Threat Signal Report

EDR-Freeze Bypass Technique

What is the EDR‑Freeze?	EDR‑Freeze is a proof‑of‑concept technique that leverages legitimate Windows Error Reporting (WER) components to suspend (place into a ‘frozen’ state) endpoint protection processes from user mode. Instead of exploiting drivers or kernel vulnerabilities, EDR‑Freeze abuses trusted OS services and relies on race conditions and process interaction to temporarily pause security products. This Threat Signal highlights the risk that OS-provided mechanisms can be repurposed against defenders and recommends mitigations and detection guidance for defenders to reduce the technique’s effectiveness. Impact: - Opportunity for short-lived actions: adversaries could use the frozen interval to perform small actions (file tampering, process injection, lateral movement steps) that complete within the freeze window. - Limited persistence: because this approach is time‑bound and unreliable, it is primarily useful for opportunistic or nuisance disruption rather than reliable long‑term evasion. - Temporary loss of protection telemetry: while a process is frozen, the agent may not report telemetry, receive policy updates, or block malicious activity. Risk increases when: - Endpoint agents lack anti‑tampering or watchdog mechanisms. - Agents run with insufficient process isolation or rely on a single process for core defenses. - Systems are highly automated and assume uninterrupted agent telemetry for gating actions.
What is the recommended Mitigation?	Any Windows endpoint protection product that runs user‑mode agent processes and interacts with Windows Error Reporting (WER) or crash handling subsystems could be a candidate for this technique in theory. No specific vendor or product has been named in the PoC; organizations should treat this as a technique class rather than a single‑product vulnerability. Harden watchdogs, monitor for unusual dump activity, audit suspension events, stay patched, and test PoCs responsibly in isolated environments. Ensure endpoint products are running the latest vendor releases and have anti‑tampering, protection, and watchdog features enabled. Restrict which accounts and processes can interact with WER and crash‑handling flows where feasible (via local policy and application control).
What FortiGuard Coverage is available?	Internal validation and testing confirmed that FortiEndpoint’s advanced anti-tampering controls successfully blocked all attempted process suspension attempts associated with the EDR-Freeze technique. During controlled simulations, no disruption to protection telemetry, policy enforcement, or real-time detection was observed. FortiEndpoint’s self-protection modules immediately detected the unauthorized suspension attempt, triggered internal remediation routines, and restored any affected components- maintaining full operational protection throughout the test. FortiEndpoint’s unified agent architecture, combined with multi-layered defense mechanisms (including watchdog services, integrity verification, and process isolation), is specifically designed to resist user-mode and race-condition-based evasion techniques. These capabilities ensure that even if attackers attempt to exploit trusted Windows components, the endpoint remains resilient and continues to enforce security policy without interruption. As part of the Fortinet Security Fabric, FortiEndpoint continuously shares telemetry and threat intelligence with other Fortinet solutions. This integration provides end-to-end visibility across endpoints, networks, and the cloud- enabling coordinated detection, automated response, and adaptive protection against emerging techniques like EDR-Freeze.

Additional Resources

EDR Freeze Investigation
Endpoint Security Solutions for Enterprise | Fortinet