Defeating EDR Evading Malware with Memory Forensics

Case, Sellers, Richard

DEF CON 32 · Day 1 · Main Stage

In this DEF CON 32 presentation, Andrew Case, a core developer on the Volatility memory analysis project and Director of Research at Volexity, delves into the critical issue of sophisticated malware bypassing Endpoint Detection and Response (EDR) solutions. The talk addresses a prevalent and concerning disconnect observed in real-world incident response scenarios: EDRs are often deployed, configured, and reported as active on compromised machines, yet potent malware frequently operates undetected within the very processes these EDRs are supposed to monitor. This presentation outlines Volexity's research into understanding *why* this evasion occurs and, more importantly, how advanced memory forensics techniques, particularly leveraging the Volatility framework, can automatically detect such stealthy threats.

AI review

This talk by Andrew Case is a critical, no-nonsense deep dive into why modern EDRs fail against sophisticated malware and how memory forensics, specifically leveraging Volatility, is the only reliable way to catch these stealthy threats. It provides actionable intelligence on detecting evasion techniques, from kernel callback disabling to advanced non-code-overwriting system call bypasses, making a compelling case for a fundamental shift in defensive strategy. Essential viewing for anyone serious about incident response and threat hunting.
