Filter-Mute Operation: Investigating EDR Internal Communication
ID: f9c13a98-f33f-523f-8792-47b1c89894c5
STIX ID: report--f9c13a98-f33f-523f-8792-47b1c89894c5
Feed Name: SensePost Blog
This report documents the "filter-mute" technique, which disables communication between an EDR's kernel minifilter driver and its user-mode agent by zeroing the MaxConnections field of the FLT_SERVER_PORT_OBJECT using a kernel read/write primitive obtained through a vulnerable driver (BYOVD). It includes a WinDbg-guided walk through kernel structures to locate the field, a PoC tool (EDRSnowblast) that automates the change, demonstration steps (terminate the user-mode service, then copy a malicious payload to disk), observed success against Windows Defender and two other vendors, the attack's prerequisites (a kernel R/W primitive or a loadable vulnerable driver, plus the ability to kill the EDR process), and recommended mitigations such as VBS/HVCI, driver block rules, and driver-hardening techniques.
