A new method dubbed “EDR-Freeze” is leveraging Microsoft’s Windows Error Reporting (WER) system to disable antivirus and Endpoint Detection and Response (EDR) tools without requiring kernel-level access or vulnerable drivers.
Developed by security researcher TwoSevenOneThree of Zero Salarium, the technique exploits legitimate Windows components to force EDR and antivirus processes into a suspended or ‘coma’ state, effectively neutralizing the protection capabilities.
Unlike traditional Bring Your Own Vulnerable Driver (BYOVD) attacks, which require smuggling in and executing a vulnerable kernel driver, EDR-Freeze operates entirely in user mode. It requires no privilege escalation and leaves fewer forensic traces, since it leverages native Windows APIs and components present by default on all systems.
The attack exploits the interaction between two Windows features: WerFaultSecure (a Protected Process Light (PPL) component of Windows Error Reporting, designed to collect memory dumps from secure processes) and MiniDumpWriteDump, an API that suspends a target process while it writes a memory snapshot.
By triggering a race condition, the attacker launches WerFaultSecure to begin dumping a target security process, then suspends WerFaultSecure itself mid-operation. This causes the target process (e.g., Windows Defender) to remain indefinitely suspended, effectively disabling it without termination. The process involves four key steps:
- Launch WerFaultSecure with PPL privileges.
- Trigger it to dump a sensitive process like Defender or LSASS.
- Monitor the target until it enters a suspended state.
- Suspend WerFaultSecure to prevent the dump operation from completing.
This leaves the security process frozen, unable to resume normal function, without crashing or alerting the system.
To detect and prevent exploitation, organizations are advised to monitor WER activity, particularly any attempt by WerFaultSecure to dump high-value processes such as LSASS or known security tools.
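The monitoring advice above can be turned into a concrete detection rule: correlate each WerFaultSecure.exe launch with the process it was asked to dump and alert when that process is LSASS or the Defender engine. The Python below is an added example written for this article, not code from the researcher or from Microsoft. It runs over constructed process-creation records and a constructed PID-to-image table (field names are our own, loosely modelled on what a Sysmon process-create export provides); the assumption that WerFaultSecure receives its dump target as `/pid <n>` on the command line, the list of sensitive image names, and the "expected parent is svchost.exe" heuristic are all ours and should be tuned against real telemetry before use.

```python
"""Added detection example: flag WerFaultSecure.exe launches that target security processes.

Inputs are constructed for this example. A real pipeline would feed process-creation
telemetry (e.g. Sysmon Event ID 1 or Security 4688) into the same functions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Images whose dumping by WER is worth an alert. LSASS and the Defender AV engine
# (MsMpEng.exe) are the two named in the article; extend with your own EDR binaries.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}

# Heuristic assumption: WerFaultSecure is normally spawned on behalf of the WER
# service host. A different parent raises the severity but is not required to alert.
EXPECTED_PARENT = "svchost.exe"

# Assumed command-line shape: "WerFaultSecure.exe ... /pid <target pid> ...".
PID_RE = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the creating process


@dataclass
class Finding:
    werfault_pid: int
    target_pid: int
    target_image: str
    severity: str       # "high" if the parent is also unexpected, else "medium"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[ProcessEvent], pid_table: Dict[int, str]) -> List[Finding]:
    """Return one Finding per WerFaultSecure launch whose dump target is sensitive."""
    findings: List[Finding] = []
    for ev in events:
        if basename(ev.image) != "werfaultsecure.exe":
            continue
        match = PID_RE.search(ev.command_line)
        if not match:
            continue  # no recognisable target; nothing to correlate
        target_pid = int(match.group(1))
        target_image = basename(pid_table.get(target_pid, ""))
        if target_image not in SENSITIVE_IMAGES:
            continue
        severity = "high" if basename(ev.parent_image) != EXPECTED_PARENT else "medium"
        findings.append(Finding(ev.pid, target_pid, target_image, severity))
    return findings


# Constructed sample data: a PID snapshot and three process-creation events.
PID_TABLE = {
    712: r"C:\Windows\System32\lsass.exe",
    3320: r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe",
    4100: r"C:\Program Files\Contoso\app.exe",
}
SAMPLE_EVENTS = [
    # WerFaultSecure asked to dump the Defender engine, launched from a user's tool
    ProcessEvent(5004, r"C:\Windows\System32\WerFaultSecure.exe",
                 "WerFaultSecure.exe /h /pid 3320", r"C:\Users\alice\Desktop\tool.exe"),
    # Ordinary WER dump of a line-of-business app, spawned by the service host
    ProcessEvent(5010, r"C:\Windows\System32\WerFaultSecure.exe",
                 "WerFaultSecure.exe /h /pid 4100", r"C:\Windows\System32\svchost.exe"),
    # Unrelated process start
    ProcessEvent(5020, r"C:\Windows\System32\notepad.exe",
                 "notepad.exe", r"C:\Windows\explorer.exe"),
]


def run_sample() -> List[Finding]:
    return analyze(SAMPLE_EVENTS, PID_TABLE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] WerFaultSecure pid {f.werfault_pid} "
              f"dumping {f.target_image} (pid {f.target_pid})")
```

On the sample data only the first event is reported, at high severity because the dump targets MsMpEng.exe and the launching parent is not the service host. The second WerFaultSecure launch is left alone even though the parent is also worth logging, which keeps the rule quiet on routine crash reporting; if your environment never sees WerFaultSecure outside the WER service, the parent check can be promoted to a stand-alone alert.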