Bring Your Own Installer EDR Bypass Observed in Ransomware Operation
A new "Bring Your Own Installer" technique is actively being exploited in ransomware attacks to disable endpoint defenses by bypassing tamper protection in a leading EDR solution. This method allows attackers to terminate EDR agents and deploy ransomware, leaving systems exposed and unprotected.
Unlike typical EDR bypasses that use third-party drivers or tools, this technique leverages the vendor’s own installer, Bleeping Computer reports.
Researchers discovered that during agent upgrades, the installer temporarily shuts down the EDR’s protection services before replacing system files. Threat actors exploit this moment by forcefully terminating the installer process—specifically the Windows Installer (msiexec.exe)—after protections are disabled but before the new agent is deployed.
The technique was uncovered by incident response researchers during a ransomware investigation earlier this year. Attackers had already gained administrative access to the network via a vulnerability and then executed this bypass to disable endpoint defenses. Notably, this method works across multiple versions of the agent, making even updated environments vulnerable if misconfigured.
Mitigation guidance was issued in early 2025, urging organizations to enable a security feature called “Online Authorization,” which requires approval before any local upgrade, downgrade, or uninstall can proceed. This setting is disabled by default in existing deployments but has since been turned on by default for new installations.
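The following detection sketch is added here as an illustration and is not code from the Bleeping Computer report or from any EDR vendor. It shows one way a SOC could spot the window described above from Sysmon-style telemetry: an msiexec.exe process launched with the agent package, then opened with PROCESS_TERMINATE rights (Sysmon event 10, GrantedAccess) or targeted by taskkill, and exiting before any installation-completed marker. The event records, the package-name hint `edr-agent`, the field names and the ten-minute window are constructed assumptions; map them onto your own telemetry schema.

```python
"""Flag an EDR agent installer (msiexec.exe) that is forcibly terminated
before it finishes.  All events below are a constructed, Sysmon-style
sample; they are not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

PROCESS_TERMINATE = 0x0001  # Win32 access-right bit reported in Sysmon EID 10 GrantedAccess
AGENT_PACKAGE_HINT = "edr-agent"  # hypothetical substring of the vendor's MSI file name


@dataclass
class Event:
    time: datetime
    kind: str                 # process_create | process_access | process_terminate | install_completed
    pid: int                  # the process the event is about (target pid for process_access)
    image: str = ""
    cmdline: str = ""
    source_pid: Optional[int] = None   # process_access only: who opened the handle
    source_image: str = ""
    granted_access: int = 0            # process_access only: access mask


def is_agent_installer(ev: Event) -> bool:
    """msiexec.exe started with the agent package on its command line."""
    return (ev.kind == "process_create"
            and ev.image.lower().endswith("\\msiexec.exe")
            and AGENT_PACKAGE_HINT in ev.cmdline.lower())


def requests_terminate(ev: Event, installer: Event) -> bool:
    """True if ev opens the installer with PROCESS_TERMINATE, or is a taskkill
    invocation naming the installer's PID or image."""
    if ev.kind == "process_access" and ev.pid == installer.pid:
        return bool(ev.granted_access & PROCESS_TERMINATE)
    if ev.kind == "process_create" and ev.image.lower().endswith("\\taskkill.exe"):
        cl = ev.cmdline.lower()
        return f"/pid {installer.pid}" in cl or "msiexec.exe" in cl
    return False


def detect_installer_kills(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Alert when an agent installer is killed by another process and exits
    without a completion marker inside the window.  Requiring both signals
    keeps ordinary failed upgrades (no external kill) out of the alert stream."""
    events = sorted(events, key=lambda e: e.time)
    alerts = []
    for inst in (e for e in events if is_agent_installer(e)):
        killer: Optional[Event] = None
        completed = False
        for ev in events:
            if ev.time <= inst.time or ev.time - inst.time > window:
                continue
            if ev.kind == "install_completed" and ev.pid == inst.pid:
                completed = True
            if killer is None and requests_terminate(ev, inst):
                killer = ev
            if ev.kind == "process_terminate" and ev.pid == inst.pid:
                if killer is not None and not completed:
                    alerts.append({
                        "installer_pid": inst.pid,
                        "installer_cmdline": inst.cmdline,
                        "killed_by": killer.source_image if killer.kind == "process_access" else killer.image,
                        "killer_pid": killer.source_pid if killer.kind == "process_access" else killer.pid,
                        "seconds_after_start": (ev.time - inst.time).total_seconds(),
                    })
                break  # installer is gone; stop scanning for this instance
    return alerts


# Constructed sample: a normal upgrade (pid 4100) and an interrupted one (pid 5200).
T0 = datetime(2025, 5, 5, 14, 0, 0)
MSIEXEC = "C:\\Windows\\System32\\msiexec.exe"
TASKKILL = "C:\\Windows\\System32\\taskkill.exe"
SAMPLE_BENIGN = [
    Event(T0, "process_create", 4100, MSIEXEC, "msiexec.exe /i C:\\Temp\\edr-agent-24.2.msi /qn"),
    Event(T0 + timedelta(seconds=90), "install_completed", 4100),
    Event(T0 + timedelta(seconds=91), "process_terminate", 4100, MSIEXEC),
]
T1 = T0 + timedelta(hours=1)
SAMPLE_MALICIOUS = [
    Event(T1, "process_create", 5200, MSIEXEC, "msiexec.exe /i C:\\Temp\\edr-agent-24.2.msi /qn"),
    Event(T1 + timedelta(seconds=20), "process_create", 6300, TASKKILL, "taskkill.exe /F /PID 5200"),
    Event(T1 + timedelta(seconds=20), "process_access", 5200, MSIEXEC,
          source_pid=6300, source_image=TASKKILL, granted_access=PROCESS_TERMINATE),
    Event(T1 + timedelta(seconds=21), "process_terminate", 5200, MSIEXEC),
]
SAMPLE_EVENTS = SAMPLE_BENIGN + SAMPLE_MALICIOUS

if __name__ == "__main__":
    for alert in detect_installer_kills(SAMPLE_EVENTS):
        print(alert)
```

In production the `install_completed` marker would come from the vendor's own agent-started telemetry or the Windows Installer application-log success events rather than a synthetic record, and the alert should be paired with the "Online Authorization" setting from the mitigation guidance above: detection catches the interruption, the setting refuses to start the unauthorized upgrade in the first place.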
Another leading security vendor confirmed that their own EDR software was not affected, though the underlying technique could theoretically apply to other endpoint solutions with similar architecture.
Takeaway: EDR isn’t the problem; it’s the battlefield. This latest “Bring Your Own Installer” trick is a perfect example of how attackers aren’t just slipping past defenses; they’re weaponizing the tools already available on the network.
This isn’t some obscure lab technique or proof-of-concept. It was used in a real-world ransomware attack, against a real organization with a mature security stack.
No shady drivers, no exotic payloads, just a clever abuse of the legitimate agent installer to quietly kill security controls before the payload dropped. It’s a game now, and the takeaway isn’t that EDR failed; it’s that ransomware crews are evolving faster than security vendors can keep up.
Attackers are investing heavily in EDR bypasses. They’re building tools to blind, unhook, or kill endpoint agents before they move to exfiltration or encryption. BYOVD attacks, kernel-level unhooking, signed payloads, and now installer abuse—it’s all on the table.
We’re well into the era of EDR-Killers—tools purpose-built to blind, disable, or rip endpoint agents right out of memory. And these crews are treating EDR evasion as a core capability, not an afterthought. It’s part of the standard playbook now.
EDR is essential for any enterprise environment, but its presence doesn’t automatically mean you’re protected. The attackers are crafting operations that can maneuver in protected environments, and this latest technique just shows how creative they can be.
Automated recovery, attack containment, and anti-ransomware solutions that assume EDR might lose a round—that’s how you survive the modern ransomware playbook. Because the question isn’t if attackers will try to knock out your defenses. It’s whether you’ve got a plan for when they do.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.