Hacker News

Those EDR products are implemented as kernel drivers.

A third-party, closed-source Windows kernel driver that can't be audited. It gathers a massive amount of activity data and sends it back to the central server (which can be sold), as well as executing arbitrary payloads from the central server.

It becomes a single point of failure for your whole system.

If an attacker gains control of the sysadmin's PC, it's over.

If an attacker gains administrator privilege on an EDR-installed system, they run with the same privilege as the EDR, so the attacker can hide their activities from the EDR. There aren't many EDR products in the world where that can be done.

I'd like to call it the "full trust security model".
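A practical way to see the point the comment makes about third-party code in ring 0 is to inventory the kernel-mode drivers actually loaded on a host and who signed them. The script below is an added example, not code from the comment or from any EDR vendor; it assumes a Windows host, PowerShell 5.1 or later, and an elevated prompt, and uses only the built-in Win32_SystemDriver CIM class and Get-AuthenticodeSignature.

```powershell
# Added example (not part of the HN comment): list running kernel-mode drivers,
# the vendor name embedded in each binary, and the Authenticode signer, so that
# closed-source third-party drivers (EDR agents included) stand out.
# Assumes Windows, PowerShell 5.1+, and an elevated session for full visibility.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may appear as "\??\C:\...", "\SystemRoot\..." or a plain path; normalise it.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $info = (Get-Item -LiteralPath $path).VersionInfo

    [pscustomobject]@{
        Name      = $d.Name
        StartMode = $d.StartMode          # Boot / System drivers load before any user-mode control exists
        Company   = $info.CompanyName     # vendor-supplied string, a hint only, not authoritative
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SigStatus = $sig.Status
        Path      = $path
    }
}

# Everything whose embedded vendor is not Microsoft is third-party code running
# at kernel privilege that you cannot audit from source.
$report |
    Where-Object { $_.Company -notmatch 'Microsoft' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, Company, Signer, SigStatus -AutoSize
```

One caveat when reading the output: drivers that went through Microsoft's hardware attestation or WHQL signing carry a Microsoft-issued signer certificate even though the code is third-party, so the Signer column alone will not separate vendor drivers from Windows' own. That is why the filter above keys on the binary's embedded CompanyName, which is weak evidence in its own right; treat the two columns together as an inventory to review, not as a trust decision.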
