
New Tool EDR-Freeze Uses Windows WER to Evade Antivirus

Written by Gustavo Sánchez | Sep 23, 2025 4:00:00 PM

A new technique, presented as a proof of concept under the name EDR-Freeze, reveals how it's possible to evade security solutions directly from user mode on Windows systems by leveraging the Windows Error Reporting (WER) component.

What’s most surprising about this approach is that it doesn’t require vulnerable drivers or elevated privileges. Instead, it relies on legitimate operating system mechanisms to literally pause security solutions such as EDR (Endpoint Detection and Response) agents and antivirus software, leaving them in a hibernation-like state.

By using the WER framework together with the Windows API function MiniDumpWriteDump, this technique manages to indefinitely suspend the activity of protection processes, thus creating a dangerous window for executing malicious actions without detection.

Until now, many techniques used to disable EDR solutions have relied on the “Bring Your Own Vulnerable Driver” (BYOVD) approach. Essentially, this means the attacker introduces a legitimate but vulnerable driver into the system and exploits it to escalate privileges and gain control at the kernel level.

But this method has several drawbacks: it requires moving the driver to the target machine, bypassing the OS's execution protections, and—on top of that—erasing any trace that might reveal the intrusion into the kernel. It's far from a stealthy operation.

That’s where EDR-Freeze comes in, offering a much more discreet and elegant approach. Instead of relying on a kernel driver, this technique operates entirely from user mode using legitimate Windows components that are already present on the system by default. In other words, there's no need to introduce anything foreign, making it much harder to detect with traditional security solutions.


How does EDR-Freeze work?


The technique behind EDR-Freeze exploits a legitimate operating system component called WerFaultSecure, part of Windows Error Reporting. This component runs with special privileges known as Protected Process Light (PPL) and is responsible for collecting memory dumps of sensitive processes to aid in debugging and diagnostics.

This is where another key element comes into play: MiniDumpWriteDump, an API from the Windows DbgHelp library. This function allows for capturing a "snapshot" of the memory and current state of any process, technically known as a minidump. To do this, MiniDumpWriteDump suspends all threads of the target process while collecting data, and then, in theory, should automatically resume them once finished.

But EDR-Freeze changes the game.

What this technique does is use WerFaultSecure to trigger MiniDumpWriteDump against a security process, such as an EDR or antivirus. While that memory dump is being created, the attacker manually suspends WerFaultSecure itself, preventing it from completing the process and, consequently, from resuming the security software’s threads.

The result? The EDR or antivirus ends up in a state of "indefinite pause," as if frozen or in a coma—no alerts, no activity, and completely incapacitated without being terminated. This allows the attacker to operate freely on the system without interference.


Configuration of Parameters (left) and Suspension of Windows Defender (right)


Step-by-Step Attack Process


The technical process behind EDR-Freeze is based on a race condition—a type of logic flaw that occurs when two processes access the same resources simultaneously without proper synchronization.

Here’s a simplified breakdown of the steps:


  1. Launch WerFaultSecure as a Protected Process (PPL): The legitimate component is started with permission to access sensitive processes.

  2. Instruct it to create a memory dump of the security process (e.g., an EDR or antivirus): This is done by passing arguments pointing to the target process ID.

  3. Wait until the target process is fully suspended by MiniDumpWriteDump: At this point, all threads of the target process are “frozen.”

  4. At that exact moment, suspend WerFaultSecure itself, the component responsible for completing the operation. This prevents it from resuming the original process, leaving it suspended indefinitely.


This attack can be carried out in just a few seconds and without the need for kernel-level privileges, making it highly stealthy and difficult to detect.


Which Systems Does It Work On?


The technique has been successfully tested on Windows 11 version 24H2, where it managed to completely freeze the Windows Defender process—one of the most widely used native security solutions.

Additionally, a tool has been released that automates this step-by-step process, increasing the risk of rapid adoption by malicious actors.


Why Is This Technique So Effective?


Unlike other methods that require exploiting vulnerabilities or introducing malicious drivers (such as the BYOVD method), EDR-Freeze operates solely using legitimate tools that are already present in the operating system. There’s no obvious malware, no suspicious files that might raise red flags. Everything appears, at first glance, to be normal system activity.

This gives the attacker a significant advantage:


  1. No need to escalate privileges to the kernel level.

  2. Avoids detection by traditional antivirus signature-based systems.

  3. Leaves no obvious traces on the system.

  4. Leverages signed and protected Windows tools.


Conclusion


This type of attack doesn’t exploit a vulnerability in the traditional sense, but rather takes advantage of a design weakness in how two legitimate Windows functions—MiniDumpWriteDump and WerFaultSecure—interact. Essentially, the attacker is simply chaining together functions as they were designed to be used, but for a very different purpose.

The good news is that there are ways to defend against it. One of the most effective is monitoring the behavior of Windows Error Reporting (WER), especially if it attempts to interact with sensitive processes like LSASS, Microsoft Defender, or other security tools. If WER starts generating memory dumps of these processes, that should immediately raise an alert.
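As an added illustration of the monitoring recommended above (example code written for this article, not part of the EDR-Freeze tool or any vendor product), the following correlation rule flags WerFaultSecure opening a handle to a security process and escalates when the dumper itself is found suspended alongside its still-frozen target. The Sysmon-style field names, the sample events and the thread-state snapshot are all constructed assumptions.

```python
"""Added example (not from the article or the EDR-Freeze tool): a correlation
rule for the pattern described above, run over constructed Sysmon-style events.
Signals: event 10 (ProcessAccess) where WerFaultSecure.exe opens a sensitive
process (the article's "WER dumping LSASS/Defender" indicator), plus a
constructed thread-state snapshot showing dumper and target both suspended
(the frozen end state). Field names are assumptions, not Sysmon's exact schema."""
import ntpath

SENSITIVE_IMAGES = {"lsass.exe", "msmpeng.exe"}  # add your EDR agent binaries

def basename(path):
    return ntpath.basename(path).lower()

def all_suspended(states):
    # True only when a non-empty thread list is entirely suspended
    return bool(states) and all(s == "suspended" for s in states)

def find_wer_dump_of_sensitive(events):
    """(wer_pid, target_pid, target_image) for each WerFaultSecure handle
    opened against a sensitive process."""
    hits = []
    for ev in events:
        if ev["event_id"] != 10 or basename(ev["source_image"]) != "werfaultsecure.exe":
            continue
        tgt = basename(ev["target_image"])
        if tgt in SENSITIVE_IMAGES:
            hits.append((ev["source_pid"], ev["target_pid"], tgt))
    return hits

def classify(events, thread_states):
    """thread_states: {pid: ["running"|"suspended", ...]} from a process
    enumeration (constructed here). Returns [(severity, message)]."""
    alerts = []
    for wer_pid, tgt_pid, tgt in find_wer_dump_of_sensitive(events):
        msg = f"WerFaultSecure pid {wer_pid} dumping {tgt} pid {tgt_pid}"
        if all_suspended(thread_states.get(wer_pid)) and all_suspended(thread_states.get(tgt_pid)):
            alerts.append(("critical", msg + "; dumper suspended, target left frozen"))
        else:
            alerts.append(("high", msg))  # any WER dump of a security process alerts
    return alerts

# Constructed sample telemetry (not real logs)
SAMPLE_EVENTS = [
    {"event_id": 10, "source_pid": 9000, "source_image": r"C:\Windows\System32\WerFaultSecure.exe",
     "target_pid": 4120, "target_image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event_id": 10, "source_pid": 9100, "source_image": r"C:\Windows\System32\WerFault.exe",
     "target_pid": 5555, "target_image": r"C:\Users\alice\app.exe"},  # ordinary crash, ignored
]
SAMPLE_THREADS = {4120: ["suspended"] * 6, 9000: ["suspended"] * 2, 9100: ["running"]}
```

Calling `classify(SAMPLE_EVENTS, SAMPLE_THREADS)` yields one critical alert for the Defender dump; the same events with both processes running still produce a high-severity alert, matching the article's advice that any WER dump of a security process should be flagged.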

So far, Microsoft has not implemented direct measures to block this kind of abuse, although there are several ways the system could be hardened. For example:


  1. Restricting which processes can trigger WerFaultSecure.

  2. Blocking suspicious attempts to create dumps of protected processes.

  3. Limiting the use of dangerous parameters or restricting access to certain process IDs (PIDs).


As this technique becomes more widely known, we can expect to see updates or patches that strengthen these OS components. In the meantime, the key lies in active monitoring and a strong behavior-based security strategy—beyond traditional malware signatures.

This is where the critical role of a modern, well-managed SOC with AI capabilities comes into play, such as TecnetOne’s Security Operations Center. This kind of specialized infrastructure enables real-time monitoring of unusual activities, such as the misuse of WerFaultSecure or attempts to suspend security processes.

Thanks to its behavior-based detection, threat intelligence, and automated response capabilities, TecnetOne’s SOC is well-equipped to identify and contain advanced techniques like EDR-Freeze before they pose a real threat.

Having a SOC not only strengthens an organization’s security posture, but also ensures a rapid and effective response to threats that traditional antivirus solutions may miss—minimizing impact and improving resilience against sophisticated attacks.