EDR-Freeze is a specialized evasion tool designed to disable endpoint detection and response (EDR) software and antivirus programs running on Windows systems. Unlike traditional malware that attempts to hide from security software, EDR-Freeze actively targets and suspends the processes that protect your computer, effectively blinding your defenses before deploying additional malicious payloads. Originally released as a proof-of-concept tool by its developer, EDR-Freeze has been adopted by threat actors to facilitate ransomware attacks, data theft, and persistent system compromise.
Threat Profile
| Threat Name | EDR-Freeze |
|---|---|
| Threat Type | Security Software Evasion Tool / Process Suspension Utility |
| Platform | Windows (all modern versions) |
| File Type | Windows PE Executable (.exe) |
| Attack Method | Exploits WerFaultSecure.exe vulnerability in user mode |
| Primary Targets | Endpoint Detection & Response (EDR) software, antivirus processes |
| Typical File Size | Varies (50-300 KB for core utility) |
| Known Distribution | Ransomware pre-stage, targeted attacks, compromised software bundles |
| First Documented | 2024 (public release as open-source tool) |
| Privilege Requirements | User mode (no admin rights required for execution) |
| Common Aliases | EDR-Freeze, EDRFreeze |
| Last Intelligence Update | June 10, 2026 |
How It Spreads
EDR-Freeze is not typically distributed as standalone malware seeking random victims. Instead, it functions as a specialized tool in multi-stage attacks where threat actors have already gained initial access to a target system. Attackers deploy EDR-Freeze strategically to disable security monitoring before executing their primary payload—whether that's ransomware, banking trojans, or data exfiltration tools.
The tool's original release as open-source software on public repositories has made it easily accessible to both sophisticated cybercriminal groups and less-skilled opportunistic attackers. This democratization of advanced evasion techniques has significantly lowered the barrier to conducting successful attacks against protected systems.
Common distribution vectors include:
- Post-exploitation toolkits: Deployed by attackers after gaining remote access through phishing, credential theft, or exploited vulnerabilities
- Ransomware pre-deployment: Run minutes before encrypting files to ensure antivirus doesn't interrupt the encryption process
- Software supply chain compromise: Bundled with legitimate-appearing installers or updates for business software
- Remote management tool abuse: Uploaded via compromised remote desktop sessions or legitimate IT management platforms
- Malicious PowerShell scripts: Downloaded and executed by earlier-stage malware or macro-enabled documents
- Penetration testing gone rogue: Leaked or stolen from legitimate security assessment tools
What It Does On Your Machine
EDR-Freeze exploits a design characteristic in Windows Error Reporting (specifically the WerFaultSecure.exe process) to suspend security software processes without triggering typical defensive mechanisms. When Windows applications crash, the WerFault system is granted special permissions to access the crashed process for diagnostic purposes. EDR-Freeze abuses this trusted mechanism to gain similar access to security software processes, then issues suspend commands that freeze them in memory without terminating them—making the attack harder to detect.
Because EDR-Freeze operates entirely in user mode without requiring administrative privileges or kernel drivers, it bypasses many security controls that specifically watch for driver-based attacks (the BYOVD or "Bring Your Own Vulnerable Driver" technique). Security software remains running according to Task Manager, but the suspended processes cannot scan files, monitor behavior, or alert on threats. Essentially, your antivirus appears active but is actually paralyzed.
Once security processes are frozen, attackers have free rein to deploy secondary payloads, modify system files, exfiltrate data, or install persistent backdoors. The suspended EDR software cannot log these activities or block malicious file execution. In ransomware scenarios, this allows encryption to proceed at full speed across the entire system without interruption.
Manual Removal — Step by Step
Disconnect Network Immediately
Before attempting any removal steps, physically disconnect your Ethernet cable or disable Wi-Fi. EDR-Freeze is typically a precursor to additional malware that may be downloaded remotely. Isolating the machine prevents further compromise and stops any ongoing data exfiltration.
Force Restart the Computer
Hold the power button for 10 seconds to force a hard shutdown, then restart. EDR-Freeze operates in memory and doesn't typically establish persistence mechanisms itself—it's a tool meant to run once, disable defenses, then allow other malware to install. The hard restart will unsuspend security processes, though it won't remove any secondary infections that may have been deployed while defenses were down.
Boot into Safe Mode with Networking
Restart again and press F8 (or Shift+F8 on newer systems) during boot to access Advanced Boot Options. Select "Safe Mode with Networking." This loads only essential Windows services and may prevent associated malware from loading, while still allowing you to download updated security tools if needed.
Check Task Manager for Suspicious Processes
Open Task Manager (Ctrl+Shift+Esc) and review the Processes and Details tabs. Look for unfamiliar executables, especially those running from temporary directories (C:\Users\[Username]\AppData\Local\Temp, C:\Windows\Temp, C:\Users\Public). Note the full file path of any suspicious items before terminating them. EDR-Freeze executables often have generic or randomized names.
Delete EDR-Freeze Executable Files
Navigate to any suspicious file paths you identified. Common locations include the Public Documents folder, user Temp directories, and Downloads. Delete these files permanently (Shift+Delete). Be aware that the EDR-Freeze tool itself may have already been deleted by the attackers after serving its purpose—the real concern is what was installed after your defenses were disabled.
Verify Security Software Functionality
Open your installed antivirus or EDR software. Check that all protection modules are active (real-time scanning, behavioral analysis, firewall). Run a manual update to ensure you have the latest definitions. If the software reports errors or won't start properly, the underlying security processes may have been corrupted—in this case, you'll need to reinstall the security software completely.
Perform Full System Scan with Multiple Tools
Run a complete system scan with your primary antivirus, then follow up with a second-opinion scanner like Malwarebytes or ESET Online Scanner. EDR-Freeze is typically deployed alongside other malware—ransomware, keyloggers, backdoors—that will still be present on your system. Don't assume you're clean just because EDR-Freeze itself is gone.
Review Recent System Changes
Check Windows Event Viewer (eventvwr.msc) for suspicious activity around the time of infection. Look at installed programs (Settings → Apps) for unfamiliar software added recently. Review browser extensions and scheduled tasks (taskschd.msc) for persistence mechanisms that may have been established while your security software was frozen.
Change All Passwords from a Clean Device
Because EDR-Freeze disables monitoring, keyloggers or credential stealers may have been installed without detection. From a different, known-clean computer or phone, change passwords for all critical accounts—email, banking, work credentials, cloud storage. Enable multi-factor authentication wherever available.
Consider Professional Assessment
EDR-Freeze is a sophisticated tool typically used in targeted attacks, not random infections. If you discover it on your system, there's a high probability that significant compromise has occurred. Professional forensic analysis can identify what data was accessed, what backdoors were installed, and whether complete OS reinstallation is warranted for business-critical systems.
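The steps above are written for Task Manager, Event Viewer and the Task Scheduler UI. As an added example (this is not code from the page, from the EDR-Freeze project or from any vendor), the PowerShell script below gathers the same artifacts in one read-only pass: processes running from the temp and user-writable folders named in the steps, scheduled tasks registered recently, service-install and task-creation events, and Run/RunOnce autorun entries. The seven-day window in `$Since` is an assumption; set it to the time you believe defenses were frozen. Run it from an elevated prompt (Safe Mode with Networking is fine); it reports and never deletes.

```powershell
# Added triage example (not from the page, the EDR-Freeze project or any vendor).
# Collects what the manual removal steps say to inspect by hand. Read-only.

# Assumption: the suspected compromise window. Adjust to your own timeline.
$Since = (Get-Date).AddDays(-7)

# Drop locations the text calls out, plus every local user's Temp and Downloads.
$SuspectRoots = @("$env:WINDIR\Temp", "$env:PUBLIC") +
    (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'AppData\Local\Temp'
            Join-Path $_.FullName 'Downloads'
        })

function Get-ProcessesFromSuspectPaths {
    # Get-Process only fills in .Path when the caller can open the process, hence elevation.
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $path = $_.Path
        [bool]($SuspectRoots | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } | Select-Object Id, ProcessName, Path, StartTime
}

function Get-RecentScheduledTasks {
    # MSFT_ScheduledTask.Date is the RegistrationInfo date as a string; many built-in
    # Microsoft tasks leave it empty, so it is tested before the cast.
    Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                TaskName = $_.TaskName
                TaskPath = $_.TaskPath
                Created  = $_.Date
                Author   = $_.Author
                Action   = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
}

function Get-RecentInstallEvents {
    # 7045 (System log): a new service was installed.
    # 4698 (Security log): a scheduled task was created; only logged when task auditing is enabled.
    $filters = @(
        @{ LogName = 'System';   Id = 7045; StartTime = $Since },
        @{ LogName = 'Security'; Id = 4698; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Get-AutorunEntries {
    # Classic Run/RunOnce keys for the machine and the current user.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own metadata
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

Write-Host "== Processes running from temp / user-writable folders =="
Get-ProcessesFromSuspectPaths | Format-Table -AutoSize
Write-Host "== Scheduled tasks registered since $Since =="
Get-RecentScheduledTasks | Format-Table -AutoSize
Write-Host "== Service-install (7045) and task-creation (4698) events since $Since =="
Get-RecentInstallEvents | Format-Table -AutoSize
Write-Host "== Run / RunOnce autorun entries =="
Get-AutorunEntries | Format-Table -AutoSize
```

Anything this lists is a lead, not a verdict: note the full path and creation time of each item (as the steps say) before removing it, and keep the output as part of the evidence if a professional assessment follows.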
Prevention
- Deploy enterprise-grade EDR with cloud-based monitoring: Modern EDR platforms that maintain cloud connectivity can detect and alert on process suspension attacks even if local agents are temporarily disabled. The cloud component continues logging suspicious behavior.
- Enable Windows Attack Surface Reduction (ASR) rules: Microsoft Defender includes ASR rules that can block abuse of WerFault and other Windows utilities for malicious purposes. Configure these through Group Policy or Microsoft Endpoint Manager on business systems.
- Implement application control policies: Use Windows AppLocker or third-party application whitelisting to prevent unauthorized executables from running, especially from temporary directories and user-writable locations where EDR-Freeze is typically deployed.
- Maintain strict access controls: EDR-Freeze doesn't require admin privileges, but the initial access methods that deliver it often exploit weak passwords, unpatched vulnerabilities, or phishing. Enforce strong authentication, regular patching, and security awareness training.
- Monitor for process suspension activities: Configure SIEM or logging systems to alert on unusual process state changes, particularly for security software. Suspicious patterns include security processes showing zero CPU usage while remaining "running" in Task Manager.
- Restrict access to debugging and error reporting utilities: For high-security environments, consider using Group Policy to limit which accounts can execute WerFaultSecure.exe, WerFault.exe and similar diagnostic tools that EDR-Freeze exploits.
- Keep security software updated: Leading EDR vendors have added specific detections for EDR-Freeze techniques since its public release. Ensure your security software is receiving regular updates and that self-protection features are enabled to prevent tampering.
- Implement network segmentation: If EDR-Freeze successfully disables security on one system, proper network segmentation can prevent attackers from using that foothold to move laterally to other machines on your network.
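The mechanism described under "What It Does On Your Machine" and the monitoring advice in the list above come down to one observable: a security process that Task Manager still shows as running, but whose threads are all suspended. As an added example (not code from the page or the EDR-Freeze project), the PowerShell script below checks for exactly that state. `MsMpEng` is Microsoft Defender's engine process; the other two names in `$SecurityProcessNames` are placeholders to replace with the image names your EDR or antivirus vendor documents. The `EdrHealthCheck` event source in the commented-out alert line is likewise an assumption. Run it from an elevated prompt, on a schedule or as a SIEM collector input.

```powershell
# Added detection example (not from the page or the EDR-Freeze project): reports
# security processes whose every thread is in the Suspended wait state.

# Assumption: MsMpEng is Defender's engine; the other two are placeholders.
$SecurityProcessNames = @('MsMpEng', 'ExampleEdrAgent', 'ExampleAvService')

function Test-ProcessFullySuspended {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    # Thread state is read from the system process snapshot, so it is available even
    # for protected processes we cannot open. WaitReason throws unless ThreadState is
    # Wait, hence the short-circuiting -and.
    $threads = @($Process.Threads)
    if ($threads.Count -eq 0) { return $false }
    $suspended = @($threads | Where-Object {
        $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
        $_.WaitReason  -eq [System.Diagnostics.ThreadWaitReason]::Suspended
    })
    return ($suspended.Count -eq $threads.Count)
}

function Get-SuspendedProcessReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        if ($procs.Count -eq 0) {
            # Not running at all is its own finding: killed, crashed, or never started.
            [pscustomobject]@{ ProcessName = $name; Id = $null; Threads = 0; State = 'NOT RUNNING' }
            continue
        }
        foreach ($p in $procs) {
            $frozen = Test-ProcessFullySuspended -Process $p
            [pscustomobject]@{
                ProcessName = $p.ProcessName
                Id          = $p.Id
                Threads     = @($p.Threads).Count
                State       = if ($frozen) { 'SUSPENDED' } else { 'Running' }
            }
        }
    }
}

function Find-AllSuspendedProcesses {
    # Sweep every process, for when you do not know the agent's image name.
    # Caveat: packaged (UWP/Store) apps are legitimately suspended in the background and
    # will appear here; a service or classic executable in this state is the anomaly.
    Get-Process | Where-Object { Test-ProcessFullySuspended -Process $_ } |
        Select-Object Id, ProcessName, Path
}

$report = @(Get-SuspendedProcessReport -Names $SecurityProcessNames)
$report | Format-Table -AutoSize
$frozen = @($report | Where-Object { $_.State -eq 'SUSPENDED' })
if ($frozen.Count -gt 0) {
    $list = ($frozen | ForEach-Object { "$($_.ProcessName)[$($_.Id)]" }) -join ', '
    Write-Warning "Security process(es) frozen: $list"
    # Alert hook for a SIEM: write an event it already collects. Assumption: the source
    # 'EdrHealthCheck' was registered once with New-EventLog -LogName Application -Source 'EdrHealthCheck'.
    # Write-EventLog -LogName Application -Source 'EdrHealthCheck' -EntryType Error -EventId 1001 -Message ($frozen | Out-String)
}
Write-Host "== All processes with every thread suspended =="
Find-AllSuspendedProcesses | Format-Table -AutoSize
```

Requiring every thread to be suspended is deliberate: idle threads in a healthy agent sit in `Wait` with reasons such as `UserRequest` or `Executive`, never `Suspended`, so the check does not fire on a merely quiet process. If the agent is reported `SUSPENDED`, treat the host as unmonitored from that moment and follow the removal steps above rather than just resuming it.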
Bring It In
EDR-Freeze represents a new category of threat—tools specifically engineered to blind your security defenses before the real attack begins. By the time you notice something wrong, significant damage may have already occurred: files encrypted, credentials stolen, backdoors installed. This isn't a threat you want to address with generic removal guides or automated cleanup tools. You need forensic-level analysis to determine what happened while your defenses were down and professional remediation to ensure complete removal.
Computer Repair Roswell has successfully remediated EDR-Freeze infections and the secondary payloads they enable. We'll determine your initial infection vector, identify all malicious components installed on your system, safely remove them, and implement targeted hardening to prevent reinfection through the same method. Our shop is located at 660 W Crossville Rd Suite 100, Roswell, GA 30075—bring your machine in for a comprehensive security assessment, or call us at (770) 595-6020 to discuss your situation. For business systems, we also offer on-site forensic services to preserve evidence and minimize downtime. Don't wait for the ransomware or data theft that EDR-Freeze was preparing the way for—act now.