausing a target process's threads to create a minidump. This process is typically routine, but EDR-Freeze manipulates it to suspend the EDR process itself, ensuring it remains indefinitely frozen.

The method of attack operates through a carefully coordinated race condition, executed via four distinct steps. The sequence begins with spawning WerFaultSecure as a PPL. Next, it is instructed to activate the MiniDumpWriteDump on the target Process ID (PID). Following this, the attacker waits for the target process to be suspended before executing the final step, which involves suspending the WerFaultSecure dumper itself using NtSuspendProcess. As a result, the target process is left in a suspended state that persists indefinitely.

Implications and Potential Countermeasures

During testing on Windows 11 24H2, this method was shown to successfully freeze critical processes such as the Windows Defender, culminating in a significant security concern due to its effectiveness. The underlying issue stems from the design interaction between MiniDumpWriteDump and WerFaultSecure, recognized more as a design flaw rather than a direct vulnerability.

To counteract these weaknesses, several defenses have been proposed. These include vigilant monitoring of WER invocations, particularly those related to sensitive PIDs like LSASS or other security tools. Additionally, mapping activity related to WerFaultSecure to Microsoft Defender Endpoint processes is advised. Collaboration with Microsoft could lead to hardening WER components, restricting suspicious usage patterns, or imposing limitations on allowed parameters.

While the implications are still unfolding, the EDR-Freeze technique has prompted significant conversations about the robustness of endpoint protection measures. As researchers like Zero Salarium contribute to unveiling these issues, it remains crucial for security teams and technology providers to address these inherent vulnerabilities proactively.

Update: 22 Sep 2025

Top charts for Desktop Windows

uTorrent

uTorrent

Latest update uTorrent download for free for Windows PC or Android mobile

5
1032 reviews
6365855
downloads
Zona

Zona

Latest update Zona download for free for Windows PC or Android mobile

4
614 reviews
1262529
downloads
WinRAR

WinRAR

Latest update WinRAR download for free for Windows PC or Android mobile

5
735 reviews
494868
downloads
Minecraft

Minecraft

Latest update Minecraft download for free for Windows PC or Android mobile

5
750 reviews
453317
downloads

News and reviews for Desktop Windows

Pillars of Eternity Introduces New Turn-Based Mode

Pillars of Eternity Introduces New Turn-Based Mode

Obsidian unveils Pillars of Eternity's turn-based mode, launching beta on 2023-11-05. Aims at improved gameplay flexibility.

Read more
Arc Raiders Adds New Social Dynamics in Solo Queue

Arc Raiders Adds New Social Dynamics in Solo Queue

Arc Raiders players find success through communication in solo queue, transforming gameplay with increased cooperation and engagement.

Read more
Critical GDI Flaws Patched in Microsoft Windows

Critical GDI Flaws Patched in Microsoft Windows

Microsoft uncovers and patches critical GDI flaws allowing remote code execution in Windows. Impacts extend to Microsoft Office for Mac and Android.

Read more
Zeekerss Launches 10-Year Text Adventure 'Welcome to the Dark Place'

Zeekerss Launches 10-Year Text Adventure 'Welcome to the Dark Place'

Zeekerss releases 'Welcome to the Dark Place', blending text adventure techniques with bespoke audio for a unique gaming experience.

Read more
Design Director Plans Saints Row Prequel Pitch

Design Director Plans Saints Row Prequel Pitch

Original Saints Row's Chris Stockman explores new prequel pitch focused on early series tone, rejecting VR approach.

Read more
Breach Wizards Levels Up with Community Expansion

Breach Wizards Levels Up with Community Expansion

Tactical Breach Wizards embraces a challenging new level pack. Discounted 40% until 2023-11-09. Includes 'less-than-lethal' pyromancer, Bori.

Read more
Stalker 2 Leaving Game Pass on 2025-11-15

Stalker 2 Leaving Game Pass on 2025-11-15

Stalker 2 and Frostpunk exit Game Pass on 2025-11-15. Subscribers have limited time to play these titles before they're removed.

Read more
New PC Bang Spotted in Pyongyang With Asus ROG Setup

New PC Bang Spotted in Pyongyang With Asus ROG Setup

North Korea's new PC bang has emerged in Pyongyang, featuring Asus ROG gear and AAA games, suggesting limited, elite access.

Read more
Launches: Europa Universalis 5 and Football Manager 26 Expand PC Games Lineup

Launches: Europa Universalis 5 and Football Manager 26 Expand PC Games Lineup

New PC games launched this week include Europa Universalis 5 and Football Manager 26, adding variety to the market with strategy and sports simulators.

Read more
Five New Steam Games Released: Notable Titles for November 2025

Five New Steam Games Released: Notable Titles for November 2025

Explore five new Steam games launched in late October 2025, ranging from narrative adventures to twin-stick shooters and trading simulations.

Read more
All article