Block All Running EDR Processes via WFP

Description

Enumerates all running processes, matches them against the built-in EDR list, and installs persistent WFP outbound-block rules (IPv4 + IPv6) for each match.

Overview

This script calls Add-WfpBlock, which enumerates all running processes on the current system and compares them against a built-in list of known EDR process names. For every match it finds, it adds two persistent Windows Filtering Platform (WFP) outbound-block rules — one for IPv4 and one for IPv6 — using the process’s application identifier.

The rules are persistent, meaning they survive reboots until explicitly removed. Use Remove-WfpBlock to clean up.
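From the defender's side, the point that matters is that these filters live in the Base Filtering Engine rather than in the Windows Firewall rule set, so they have to be hunted for in a WFP dump. The audit script below is an added example written for this page, not part of the script or project described above. It uses the real `netsh wfp show filters file=<path>` command to export the current filter set, then flags block filters whose application-ID condition points at a known EDR binary. The XML element names it walks (`wfpdiag/filters/item`, `action/type`, `filterCondition/item/fieldKey`, `conditionValue/byteBlob/asString`, `flags/item`) are assumptions about the dump layout and should be checked against a real export on your build; the two binary names come from the example output on this page, and the embedded sample dump is constructed so the parser can be exercised offline.

```powershell
# Added example (not the page's own code): audit WFP block filters that target EDR executables.
# Live collection needs an elevated PowerShell session; parsing the embedded sample does not.

# Binaries named in this page's example output. Extend for the EDR products in your estate.
$EdrBinaries = @('MsMpEng.exe', 'MsSense.exe')

function Get-WfpFilterDump {
    # Export the live filter set with netsh and return it as an XML document.
    param([string]$Path = (Join-Path $env:TEMP 'wfp-filters.xml'))
    $null = netsh wfp show filters file="$Path"
    if (-not (Test-Path -Path $Path)) { throw "netsh produced no dump at $Path (is the session elevated?)" }
    return [xml](Get-Content -Path $Path -Raw)
}

function Find-EdrBlockFilter {
    # Walk the dump and emit one record per block filter whose app-ID condition names an EDR binary.
    # Assumption: element names below match the netsh XML schema; verify on a real dump.
    param([Parameter(Mandatory)][xml]$Dump)
    foreach ($f in $Dump.wfpdiag.filters.item) {
        if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }
        $appCond = $f.filterCondition.item |
            Where-Object { $_.fieldKey -eq 'FWPM_CONDITION_ALE_APP_ID' }
        if (-not $appCond) { continue }
        # App IDs are NT device paths (\device\harddiskvolumeN\...), so compare only the file name,
        # case-insensitively (-contains ignores case by default).
        $appPath = $appCond.conditionValue.byteBlob.asString
        $leaf = [System.IO.Path]::GetFileName($appPath)
        if ($EdrBinaries -notcontains $leaf) { continue }
        [pscustomobject]@{
            FilterId   = $f.filterId
            Name       = $f.displayData.name
            Layer      = $f.layerKey
            AppPath    = $appPath
            Persistent = (@($f.flags.item) -contains 'FWPM_FILTER_FLAG_PERSISTENT')
        }
    }
}

# Constructed sample dump (not real output) covering one IPv4 block filter on an EDR binary,
# one permit filter on the same binary, and one block filter on an unrelated program.
$SampleDump = [xml]@'
<wfpdiag>
  <filters>
    <item>
      <filterId>65537</filterId>
      <displayData><name>Sample block</name></displayData>
      <flags><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></byteBlob></conditionValue>
        </item>
      </filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
    </item>
    <item>
      <filterId>65600</filterId>
      <displayData><name>Sample permit</name></displayData>
      <flags/>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\windows defender\msmpeng.exe</asString></byteBlob></conditionValue>
        </item>
      </filterCondition>
      <action><type>FWP_ACTION_PERMIT</type></action>
    </item>
    <item>
      <filterId>65601</filterId>
      <displayData><name>Unrelated block</name></displayData>
      <flags/>
      <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V6</layerKey>
      <filterCondition>
        <item>
          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
          <conditionValue><byteBlob><asString>\device\harddiskvolume3\tools\other.exe</asString></byteBlob></conditionValue>
        </item>
      </filterCondition>
      <action><type>FWP_ACTION_BLOCK</type></action>
    </item>
  </filters>
</wfpdiag>
'@

# Offline demonstration: only filter 65537 should be reported.
Find-EdrBlockFilter -Dump $SampleDump | Format-Table -AutoSize

# Live audit (elevated session required):
# Find-EdrBlockFilter -Dump (Get-WfpFilterDump) | Format-Table -AutoSize
```

Run the live form from a scheduled job or an EDR-independent collector, since a host whose sensor has been silenced will not report the condition itself. Filter additions can also be captured as they happen: with the "Filtering Platform Policy Change" audit subcategory enabled, Windows logs Security event 5447 ("A Windows Filtering Platform filter has been changed"), which is worth forwarding and alerting on when the change is a block filter on a security-product path.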

Pre-Requisites

  • High integrity (Administrator) process

Dependencies

  • Firewall

Parameters

None.

Supported EDR Products

The built-in list covers: Microsoft Defender for Endpoint, Elastic EDR, Trellix, Qualys, SentinelOne, Cylance, Cybereason, Carbon Black EDR, Carbon Black Cloud, Tanium, Palo Alto Cortex XDR, FortiEDR, Cisco Secure Endpoint, ESET Inspect, Harfanglab, and Trend Micro Apex One.

Example Output

FilePath                                          FilterIdV4       FilterIdV6       ErrorCodeV4  ErrorCodeV6
--------                                          ----------       ----------       -----------  -----------
C:\Program Files\Windows Defender\MsMpEng.exe    65537            65538            0            0
C:\Program Files\Windows Defender\MsSense.exe    65539            65540            0            0