netero1010 / EDRSilencer

A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
MIT License

Blocking doesn't work #13

Closed cookpoo78 closed 8 months ago

cookpoo78 commented 8 months ago

Hey, I tried the release binary and also compiled my own (by the way, it was really challenging to compile successfully: GCC could not compile it and VS required a few modifications to succeed), and the WFP blocking doesn't effectively block the network traffic of the binary. I tried a number of binaries. We can clearly see that the rule was added successfully (e.g. by netsh wfp show state), but the process can still communicate. [screenshot attached]

netero1010 commented 8 months ago

Ping uses ICMP traffic, which is not handled by the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer in the WFP. EDRSilencer uses the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer in the filter, so ICMP traffic will not be restricted. You may try "C:\Windows\System32\curl.exe" for testing.

cookpoo78 commented 8 months ago

Still experiencing this problem... [screenshot attached]

netero1010 commented 3 months ago

Hi,

Can you double-check whether the filters are actually added in your WFP? You may check it using "WFPExp.exe". Also, could you double-check whether there is any WFP allow rule specifically for PowerShell?

I tried to reproduce your case in my environment, but the blocking works on my side. [screenshot attached]
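The two checks discussed in this thread (is the filter really present at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer, and is a ping test even meaningful given that layer does not see ICMP) can be done from a WFP export without a GUI tool. The script below is an added example written for this page; it is not part of the EDRSilencer project and was not posted by either participant. It exports the live filter set with `netsh wfp show filters`, then lists BLOCK filters on the ALE_AUTH_CONNECT layers that are scoped to a single executable via FWPM_CONDITION_ALE_APP_ID, which is exactly the filter shape a defender audits for when hunting for EDR-silencing style tampering. The XML element names it reads (`filters/item`, `layerKey`, `action/type`, `filterCondition/item/fieldKey`, `conditionValue/byteBlob/asString`) are assumed to match the netsh export format and should be checked against your own export if the script prints nothing; it must run from an elevated prompt.

```powershell
# Added example for this issue thread; not EDRSilencer code and not from the issue authors.
# Lists WFP BLOCK filters on the ALE_AUTH_CONNECT layers that are bound to one
# application path. Use it to (a) confirm a filter was actually installed and
# (b) audit a host for application-scoped outbound block filters.
# ASSUMPTION: XML element names below reflect what `netsh wfp show filters` writes.
# Requires an elevated PowerShell session.

param(
    [string]$ExportPath = (Join-Path $env:TEMP 'wfp_filters.xml')
)

# Ask netsh to dump every filter in the engine to an XML file.
& netsh.exe wfp show filters "file=$ExportPath" | Out-Null
if (-not (Test-Path -Path $ExportPath)) {
    throw "netsh did not write $ExportPath (is this an elevated prompt?)"
}

[xml]$doc = Get-Content -Path $ExportPath -Raw

# Only the ALE connect layers matter here. Note: these layers classify TCP/UDP
# connect attempts, not ICMP, so a ping that still succeeds proves nothing
# about whether the filter works (the point netero1010 makes above).
$layersOfInterest = @(
    'FWPM_LAYER_ALE_AUTH_CONNECT_V4',
    'FWPM_LAYER_ALE_AUTH_CONNECT_V6'
)

$findings = foreach ($f in $doc.filters.item) {
    if ($f.layerKey -notin $layersOfInterest)      { continue }
    if ($f.action.type -ne 'FWP_ACTION_BLOCK')     { continue }

    # A condition on the ALE app ID means the filter targets one executable.
    $appConds = @($f.filterCondition.item) |
        Where-Object { $_ -and $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' }
    if (-not $appConds) { continue }

    foreach ($c in $appConds) {
        [pscustomobject]@{
            FilterKey = $f.filterKey
            Name      = $f.displayData.name
            Layer     = $f.layerKey
            # netsh renders the app-ID byte blob as a \Device\HarddiskVolumeN\... path.
            AppPath   = $c.conditionValue.byteBlob.asString
        }
    }
}

if ($findings) {
    "Application-scoped BLOCK filters on ALE_AUTH_CONNECT layers:"
    $findings | Format-Table -AutoSize
} else {
    "No application-scoped BLOCK filters found on the ALE_AUTH_CONNECT layers."
}
```

If your filter shows up here but the process still connects, the next things to check are the ones raised in the thread: a higher-weight PERMIT filter for the same app (for example an allow rule for powershell.exe), and whether the test traffic is actually TCP/UDP rather than ICMP. A filter that is absent from this listing was never committed to the engine, regardless of what the tool reported.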