
How ‘EDR killer’ and ‘EDR freeze’ tactics impact organizations

Treat a lack of reporting like the fire alarm it should be, IT consultant Amit Patel tells IT Brew.


Endpoint detection and response (EDR), a mainstay security tool for small and large organizations, has lately had to fend off threat actors’ attempts to “kill,” “freeze,” or otherwise disable it.

And to make the challenge even more intense, these attackers are sharing their EDR R&D with each other.

“Even though these groups are competitors and have different business and affiliate models, there appears to be information/tool leakage between them,” researchers from cybersecurity company Sophos wrote in the conclusion of its August 6 report.

What’s EDR? Combining threat data and behavioral analysis, EDR tools offer a primary alert system for signs of malware and malicious activity.

A 2025 cybersecurity report, sponsored by consultancy Optiv and conducted by Ponemon Institute, found that 47% of the 620 surveyed IT and cybersecurity practitioners currently use EDR to help secure their organizations’ infrastructure, slightly down from 2024.

What are EDR disablers? EDR disablers install malicious code, elevate privileges via a sneaky, seemingly certified driver (the software designed to help an operating system handle requests from devices, apps, and hardware), and use that access to turn off detection mechanisms. (Cybersecurity company ESET, in March 2025, noted this trend in disabler use amongst ransomware actors.)

  • Sophos, in its summer study, revealed an “AVKiller” deployed by multiple ransomware groups. In one reported case, which monitored threat activity from Sophos customers, malicious code hid in legitimate utilities; the code then searched for a driver “signed with a compromised certificate.” The attacker, now in the driver’s seat and with privileged access to the kernel, aimed to target Sophos products and enumerate and disable AV components.

Gabor Szappanos, threat research director at Sophos, told IT Brew that Sophos currently has endpoint defenses against the tactic, including “pre-execution” protection that looks for known malicious components of the “kill,” as well as capabilities that monitor for the suspicious scanners.

  • Security researcher Zero Salarium, in a Sept. 20 post, revealed an EDR-freeze tactic that deploys a memory-snapshot function that puts detection features on hold. (A Microsoft spokesperson told BleepingComputer on Sept. 26 that “customers using Microsoft Defender are not impacted by this tool, and any attempt will be detected and blocked before execution.”)

How to fight the freeze. While this news might freeze cybersecurity professionals in their tracks, Amit Patel, SVP at Consulting Solutions, reminds CISOs to take specific actions:

  • Enable tamper-proof settings in Windows Defender and other EDR tools.
  • Use network-monitoring tools, like security information and event management (SIEM), as a backup control for any potentially downed EDR.
  • Treat any lack of reporting from a seemingly up-and-running EDR tool like the “fire alarm” that it is. Szappanos agrees; don’t ignore the warnings. “During the stages of an attack, several low-confidence warnings start to pop up from a security product,” he said.

Douglas McKee, instructor at SANS Institute and executive director of threat research at SonicWall, compares the EDR tactic to cutting the wires to a security camera before breaking in.

In an email to IT Brew, McKee shared the importance of a twofold response: Vendors must protect kernel interfaces, block vulnerable drivers, and deploy integrity checks, while at the same time, customers must run agents with least privilege, enforce tamper protection, and watch for signs that their EDRs have gone quiet.

“EDRs are typically very noisy. If your EDR goes quiet, assume it’s under attack,” McKee wrote to IT Brew, additionally recommending tools that provide visibility into access management and on-network activity. (“When the lights go out on the endpoint, your network, identity, and logs should still see the intruder,” he wrote.)
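The “EDR gone quiet” check that Patel and McKee describe, written out as an added example (not code from IT Brew, Sophos, or any vendor): it correlates agent heartbeats with the backup sources, flagging hosts whose EDR stopped reporting while authentication or network logs still show them active. The event format, source names, and 15-minute gap are assumptions.

```python
"""Flag endpoints whose EDR telemetry has gone silent while other log
sources still show the host active.  Illustration added for this
article, not code from IT Brew or any vendor; the event layout, source
names and the 15-minute threshold are assumptions."""
from datetime import datetime, timedelta

# Constructed SIEM-style events: (timestamp, source, host).  "edr" is the
# agent heartbeat; "auth" and "netflow" are the backup controls that
# should still see the host if the agent has been killed or frozen.
SAMPLE_EVENTS = [
    ("2025-10-01T09:00:00", "edr",     "ws-finance-07"),
    ("2025-10-01T09:05:00", "edr",     "ws-finance-07"),
    ("2025-10-01T09:20:00", "auth",    "ws-finance-07"),
    ("2025-10-01T09:40:00", "netflow", "ws-finance-07"),
    ("2025-10-01T09:00:00", "edr",     "ws-hr-03"),
    ("2025-10-01T09:35:00", "edr",     "ws-hr-03"),
    ("2025-10-01T09:38:00", "auth",    "ws-hr-03"),
    ("2025-10-01T09:02:00", "edr",     "laptop-sales-11"),
    # laptop-sales-11 then vanishes from every source: probably just offline
]

def find_quiet_edr(events, now_iso, max_gap_minutes=15):
    """Return {host: minutes_silent} for hosts whose last EDR heartbeat is
    older than max_gap_minutes but which still appear in non-EDR sources
    after that heartbeat.  Hosts silent everywhere are treated as offline,
    not as suspects, so the alert stays high-signal."""
    now = datetime.fromisoformat(now_iso)
    max_gap = timedelta(minutes=max_gap_minutes)
    last_edr, last_other = {}, {}
    for ts, source, host in events:
        t = datetime.fromisoformat(ts)
        bucket = last_edr if source == "edr" else last_other
        bucket[host] = max(bucket.get(host, t), t)
    suspects = {}
    for host, edr_t in last_edr.items():
        gap = now - edr_t
        other_t = last_other.get(host)
        if gap > max_gap and other_t is not None and other_t > edr_t:
            suspects[host] = int(gap.total_seconds() // 60)
    return suspects

if __name__ == "__main__":
    for host, mins in find_quiet_edr(SAMPLE_EVENTS, "2025-10-01T09:45:00").items():
        print(f"ALERT {host}: EDR silent {mins} min, host still active elsewhere")
```

In the sample data only ws-finance-07 trips the alert: its agent last reported at 09:05, yet the host authenticated and generated network flows afterwards.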

Patel still sees EDR as a “step-one” necessary mechanism. But like most decisions in life, it’s critical to have other options ready.

“Don’t rely just on an EDR tool,” he said.
