Imagine your antivirus software suddenly stops running. Frightening, right? That is precisely what a new proof-of-concept tool called EDR Freeze does, and it does it by abusing a component of Windows Error Reporting (WER). When I read about it, I thought, "Wow, you'll be able to do some horrible things with this tool, especially if you are a hacker!"
What the heck is EDR Freeze?
EDR Freeze is a proof-of-concept tool. That means it demonstrates that the technique works; it is not malware that attackers are known to be using directly or publicly right now.
Here is the key idea:
- It can suspend antivirus or EDR processes without loading a kernel driver. It still has to run with administrator rights on the host, but everything it does happens in user mode.
- It abuses a built-in Windows binary, WerFaultSecure.exe, which normally collects crash dumps for error reporting and runs as a Protected Process Light (PPL), the same protection level that shields antimalware processes from being tampered with.
- It relies on MiniDumpWriteDump, the API that writes a memory snapshot (minidump) of a process for debugging. While the snapshot is being captured, MiniDumpWriteDump suspends every thread in the target process.
How EDR Freeze Functions (Simplified Version)
- Launch WerFaultSecure.exe. Because Windows runs it as a PPL, it is allowed to open even a PPL-protected security process with the access MiniDumpWriteDump needs.
- Point it at the process ID of the target security product, so that it calls MiniDumpWriteDump on that process.
- While the dump is being written, every thread of the security process is suspended.
- Before the dump finishes, suspend WerFaultSecure itself. This works from a normal process because PROCESS_SUSPEND_RESUME is one of the few access rights Windows still grants on a protected process.
- WerFaultSecure never reaches the point where it resumes the target's threads, so the security program stays frozen for as long as WerFaultSecure stays suspended.
The technique was demonstrated successfully on Windows 11, where it froze Microsoft Defender.
Why This Is A Concern
Here’s what that means:
- The attack runs entirely in user mode, so no kernel exploit or driver is needed.
- It uses only signed, built-in Windows binaries and documented APIs, so there is no malicious driver or injected code for the security product to flag.
- Earlier EDR-killing techniques mostly relied on loading a vulnerable driver (BYOVD), which is noisy and increasingly blocked. This is simpler and quieter.
In other words, an attacker who already has a foothold could freeze the host's protection while remaining undetected.
What Can Be Done
Here are some suggestions for prevention:
- Monitor for WerFaultSecure.exe being launched by anything other than the Windows Error Reporting service, and for launches whose command line names the PID of an antivirus or EDR process.
- Alert when a security product's process is suspended (all of its threads sitting in the Suspended wait state), not only when it exits. A health check that only watches for the process terminating will not notice a frozen one.
- Microsoft may need to harden Windows so that WER's dump helpers cannot be pointed at arbitrary processes and turned against the security products they sit alongside.
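To make the first suggestion concrete, here is an added detection example that is not part of the EDR Freeze tool or of any Microsoft code. It walks a handful of constructed Sysmon Event ID 1 (process-creation) records and flags a WerFaultSecure.exe launch when the dump target is a security process or when the parent is not a Windows Error Reporting component. The field names follow Sysmon; the PIDs, paths, the set of "expected" parents and the exact WerFaultSecure argument layout used in the samples are assumptions for this example.

```python
"""Detection example for EDR-Freeze-style abuse of WerFaultSecure.exe.

Added example, not the EDR Freeze author's code. Input is constructed
Sysmon Event ID 1 records; PIDs, paths and argument layout are made up.
"""
import ntpath
import re

# Processes whose suspension leaves the host unprotected (Defender's
# antimalware engine and the Defender for Endpoint sensor). Extend for
# whatever EDR you run.
SECURITY_IMAGES = {"msmpeng.exe", "mssense.exe"}

# WerFaultSecure is normally started by Windows Error Reporting itself.
# Assumption for this example: treat these parents as the benign baseline.
EXPECTED_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe"}

# Accept both "/pid N" and "-p N" so the rule survives argument-style
# differences between WerFault.exe and WerFaultSecure.exe (assumed, loose).
_PID_ARG = re.compile(r"(?i)(?:^|\s)(?:/pid|-p)\s+(\d+)")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def parse_target_pid(command_line: str):
    """Return the PID named on a WerFault(Secure) command line, or None."""
    m = _PID_ARG.search(command_line)
    return int(m.group(1)) if m else None


def detect_edr_freeze(events):
    """Flag WerFaultSecure.exe launches that look like EDR Freeze.

    events: iterable of dicts with the Sysmon Event ID 1 fields
    ProcessId, Image, CommandLine and ParentImage.
    Returns one finding dict per suspicious launch.
    """
    events = list(events)
    # Map PID -> image name from the same stream, so we can tell what
    # each dump request is aimed at.
    pid_to_image = {e["ProcessId"]: image_name(e["Image"]) for e in events}

    findings = []
    for e in events:
        if image_name(e["Image"]) != "werfaultsecure.exe":
            continue
        reasons = []
        target = parse_target_pid(e["CommandLine"])
        if target is not None and pid_to_image.get(target) in SECURITY_IMAGES:
            reasons.append("targets_security_process")
        if image_name(e["ParentImage"]) not in EXPECTED_PARENTS:
            reasons.append("unexpected_parent")
        if reasons:
            findings.append({
                "pid": e["ProcessId"],
                "parent": e["ParentImage"],
                "target_pid": target,
                "target_image": pid_to_image.get(target),
                "reasons": reasons,
            })
    return findings


# Constructed sample events (PIDs, user names and paths are made up).
SAMPLE_EVENTS = [
    {"ProcessId": 3212,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe",
     "CommandLine": "MsMpEng.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 7788,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Legitimate-looking crash dump of notepad requested by the WER service.
    {"ProcessId": 6004,
     "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": "WerFaultSecure.exe /h /pid 7788 /tid 7790 /file 0x2a4",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # EDR Freeze pattern: a tool in a user profile asks WerFaultSecure
    # to dump Defender's engine.
    {"ProcessId": 5120,
     "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "CommandLine": "WerFaultSecure.exe /h /pid 3212 /tid 3300 /file 0x12c",
     "ParentImage": r"C:\Users\bob\Downloads\edr-freeze.exe"},
]

if __name__ == "__main__":
    for f in detect_edr_freeze(SAMPLE_EVENTS):
        print(f"ALERT WerFaultSecure pid={f['pid']} parent={f['parent']} "
              f"target={f['target_image']}({f['target_pid']}) "
              f"reasons={f['reasons']}")
```

Only the last sample trips the rule, for both reasons at once; the notepad dump spawned by svchost.exe passes. In a real deployment the PID-to-image map should come from your endpoint telemetry rather than from the same batch of events, and the parent baseline should be tuned against what WER actually spawns in your environment before alerting on it.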
My Thoughts
I think it's neat, but dangerous. Researchers are demonstrating this to better prepare security teams before attackers use it for real on targets.
This is one of those "wow, that's possible?" moments. If you run an antivirus package or EDR, this is just one more reason to keep it updated and to monitor for unusual Windows activity.