Shane

New EDR-Freeze Tool Puts Security Software Into Hibernation

Research Reveals New Method For Suspending Endpoint Detection Response Systems – Process Suspension Techniques Target Commercial Antivirus And EDR Solutions


TL;DR: A new tool called EDR-Freeze uses Windows Error Reporting to suspend EDR and antivirus processes indefinitely, creating a stealth attack method that bypasses traditional security defenses without installing vulnerable drivers.


Cybercriminals are constantly developing new ways to evade detection, and a recently revealed tool called EDR-Freeze represents a significant shift in attack methodology. This proof-of-concept tool demonstrates how attackers can put Endpoint Detection and Response (EDR) and antivirus solutions into a suspended state – essentially putting your security software to sleep while malicious activities occur undetected.

Traditional approaches to disabling security software often rely on Bring Your Own Vulnerable Driver (BYOVD) attacks, which require attackers to install compromised drivers on target systems. EDR-Freeze takes a different approach by exploiting legitimate Windows components, making it both stealthier and more effective than previous methods.

How EDR-Freeze Operates

The tool exploits the MiniDumpWriteDump function, a legitimate Windows debugging feature designed to create memory snapshots of processes. During normal operation, this function briefly suspends all threads in a target process to ensure data consistency while creating the snapshot.

EDR-Freeze weaponizes this legitimate functionality through several key techniques:

  • Windows Error Reporting Exploitation: The tool uses WerFaultSecure.exe, a component of Windows Error Reporting, which can run at the WinTCB protection level – one of the highest Protected Process Light tiers in Windows
  • Protected Process Light Bypass: By leveraging WerFaultSecure.exe’s elevated privileges, the tool can interact with protected EDR and antivirus processes that would normally be shielded from tampering
  • Race Condition Attack: The tool creates a race condition where it suspends the WerFaultSecure.exe process at the precise moment when the target security software is already suspended, leaving the security tools in permanent hibernation
  • Indefinite Suspension: Since WerFaultSecure.exe cannot complete its dump operation while suspended, the target security software remains frozen until the attacking process is terminated

The entire process operates from user-mode code without requiring any third-party drivers or vulnerable components. This approach significantly reduces the risk of detection and system instability compared to traditional BYOVD methods.


(EDR-Freeze Tool Kills EDR and Antivirus – Source: Zero Salarium)

Target Impact and Business Risk

The EDR-Freeze tool poses particular risks to organizations that rely heavily on endpoint security solutions for protection. When security software is suspended, businesses face several critical vulnerabilities:

  • Complete Security Blindness: Attackers can execute malicious payloads, steal sensitive data, or establish persistent access while security monitoring remains completely offline
  • Invisible Attack Window: The suspended state appears normal to system administrators, making detection extremely difficult without specialized monitoring capabilities
  • Managed IT Gaps: Organizations using managed IT support may not immediately realize their protection has been compromised, creating extended exposure periods
  • Cross-Vendor Impact: Testing on Windows 11 24H2 successfully demonstrated effectiveness against Windows Defender, with implications extending to commercial EDR solutions across various vendors
  • Enterprise Vulnerability: The attack potentially affects enterprise antivirus products and sophisticated security suites, not just basic protection software

The EDR-Freeze technique represents a significant escalation in bypass capabilities, requiring businesses to fundamentally reconsider their cybersecurity strategies and monitoring approaches.


(Setting the Parameters (left) and Suspending Windows Defender (right) – Source: Zero Salarium)

Detection and Mitigation Strategies

Security professionals have quickly responded to this threat by developing detection methods focused on monitoring WerFaultSecure.exe behavior. Organizations need comprehensive approaches to identify and counter EDR-Freeze attacks before they succeed.

Effective detection and mitigation strategies include:

  • WerFaultSecure.exe Monitoring: Implement continuous monitoring for unusual executions of WerFaultSecure.exe, particularly when its command line targets the process ID of a sensitive process such as lsass.exe or a known EDR agent
  • Baseline Behavior Analysis: Establish normal operational patterns for Windows Error Reporting components and flag significant deviations as high-priority security alerts
  • Layered Security Architecture: Deploy multiple security layers that don’t rely solely on endpoint protection, ensuring continued threat detection even when primary defenses are compromised
  • Advanced Threat Hunting: Include monitoring for processes that interact with security software PIDs and examine relationships between WerFaultSecure.exe executions and security process states
  • Managed Services Provider Integration: Partner with local cybersecurity specialists who can implement sophisticated monitoring capabilities and 24/7 threat detection

These detection methods require specialized expertise and continuous monitoring capabilities that extend beyond typical in-house IT resources.
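As an added illustration of the first two bullets above (not part of the original post and not code from the EDR-Freeze research), here is Python detection logic run over constructed process-creation records of the kind Sysmon Event ID 1 or Security Event 4688 produce. It raises an alert when a WerFaultSecure.exe launch either references the PID of a security-sensitive process on its command line or starts from a parent outside an expected-parent baseline. The sensitive-image list, the expected-parent set, the sample PIDs and the command-line layout are all constructed assumptions; in production the baseline would be derived from your own telemetry.

```python
"""Flag WerFaultSecure.exe launches that look like EDR-Freeze style abuse.

Added example (not from the original post). All process names, PIDs and
command lines below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed watch list of security-sensitive process image names.
# Assumption: extend with the EDR agent executables deployed in your estate.
SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe", "mssense.exe"}

# Constructed baseline of parents WerFaultSecure.exe is expected to start from.
# Assumption: derive the real list from your environment's own telemetry.
EXPECTED_PARENTS = {"svchost.exe"}


@dataclass
class ProcessEvent:
    """One process-creation record (fields carried by Sysmon ID 1 / 4688)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class Alert:
    event: ProcessEvent
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def referenced_pids(command_line: str) -> set:
    """Every standalone integer on the command line, treated as a possible PID.

    No assumption is made about WerFaultSecure.exe's real argument syntax;
    digits glued to letters or dots (System32, 4.18) are ignored.
    """
    return {int(tok) for tok in re.findall(r"(?<![\w.])\d{1,7}(?![\w.])", command_line)}


def detect_werfaultsecure_abuse(events):
    """Return one Alert per suspicious WerFaultSecure.exe launch."""
    # Map every PID seen in the telemetry to its image name so a PID on a
    # command line can be resolved to the process it points at.
    pid_table = {e.pid: basename(e.image) for e in events}
    alerts = []
    for e in events:
        if basename(e.image) != "werfaultsecure.exe":
            continue
        reasons = []
        parent = basename(e.parent_image)
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        for pid in sorted(referenced_pids(e.command_line)):
            image = pid_table.get(pid)
            if image in SENSITIVE_IMAGES:
                reasons.append(f"command line references {image} (pid {pid})")
        if reasons:
            alerts.append(Alert(e, reasons))
    return alerts


# Constructed sample telemetry: a benign WER launch and a suspicious one.
SAMPLE_EVENTS = [
    ProcessEvent(700, r"C:\Windows\System32\lsass.exe",
                 r"C:\Windows\System32\wininit.exe", "lsass.exe"),
    ProcessEvent(1234, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                 r"C:\Windows\System32\services.exe", "MsMpEng.exe"),
    ProcessEvent(4321, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", "notepad.exe"),
    # Expected parent, references a non-sensitive process: no alert.
    ProcessEvent(5000, r"C:\Windows\System32\WerFaultSecure.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "WerFaultSecure.exe /h /pid 4321 /tid 4400"),
    # Unexpected parent and references the Defender engine PID: alert.
    ProcessEvent(6000, r"C:\Windows\System32\WerFaultSecure.exe",
                 r"C:\Users\alice\Downloads\tool.exe",
                 "WerFaultSecure.exe /h /pid 1234 /tid 1300"),
]

if __name__ == "__main__":
    for alert in detect_werfaultsecure_abuse(SAMPLE_EVENTS):
        print(f"pid {alert.event.pid}: {'; '.join(alert.reasons)}")
```

Treating every integer on the command line as a candidate PID deliberately over-approximates, so that the rule does not depend on knowing the exact argument syntax; the PID table resolves each candidate to an image name, and only matches against the watch list raise the alert, which keeps the false-positive rate manageable.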

How CinchOps Can Help

As your trusted managed services provider, CinchOps understands the evolving threat environment facing Houston businesses. Our comprehensive cybersecurity approach provides multiple layers of protection that extend far beyond traditional endpoint security.

Our Houston managed IT services include:

  • Advanced Threat Detection Systems: Monitor for suspicious process behaviors, including specific indicators associated with EDR-Freeze attacks and similar evasion techniques
  • Comprehensive Logging and Monitoring: Establish detailed system-level activity tracking across your entire network infrastructure with 24/7 surveillance capabilities
  • Behavioral Analysis Implementation: Deploy network security tools that identify race condition attacks and other sophisticated bypass methods before they succeed
  • Integrated Security Architecture: Configure VoIP and SD-WAN implementations with built-in security monitoring that provides additional visibility into potential threats
  • Proactive Response Protocols: Maintain rapid incident response capabilities that address emerging threats while ensuring business operations remain uninterrupted

CinchOps delivers proactive cybersecurity management that keeps pace with emerging threats while ensuring your business operations remain secure and productive.


Discover More

Discover more about our enterprise-grade, business-protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: The 2025 Midyear Cyber Risk Report: Houston Businesses Face Evolving Ransomware Threats
For Additional Information on this topic: EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State
