Block All EDR Processes via WFP and Report Status

Description

Blocks all running EDR processes with WFP, then lists the current state of all active block rules in a single operation.

Overview

This composite script installs WFP outbound-block rules for all running EDR processes and then immediately enumerates the resulting active filter set so you can confirm which rules were created.

The script outputs a summary object showing how many processes were successfully blocked versus how many failed (e.g. due to path resolution errors), followed by the full list of active WFP block rules.

Prerequisites

  • High integrity (Administrator) process

Dependencies

  • Firewall

Parameters

None.

Example Output

Blocked : 2
Failed  : 0

FilterId  NtPath                                                                  Layer
--------  ------                                                                  -----
65537     \device\harddiskvolume3\program files\windows defender\msmpeng.exe      IPv4
65538     \device\harddiskvolume3\program files\windows defender\msmpeng.exe      IPv6
65539     \device\harddiskvolume3\program files\windows defender\mssense.exe      IPv4
65540     \device\harddiskvolume3\program files\windows defender\mssense.exe      IPv6