2025-09-23 | Threat Intelligence, EDR
Security software circumvented by novel EDR-Freeze tool
Multiple security applications, such as antivirus and endpoint detection and response (EDR) solutions, could be evaded by the new proof-of-concept tool EDR-Freeze, created by security researcher TwoSevenOneThree, also known as Zero Salarium, to exploit the Windows Error Reporting (WER) system, according to BleepingComputer. Unlike the common Bring Your Own Vulnerable Driver (BYOVD) techniques, which exploit kernel-level flaws, this method does not rely on external drivers and instead builds on two Windows components. The first is WerFaultSecure, a protected WER process intended for crash-dump collection of sensitive applications. The second is MiniDumpWriteDump, a function in the DbgHelp library that pauses a process, captures a snapshot of its memory, and then resumes it.

EDR-Freeze exploits the interaction between these components. When WerFaultSecure is directed to dump a chosen process, MiniDumpWriteDump automatically suspends all of that process's threads. At that critical moment, WerFaultSecure itself is paused, so the targeted process never resumes and remains stuck in a suspended state. When tested on Windows 11 24H2, the tool succeeded in freezing Windows Defender.

Mitigation may be possible by detecting when WER processes attempt to handle the identifiers of critical software. Microsoft could also reduce the risk by restricting how WerFaultSecure is invoked, such as by tightening how its parameters are used.
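The detection idea in the last paragraph, a WER crash-dump process being pointed at the process identifier of a security product, can be expressed as a small correlation over process-creation telemetry. The following Python is an added example written for this page; it is not code from the article, from BleepingComputer, or from the EDR-Freeze tool. It assumes a simplified event shape (timestamp, PID, parent PID, image path, command line) and the sample events are constructed. The command-line flags in those samples are placeholders, not WerFaultSecure's real syntax, which is why the check matches any integer token against the live process table rather than parsing specific flags. MsMpEng.exe is Windows Defender's antimalware service process; the second watched image is a placeholder for whatever EDR agent is deployed.

```python
"""Flag WER dump processes whose command line references a security product's PID.

Added example, not part of the original article or of EDR-Freeze.
Event format is a constructed, simplified process-creation record.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Security product processes whose suspension would blind the host.
# MsMpEng.exe is Defender's antimalware service; the second entry is a placeholder.
WATCHED_IMAGES = {
    "msmpeng.exe",
    "example-edr-agent.exe",   # placeholder: substitute the deployed EDR's service image
}

# WER crash-dump collectors that call MiniDumpWriteDump on a target process.
WER_IMAGES = {"werfaultsecure.exe", "werfault.exe"}


@dataclass
class ProcessEvent:
    ts: str        # constructed ISO-8601 timestamp
    pid: int       # PID of the newly created process
    ppid: int      # parent PID
    image: str     # full image path
    cmdline: str   # command line as logged


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events: List[ProcessEvent]) -> List[dict]:
    """Walk process-creation events in order and return alerts.

    Keeps a pid -> image table of every process seen so far; when a WER dump
    process is created, every integer token on its command line is treated as
    a candidate target PID and looked up in that table. This deliberately does
    not depend on WerFaultSecure's exact flag names.
    """
    live: Dict[int, str] = {}
    alerts: List[dict] = []
    for ev in events:
        name = basename(ev.image)
        if name in WER_IMAGES:
            for tok in re.findall(r"\b\d+\b", ev.cmdline):
                target_image = live.get(int(tok))
                if target_image in WATCHED_IMAGES:
                    alerts.append({
                        "ts": ev.ts,
                        "wer_pid": ev.pid,
                        "wer_parent_pid": ev.ppid,
                        "target_pid": int(tok),
                        "target_image": target_image,
                        "reason": "WER dump process references a security product PID",
                    })
        # Register after the check so a WER process cannot match itself.
        live[ev.pid] = name
    return alerts


# Constructed sample telemetry; paths and flag names are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent("2025-09-23T10:00:01Z", 4412, 812,
                 r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe",
                 "MsMpEng.exe"),
    ProcessEvent("2025-09-23T10:00:05Z", 6020, 812,
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # Benign-looking dump of notepad: no alert expected.
    ProcessEvent("2025-09-23T10:01:10Z", 7010, 5100,
                 r"C:\Windows\System32\WerFaultSecure.exe",
                 '"C:\\Windows\\System32\\WerFaultSecure.exe" /placeholder-pid 6020 /placeholder-tid 6024'),
    # Dump request aimed at Defender's service PID: alert expected.
    ProcessEvent("2025-09-23T10:02:30Z", 7120, 5100,
                 r"C:\Windows\System32\WerFaultSecure.exe",
                 '"C:\\Windows\\System32\\WerFaultSecure.exe" /placeholder-pid 4412 /placeholder-tid 4416'),
]


def run_sample() -> List[dict]:
    """Convenience entry point: analyze the constructed sample events."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the `live` table would be seeded from a process snapshot rather than only from creation events, and the alert would be enriched with the parent of the WER process. Because the technique also depends on WerFaultSecure itself being paused mid-dump, a WER process that stays in a suspended state for longer than a dump should take is a second signal worth correlating with this one.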
