Blogs & Opinions 14.10.2025

When security tools go quiet – the risk of EDR freeze

A new proof-of-concept attack spells trouble for SecOps teams.

If your best EDR tools can be outsmarted, who can you trust? asks Katie Barnett.

Imagine locking your front door, setting the alarm, and heading out – only to find out later that someone had slipped in, shut the door behind them, and moved around without triggering a thing. That’s what EDR-Freeze does.

EDR-Freeze is a proof-of-concept attack that doesn’t actually turn off antivirus or endpoint detection and response (EDR) tools. On Windows 11 systems, these tools, Defender included, appear to be running, but they are functionally blind. The attack abuses legitimate Windows features, Windows Error Reporting (“WerFaultSecure”) and the MiniDumpWriteDump API, exploiting a timing flaw that freezes both the EDR process and the reporting process. Because no admin rights are needed, it is also tricky to spot on the system.


Security teams rely on EDR to flag suspicious activity before it escalates. But EDR-Freeze exposes a hard truth: even the best tools can be outsmarted. Rather than shutting tools down, it suspends them. Everything appears normal, while attackers have a window of time in which to move around undetected, escalating privileges or exfiltrating data.

However, EDR-Freeze isn’t the only risk of this sort. ReliaQuest recently highlighted IP_KVM, a technique that bypasses endpoint monitoring entirely. Attackers are increasingly leaning on legitimate system behaviour rather than brute-force attacks: they are not breaking systems, but using them exactly as designed. That makes “traditional” detection-heavy security less effective than many executives might like to believe.

Why boards should pay attention

This is important, because the fallout is not only technical. If monitoring fails in silence, all the money poured into cyber defences can amount to nothing as these attacks surge in the background. And by the time they’re spotted, the damage is greater, regulators are circling, and customers are asking hard questions as security failures become governance failures.

We’ve seen this play out before. Ransomware teams routinely disable monitoring before they deploy their payloads. But EDR-Freeze makes this process more covert. Even a short delay in detection, sometimes less than an hour, can turn a manageable breach into a catastrophic crisis.

What can be done today

While vendors will eventually roll out patches, attackers thrive in the space between research and remediation. In the meantime, there are practical steps for security teams to take. Look for strange command-line use of WerFaultSecure.exe. Watch for processes that freeze unexpectedly. And use SIEMs or custom rules to flag anomalies.
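As an added illustration, not code from the article or any vendor, the two checks above expressed as detection logic run over constructed events: unusual launches of WerFaultSecure.exe, and endpoint sensors that have stopped reporting. The event field names, the expected-parent allowlist and the heartbeat threshold are assumptions to be baselined against your own telemetry.

```python
from datetime import datetime, timedelta

# Constructed process-creation events in a simplified Sysmon-like shape
# (field names are an assumption, not any vendor's schema).
PROCESS_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "ws02", "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "parent": r"C:\Users\alice\Downloads\unknown.exe", "user": r"CORP\alice"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "user": r"CORP\bob"},
]

# Assumption: the parent the legitimate error-reporting host is expected to
# have in this estate. Baseline it from your own telemetry before alerting.
EXPECTED_WER_PARENTS = {r"c:\windows\system32\svchost.exe"}


def suspicious_werfault(events):
    """Hosts where WerFaultSecure.exe ran under an unexpected parent or user."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith(r"\werfaultsecure.exe"):
            continue
        odd_parent = e["parent"].lower() not in EXPECTED_WER_PARENTS
        odd_user = not e["user"].upper().endswith(r"\SYSTEM")
        if odd_parent or odd_user:
            hits.append(e["host"])
    return hits


# Constructed sensor check-ins: the last time each host's EDR agent reported.
NOW = datetime(2025, 10, 14, 12, 0, 0)
HEARTBEATS = {
    "ws01": NOW - timedelta(minutes=2),
    "ws02": NOW - timedelta(minutes=45),   # agent still "running" but silent
    "ws03": NOW - timedelta(minutes=4),
}


def silent_sensors(heartbeats, now=NOW, max_gap=timedelta(minutes=10)):
    """Hosts whose agent has not reported within max_gap: the 'went dark' check."""
    return sorted(h for h, last in heartbeats.items() if now - last > max_gap)


if __name__ == "__main__":
    print("WerFaultSecure anomalies:", suspicious_werfault(PROCESS_EVENTS))
    print("Silent sensors:", silent_sensors(HEARTBEATS))
```

Both checks are meant to feed a SIEM rule rather than stand alone; a host that appears in both lists at once is the case the article warns about.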

AI can help by surfacing unusual patterns, but it’s not a silver bullet. Machines can flag, but humans still need to interpret and act. The strongest defence combines machine-powered speed with human expertise.

Questions to put on the table

In the meantime, boards and senior leaders should be pressing their teams with questions like: “If our monitoring went dark, how would we know?” and “Are we running ‘assume compromise’ scenarios, or just trusting the green lights?”

They also need to know whether teams can spot anomalies even when tools stay quiet, and where AI blind spots might cause problems. Investment should be balanced between prevention-first tools and rapid detection, recovery and response.

Resilience over tools

EDR-Freeze proves that even the best tools can be neutralised. Real resilience extends beyond having the latest software. It means noticing when things go wrong and having people and processes ready to respond.

Effective security requires more than locking doors; it is about watching who goes through them. For boards and executives, the lesson is to focus on what your monitoring might miss, rather than on what it can see. Silent attacks like EDR-Freeze are often the ones that do the most damage.

Katie is director of cybersecurity at Toro Solutions. She is a cybersecurity professional, with 15 years’ experience in IT, built upon a corporate foundation of legal training and a stint as a commercial solicitor. She has run IT and security operations for a number of commercial, academic and media organisations. This includes delivering government supply chain assurance projects and supporting multiple UK and US government contracts in the strategic communications space.

As a consultant she operates at CISO level, providing board-level expertise in information security. This includes assessing cybersecurity maturity and conducting gap analyses against industry standards such as Cyber Essentials, ISO 27001, NIST, SOC 2, CAIQ, and CAF.
