Blocking EDRs traffic: C-Based Tools That Block EDR Network Traffic via Windows Firewall and WFP

Blocking EDRs traffic

Two tools written in C that block network traffic for blacklisted EDR processes, using either Windows Defender Firewall (WDF) or Windows Filtering Platform (WFP).

Overview

  • WindowsDefenderFirewall.exe
    • Creates inbound and outbound block rules in Windows Defender Firewall for blacklisted EDR processes.
  • WindowsFilteringPlatform.exe
    • Creates WFP filters that block traffic for blacklisted EDR processes. Includes a custom AppID resolution routine to obtain executable identities.
  • Both tools:
    • Verify the process is running with High Integrity and SeDebugPrivilege enabled.
    • Enumerate running processes and match them against a blacklist.
    • Support a cleanup mode that removes only the rules/filters created by these PoCs.
  • These tools do not disable or tamper with security products; they create network block rules/filters referencing targeted executables.

How it works (high level)

  • Privilege checks: Ensures elevated integrity level and SeDebugPrivilege to enumerate processes and configure firewall/WFP.
  • Process discovery: Enumerates running processes and resolves full image paths for blacklist matching.
  • Blocking:
    • WDF: Adds per-app inbound/outbound block rules via the Windows Firewall COM API.
    • WFP: Adds per-app IPv4/IPv6 block filters via the WFP engine.
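Because both tools leave per-application block entries behind (firewall rules in WDF, AppID filters in WFP), a defender can hunt for exactly that artefact. The following is an added detection example, not code from the PoC repository; it assumes an elevated PowerShell session and the XML layout emitted by `netsh wfp show filters` (item/action/type, filterCondition/item/fieldKey, conditionValue/byteBlob/asString) as seen on current Windows builds.

```powershell
# Added example (not part of the PoC): list per-application Block rules in
# Windows Defender Firewall and per-AppID block filters in WFP, then mark any
# whose target image is currently running. Assumes an elevated session.

function Get-PerAppBlockRules {
    Get-NetFirewallRule -Action Block -Enabled True | ForEach-Object {
        $rule = $_
        $rule | Get-NetFirewallApplicationFilter |
            Where-Object { $_.Program -and $_.Program -ne 'Any' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source  = 'WDF'
                    Name    = $rule.DisplayName
                    Scope   = $rule.Direction      # Inbound / Outbound
                    Program = [Environment]::ExpandEnvironmentVariables($_.Program)
                }
            }
    }
}

function Get-PerAppWfpBlockFilters {
    # Assumed netsh XML layout; WFP stores the app ID as an NT device path.
    $xmlPath = Join-Path $env:TEMP 'wfp-filters.xml'
    netsh wfp show filters file="$xmlPath" | Out-Null
    [xml]$doc = Get-Content -LiteralPath $xmlPath -Raw
    foreach ($f in $doc.SelectNodes('//item[action/type="FWP_ACTION_BLOCK"]')) {
        foreach ($c in $f.SelectNodes('filterCondition/item[fieldKey="FWPM_CONDITION_ALE_APP_ID"]')) {
            [pscustomobject]@{
                Source  = 'WFP'
                Name    = $f.displayData.name
                Scope   = $f.layerKey              # e.g. FWPM_LAYER_ALE_AUTH_CONNECT_V4
                Program = $c.conditionValue.byteBlob.asString
            }
        }
    }
}

function Find-BlockedRunningImages {
    # Match on image file name only, since WDF uses Win32 paths and WFP NT paths.
    $running = @{}
    Get-Process | Where-Object Path | ForEach-Object {
        $running[(Split-Path $_.Path -Leaf).ToLowerInvariant()] = $_.Path
    }
    @(Get-PerAppBlockRules) + @(Get-PerAppWfpBlockFilters) | ForEach-Object {
        $leaf = (Split-Path $_.Program -Leaf).ToLowerInvariant()
        $hit  = if ($running.ContainsKey($leaf)) { $running[$leaf] } else { '' }
        $_ | Add-Member -NotePropertyName RunningAs -NotePropertyValue $hit -PassThru
    }
}

Find-BlockedRunningImages | Sort-Object RunningAs -Descending | Format-Table -AutoSize
```

Get-Process cannot read the image path of protected (PPL) processes, which is how most EDR services run, so an empty RunningAs column is not evidence that the target is absent; every per-app block row deserves review, and a rule with no Group or policy-store origin is especially suspect.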

Supported EDRs

Currently supported EDRs and their processes include:

  • Microsoft Defender Antivirus
  • Microsoft Defender for Endpoint
  • Elastic EDR
  • BitDefender
  • Cortex
  • CrowdStrike
  • Sentinel
  • Sophos

Download & Use
