Conceptual diagram of the EDR-Freeze tool exploiting Windows functions to suspend EDR and antivirus processes in a 'coma' state for undetected evasion.

A new proof-of-concept tool, EDR-Freeze, developed by Zero Salarium, can suspend Endpoint Detection and Response (EDR) and antivirus software into a "coma" state, halting their monitoring. The technique relies on built-in Windows functions, making it a stealthier evasion method that avoids the risks of common attack strategies and leaves minimal traces.

In contrast to Bring Your Own Vulnerable Driver (BYOVD) tactics, which load unstable third-party drivers to disable security tools, EDR-Freeze runs entirely from user-mode using legitimate OS components. This approach prevents system instability and reduces detection risks, making it a more reliable option for threat actors seeking to bypass defenses.

The tool abuses the MiniDumpWriteDump function in Windows' DbgHelp library, which creates a process memory snapshot and, to do so, briefly suspends the target's threads while the dump is written. EDR-Freeze keeps that suspension in place indefinitely, freezing security processes without triggering alerts and giving attackers an undetected operational window.
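From a detection standpoint, the behaviour described above shows up as another process opening a handle to the security product with rights sufficient to read its memory and suspend it, often with a minidump library in the call stack. The following is an added hunting example, not code from Zero Salarium or from any EDR vendor: it scans Sysmon Event ID 10 (ProcessAccess) style records for such handles. The protected image names and the sample events are constructed for illustration; the access-right constants are the documented winnt.h values.

```python
from dataclasses import dataclass, field

# Process access rights from winnt.h
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400  # MiniDumpWriteDump needs this and VM_READ
PROCESS_SUSPEND_RESUME = 0x0800     # needed to suspend/resume another process

# Assumed names of security processes to watch; tune for your estate.
PROTECTED_IMAGES = {"msmpeng.exe", "edr_agent.exe"}
DUMP_MODULES = ("dbghelp.dll", "dbgcore.dll")


@dataclass
class Finding:
    source: str
    target: str
    reasons: list = field(default_factory=list)


def analyze_process_access(event: dict):
    """Return a Finding if a Sysmon EID 10 record looks like a freeze/dump attempt."""
    target_name = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    if target_name not in PROTECTED_IMAGES:
        return None
    granted = int(event["GrantedAccess"], 16)
    reasons = []
    if granted & PROCESS_SUSPEND_RESUME:
        reasons.append("handle allows suspending the security process")
    if granted & PROCESS_VM_READ and granted & PROCESS_QUERY_INFORMATION:
        reasons.append("handle allows memory-dump style reads")
    if any(m in event.get("CallTrace", "").lower() for m in DUMP_MODULES):
        reasons.append("call stack passes through a minidump library")
    return Finding(event["SourceImage"], event["TargetImage"], reasons) if reasons else None


def scan(events):
    """Apply the check to a list of records and keep only the hits."""
    return [f for f in (analyze_process_access(e) for e in events) if f]


# Constructed sample records in the shape of Sysmon Event ID 10 fields.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe", "TargetImage": r"C:\Windows\notepad.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4"},
    {"SourceImage": r"C:\Windows\explorer.exe", "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "GrantedAccess": "0x1000", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4"},  # QUERY_LIMITED only
    {"SourceImage": r"C:\Users\Public\tool.exe", "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\SYSTEM32\dbgcore.dll+1a2b3"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit.source, "->", hit.target, ";", "; ".join(hit.reasons))
```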
