On May 19, 2026, Varonis Threat Labs published GhostTree, an evasion technique that neutralizes endpoint scanners using only native Windows features. Two lines of code and a single NTFS junction generate roughly 8.5×10³⁷ directory paths, hanging the scan engine and leaving malicious payloads invisible in the root folder.
The disclosure sparked a broader debate: when an antivirus can be disabled through normal filesystem behavior, who owns the security boundary?
- GhostTree uses the Windows mklink /J command to create recursive directory junction loops; no administrative privileges are required.
- The advanced variant generates approximately 2¹²⁶ distinct paths (about 8.5×10³⁷), roughly ten orders of magnitude more than the ~10²⁷ atoms in a human body.
- Varonis tested and confirmed Windows Defender hangs: scanning the parent folder becomes impossible, and malicious files remain unexamined.
- Microsoft initially dismissed the bug report on the grounds that bypassing Defender does not cross a security boundary, then issued a patch.
How the Combinatorial Path Explosion Works
The technique relies on NTFS reparse points, the filesystem mechanism behind directory junctions. A junction is a directory entry that redirects to another directory, and in Windows any user with write permission on a folder can create one inside it, pointing wherever they like.
The command is elementary: mklink /J C:\Parent\Child C:\Parent. The child junction points to the parent, the parent contains the child, and the loop is closed: C:\Parent\Child, C:\Parent\Child\Child and every deeper repetition all resolve to C:\Parent.
Varonis developed two variants. GhostBranch, the base form, creates a single recursive junction yielding roughly 126 nesting levels (with very short directory names) before the resulting path exceeds the 260-character MAX_PATH limit. That alone is enough to trap recursive scanners.
GhostTree, the advanced variant, multiplies the structure: two (or more) child junctions in the same parent all point back to that parent, so the directory tree becomes a binary tree in which every level offers a choice between two branches. The math is explicit: 2¹²⁶ distinct paths, approximately 8.5×10³⁷.
For context, Varonis compares this figure to the roughly 10²⁷ atoms in a human body and the estimated 8.5×10¹⁸ grains of sand on Earth.
The practical effect is not theoretical. When an EDR scanner encounters this structure and attempts recursive traversal, the scan engine is completely consumed by the directory loop. As Varonis' proof documents: "The scan hangs. The malicious files go unexamined."
Payloads placed in the root directory — the one created by the user or malicious process — remain outside the inspection perimeter.
The Windows Defender Test and Microsoft's Initial Rejection
Varonis validated the technique against Windows Defender, the default EDR on millions of enterprise systems. The source does not specify tests on other endpoint products, nor does it document whether third-party security vendors were found vulnerable under the same conditions.
This is a significant limitation: the research comes from a single lab, without verified independent replication by other labs or national CERTs.
Disclosure to Microsoft followed a path marked by clashing risk perspectives. The OS vendor initially closed the bug report with a sentence the researchers quoted verbatim: "bypassing Defender is not crossing a security boundary."
The position implied that NTFS junction functionality works as designed, and that the burden of managing the risk falls on those who configure system policies.
"With just two lines of code, a user can generate endless valid paths, making it impossible to finish scanning parent directories" — Varonis Threat Labs
The subsequent patch, reported by all four editorial sources but without a KB identifier or structured Microsoft advisory, reversed that initial stance. The dossier does not clarify whether the fix operates at the NTFS level, the generic scanning API, or specifically within the Defender engine.
Also missing are the exact release date and the affected Windows versions.
What to Do Now
Organizations relying on Windows Defender must verify application of the Microsoft patch for the recursive scanning vulnerability, monitoring antimalware engine updates. No specific KB identifier is available in the Varonis dossier.
Security teams should implement monitoring for recursive NTFS junction creation via data-layer monitoring tools, an approach consistent with the methodology demonstrated by Varonis. Detecting the mklink /J command with a target pointing to an ancestor of the junction's own location provides a specific behavioral indicator. Two caveats: mklink is a cmd.exe built-in, so it only shows up in process telemetry when command-line auditing (Security event 4688 with command-line logging, or Sysmon event ID 1) is enabled; and junctions can equally be created through PowerShell (New-Item -ItemType Junction) or directly via the reparse-point API, so command-line detection should be paired with periodic enumeration of reparse points on the filesystem itself.
Evaluate restricting junction creation permissions for standard users, balancing operational needs against attack surface reduction. The primary source explicitly documents that "any user can create them. No admin privileges are required, and no special permissions beyond write access to the target folder": this lowers the barrier to entry and amplifies risk in enterprise environments with many standard-privilege users.
Security leaders must consider that Varonis tested and confirmed the technique, and the fix, only against Windows Defender. No documentation emerges on coverage for other EDR products: third-party vendors must be queried directly about whether their scanners follow junctions and whether any independent fixes exist.
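The following PowerShell script is an added lab example, not Varonis' code and not taken from the cited articles. It reproduces the mklink /J loop described in "How the Combinatorial Path Explosion Works" inside a throwaway folder (the lab path under $env:TEMP, the junction names A and B and the file payload.txt are all assumptions of this example), then demonstrates the two points a practitioner needs from this page: a naive recursive walk that treats junctions as folders doubles its work at every level, while a junction-aware walk finishes, inspects the files, and reports every reparse point whose target is an ancestor of its own location, which is the hunting indicator recommended above. Run it only in an isolated VM and do not aim a production scanner at the lab folder.

```powershell
# Added lab example (not Varonis' code, not from the cited articles).
# Assumed: lab folder under $env:TEMP, junctions named A and B, sample file payload.txt.
# Run only in an isolated VM.
$ErrorActionPreference = 'Stop'

$Lab    = Join-Path $env:TEMP 'ghosttree-lab'     # assumed lab location
$Parent = Join-Path $Lab 'Parent'
New-Item -ItemType Directory -Path $Parent -Force | Out-Null
Set-Content -LiteralPath (Join-Path $Parent 'payload.txt') -Value 'constructed sample file'

# Two junctions inside Parent that both point back at Parent (the GhostTree shape;
# a single junction is the GhostBranch shape). Equivalent to the page's
# "mklink /J C:\Parent\Child C:\Parent". Write access to Parent is all that is needed.
foreach ($name in 'A', 'B') {
    $link = Join-Path $Parent $name
    if (-not (Test-Path -LiteralPath $link)) {
        New-Item -ItemType Junction -Path $link -Target $Parent | Out-Null
    }
}

# Naive walk: follows junctions like ordinary folders, so directory visits double
# per level (2^(d+1)-1 visits for depth d). The cap exists only so the demo ends;
# a scanner without such a cap keeps going until MAX_PATH or its own timeout.
function Walk-Naive {
    param([string]$Path, [int]$MaxDepth, [int]$Level = 0)
    $visits = 1
    if ($Level -ge $MaxDepth) { return $visits }
    foreach ($d in Get-ChildItem -LiteralPath $Path -Directory -Force) {
        $visits += Walk-Naive -Path $d.FullName -MaxDepth $MaxDepth -Level ($Level + 1)
    }
    return $visits
}

# Junction-aware walk: inspects files, records each reparse point together with
# whether its target is an ancestor of (or equal to) the folder that contains it,
# and never descends through a reparse point. Terminates on any NTFS tree.
function Walk-Safe {
    param([string]$Path)
    $files = 0
    $junctions = @()
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force) {
        if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
            # Windows PowerShell 5.1 exposes Target as string[], PowerShell 7 as string;
            # strip the NT "\??\" prefix if present and any trailing separator.
            $target = ([string]@($item.Target)[0]) -replace '^\\\?\?\\', ''
            $target = $target.TrimEnd('\')
            $junctions += [pscustomobject]@{
                Junction         = $item.FullName
                Target           = $target
                PointsToAncestor = $item.FullName.StartsWith($target + '\', 'OrdinalIgnoreCase')
            }
        } elseif ($item.PSIsContainer) {
            $sub = Walk-Safe -Path $item.FullName
            $files += $sub.Files
            $junctions += $sub.Junctions
        } else {
            $files++                     # a real scanner would inspect the file here
        }
    }
    [pscustomobject]@{ Files = $files; Junctions = $junctions }
}

$demoDepth = 10
"Naive walk capped at depth $demoDepth : $(Walk-Naive -Path $Parent -MaxDepth $demoDepth) directory visits"

$result = Walk-Safe -Path $Parent
"Safe walk: $($result.Files) file(s) inspected, $($result.Junctions.Count) reparse point(s) skipped"
$result.Junctions | Where-Object PointsToAncestor | Format-Table Junction, Target -AutoSize
```

The naive walker is the model of what a scanner that follows junctions does: with two junctions per level it performs 2,047 directory visits for a cap of 10 and would need roughly 2¹²⁶ for the full 126-level structure. The safe walker finds the one real file and two reparse points, both flagged as pointing at an ancestor. Two practical notes: in Windows PowerShell 5.1, Get-ChildItem -Recurse follows junctions, so a one-line recursive hunt over a GhostTree folder can itself hang; the manual recursion above is deliberate. And the PointsToAncestor check is the narrow indicator from this page; a junction aimed at an unrelated directory is not part of this technique and is common in legitimate deployments.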
Why This Matters
GhostTree raises three structural questions the industry must confront. First: EDR can be trusted as a last line of defense only if the product withstands attacks that weaponize the filesystem itself.
Second: the OS vendor's definition of "security boundary" can shift under pressure, creating regulatory uncertainty for those managing compliance. Microsoft first closed the report, then patched: this oscillation leaves enterprise system managers without stable parameters for risk assessment.
Third: the absence of elevated privileges in execution drastically lowers the barrier to entry, making the technique operable in environments where users have only standard rights — the vast majority of corporate workstations.
Gray areas remain. The dossier does not document whether the technique behaves differently when long paths beyond 260 characters are enabled (the LongPathsEnabled registry setting under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem), which would remove the MAX_PATH ceiling on nesting depth. It does not confirm whether in-the-wild exploitation exists or whether the threat remains confined to the research proof of concept.
FAQ
- Is GhostTree a Windows NTFS vulnerability?
- No. It is an abuse of legitimate filesystem features, not a bug in NTFS code. Junctions are documented system tools; the novelty lies in the usage pattern that generates denial-of-service against scanners.
- Does the attack require an administrator account?
- No. According to the primary source, write permissions on the target folder suffice. The explicit quote: "any user can create them. No admin privileges are required, and no special permissions beyond write access to the target folder."
- Does the Microsoft patch protect all EDRs?
- The dossier does not establish this. Varonis explicitly tested Windows Defender; no documentation emerges on other endpoint products or on independent patches released by third-party vendors.
Information is based on the cited source and current as of publication.
Sources
- https://cybersecuritynews.com/ghosttree-attack-edr-products/
- https://cyberpress.org/ghosttree-attack-edr-tools/
- https://www.varonis.com/blog/ghosttree-ntfs-trick
- https://gbhackers.com/new-ghosttree-attack-causes-edr-tools/