
// the find

netero1010/EDRSilencer

★ 1,876 · C · MIT · updated Nov 2024

A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to their server.

EDRSilencer uses the Windows Filtering Platform (WFP) API to drop outbound network traffic from EDR agent processes, effectively blinding them without terminating them. It's an offensive security / red team tool for simulating what attackers do after gaining admin access on a Windows host. Not for defenders.

WFP is a legitimate Windows API, so this avoids the kernel driver gymnastics most EDR-bypass tools require — lower risk of crashing the system. The custom FwpmGetAppIdFromFileName0 implementation that sidesteps CreateFileW is genuinely clever and solves a real problem with EDR self-protection hooks. Clean unblock-by-ID makes cleanup safe in post-exploitation scenarios where you don't want to nuke every filter indiscriminately. Single-file C with a straightforward mingw cross-compile path means it fits easily into a build pipeline.

Process name lists are hardcoded in EDRSilencer.c and require recompilation to update; this is already a limitation in practice, since the author notes that untested EDRs may slip through. Tested only on Windows 10 and Server 2016, with no coverage for anything past 2019, where WFP behavior has changed. No persistence mechanism: a reboot or an EDR restart brings reporting back immediately. Because it blocks outbound traffic rather than event generation, an EDR that queues telemetry locally will catch up the moment the filter drops.

