Monday , July 13 2026
EDR-Freeze

EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State

A new proof-of-concept tool named EDR-Freeze has been developed, capable of placing Endpoint Detection and Response (EDR) and antivirus solutions into a suspended “coma” state.

Zero Salarium’s technique uses a built-in Windows feature, providing a stealthy option compared to the rising trend of Bring Your Own Vulnerable Driver (BYOVD) attacks that hackers employ to turn off security software.

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

This method eliminates the need for third-party drivers, lowering the risk of system issues and detection. It operates entirely in user-mode, effectively and discreetly disabling security monitoring.

The MiniDumpWriteDump Exploit:

The EDR-Freeze technique mainly involves manipulating the MiniDumpWriteDump function, which is from the Windows DbgHelp library and is used to create a minidump—a memory snapshot of a process for debugging.

To ensure a consistent and uncorrupted snapshot, the function suspends all threads within the target process while the dump is created.

Ordinarily, this suspension is brief. However, the developer of EDR-Freeze devised a method to prolong this suspended state indefinitely.

EDR-Freeze Tool

The main challenges were extending the quick execution time of the MiniDumpWriteDump function and getting past the Protected Process Light (PPL) security feature that protects EDR and antivirus processes from interference.

To overcome PPL protection, the technique utilizes WerFaultSecure.exe, a component of the Windows Error Reporting (WER) service. WerFaultSecure.exe can run with WinTCB level protection, one of the highest privilege levels, allowing it to interact with protected processes.

WerFaultSecure.exe can be set to run the MiniDumpWriteDump function on any process, even those of protected EDR and antivirus software, by using the right parameters.

A race-condition attack can turn a brief pause into a lasting freeze, occurring in a quick, exact sequence:

  1. WerFaultSecure.exe is launched with parameters directing it to create a memory dump of the target EDR or antivirus process.

2. The EDR-Freeze tool continuously monitors the target process.

3. The moment the target process enters a suspended state (as MiniDumpWriteDump begins its work), the EDR-Freeze tool immediately suspends the WerFaultSecure.exe process itself.

Because WerFaultSecure.exe is now suspended, it can never complete the memory dump operation and, crucially, can never resume the threads of the target EDR process.

Zero Salarium stated that the security software remains permanently suspended and ineffective until the WerFaultSecure.exe process is ended.

EDR-Freeze Tool Killing Process:

The developer released the EDR-Freeze tool to showcase this technique. It requires two parameters: the Process ID (PID) of the target and the suspension duration in milliseconds.

An attacker can disable security tools, carry out harmful actions, and then restore security software to normal as if nothing occurred.

EDR-Freeze Tool Kills EDR and Antivirus

A test on Windows 11 24H2 successfully suspended the MsMpEng.exe process of Windows Defender.

For defenders, detecting this technique involves monitoring for unusual executions of WerFaultSecure.exe.

If the program is observed targeting the PIDs of sensitive processes like lsass.exe or EDR agents, it should be treated as a high-priority security alert requiring immediate investigation.

Source: zerosalarium, cybersecurity news

Check Also

MCP Servers

Thousands of MCP Servers Exposed to File Access and Injection Attacks

Thousands of Model Context Protocol (MCP) servers have serious security flaws like file access issues, …