The author describes an EDR evasion technique based on disrupting the agent's communication with its backend. Since modern EDR solutions rely on continuous telemetry streaming to the cloud, losing connectivity significantly reduces their effectiveness. Instead of traditional methods, the approach focuses on limiting the agent's network bandwidth to a minimal level.

The technique is implemented using Policy-based QoS in Windows: strict bandwidth limits (e.g., 1 Kbit/s) are applied to EDR processes, causing constant timeouts and loss of communication with the server. This operates below WFP (via the `pacer.sys` driver) and does not generate typical traffic-blocking events, making detection more difficult.

📎 Article: https://www.zerosalarium.com/2026/06/edrchoker-choking-telemetry-stream-block-edr.html

⚙️ Tool: https://github.com/TwoSevenOneT/EDRChoker

EDR Bypass via Telemetry Throttling (EDRChoker)