// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-07DTG 0600Z
Endpoint Security Vendor

Symantec

7 PUBLIC SECURITY EVENTS ON FILE · 2023-06-01 — 2026-02-10

Publicly-known security events concerning Symantec — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What Symantec sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

Symantec competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 4 incidents · 2 research pocs · 1 vuln disclosure.

2026-02-10
incident
Reynolds Ransomware Embeds Vulnerable Driver to Kill EDR Before EncryptionReynolds ransomware
Broadcom researchers disclosed Reynolds ransomware in February 2026, which embeds the vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) directly into its payload to terminate endpoint security processes before encrypting files. This single-binary approach eliminates the detection gap of traditional BYOVD attacks, making it harder for defenders to spot. The ransomware targets major EDR products including CrowdStrike Falcon, Cortex XDR, and others.
2025-08-28
research poc
WDAC Policies Used to Disable EDR Agents in the WildWDAC-EDR-Block
Research details how Windows Defender Application Control (WDAC) policies are being used by threat actors to block endpoint detection and response (EDR) agents. Multiple malware families, including Krueger and a new variant named DreamDemon, have been observed deploying WDAC policies that prevent EDR components from loading. The technique remains effective against many EDR products, with limited preventive capabilities from vendors.
2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
2025-04-30
vuln disclosure
CVE-2025-3599: Symantec Endpoint Protection Windows Agent ERASER Engine Elevation of PrivilegeCVE-2025-3599
A vulnerability in Symantec Endpoint Protection Windows Agent's ERASER Engine prior to version 119.1.7.8 allows an attacker to delete protected resources. This is an elevation of privilege issue that could undermine endpoint protection integrity.
2024-07-17
incident
Fin7's AvNeutralizer Tool Enables EDR Tampering for Ransomware GangsAvNeutralizer
SentinelOne reports that the Fin7 threat group has developed and sold a custom tool called AvNeutralizer (aka AuKill) that tampers with endpoint detection and response (EDR) solutions. The tool has been used by multiple ransomware gangs, including AvosLocker, MedusaLocker, BlackCat, and LockBit, since early 2023. AvNeutralizer leverages a previously unseen technique using the Windows TTD monitor driver ProcLaunchMon.sys and a hardened process explorer driver to cause a denial-of-service condition on affected security products.
2024-07-16
incident
Killer Ultra Malware Disables EDR/AV in Ransomware AttacksKiller Ultra
Killer Ultra malware, used in Qilin ransomware attacks, terminates endpoint security tools by exploiting a vulnerable Zemana AntiLogger driver (CVE-2024-1853). It also clears Windows Event Logs and contains inactive post-exploitation capabilities. The malware targets Symantec, Microsoft Defender, and SentinelOne.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

Symantec ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →