GhostTree NTFS Junctions Paralyze Windows Defender Scans

Varonis disclosed GhostTree, an NTFS junction technique that uses recursive loops to block Windows Defender scans, requiring only standard user permissions.

    Varonis security researchers disclosed GhostTree, a Windows file system evasion technique that uses NTFS directory junctions to create recursive infinite loops that prevent Windows Defender from completing folder scans — allowing malware placed inside affected directories to remain hidden indefinitely. The technique requires only standard user-level permissions, no administrator access, and exploits a designed Windows feature rather than a software bug.

    How NTFS Junction Loops Generate 2^126 Valid File Paths to Block Defender Scans

    NTFS junctions redirect one directory to another location, analogous to symbolic links at the directory level. GhostTree creates self-referential junctions where a child folder points back to its parent, producing paths like C:\Parent\Child\Child\Child... — syntactically valid but infinite in length.

    The multi-branch “GhostTree” variant amplifies this effect by creating multiple junction children from a single parent directory. At Windows’ 260-character path length limit — approximately 126 nesting levels before the maximum path length is exceeded — two branches generate 2^126 unique valid paths, approximately 8.5 × 10^37, to any file in the parent directory. When Defender attempts recursive directory enumeration to scan for malware, it follows the junctions and either runs indefinitely or exhausts its path buffer, leaving the parent directory’s actual contents unscanned.

    Varonis confirmed successful Defender evasion against Windows Defender folder scans. The only permissions required to create NTFS junctions are standard user-level write permissions — no administrator account is needed, and no elevation prompt is triggered.

    Microsoft’s Initial Refusal to Patch and Subsequent Reversal

    Microsoft initially declined to address the GhostTree technique, characterizing a Defender bypass as “not crossing a security boundary” — a framing that treats antivirus evasion as outside the scope of security patch eligibility.

    Microsoft subsequently reversed that position and issued a patch. The reversal reflects the practical security consequence of the technique: a standard user on any Windows machine can, using the built-in mklink command, create an NTFS junction structure that makes Defender unable to scan a directory they choose. The net effect is a user-accessible Defender bypass with no special tooling required beyond standard Windows functionality.

    Why Signature-Based Detection of GhostTree Is Structurally Difficult

    GhostTree exploits Windows file system behavior as designed. NTFS junctions are a legitimate Windows feature used in normal system configurations — they appear in Windows system directories and are created by Windows itself during certain operations. Detection heuristics that flag junction creation broadly would generate substantial false-positive noise from legitimate system activity.

    The attack surface here is not a misconfiguration or a software flaw — it is the interaction between Defender’s recursive scan logic and Windows’ documented path resolution behavior. Signature-based detection of the evasion mechanism itself is structurally constrained because the mklink command and the resulting NTFS junctions are benign system tools being used in a specific configuration, not malicious code.

    What Standard Users Can Conceal With a Single mklink Command

    The practical implication of standard user permission requirements is significant. On any Windows machine where a user has write access to a directory — which describes virtually every user on their own workstation — they can construct a GhostTree junction structure around that directory and place arbitrary files inside it with confidence that Defender’s folder scan will not complete.

    For malware operators who have already achieved code execution at standard user privilege — through a phishing attachment, a browser exploit, or a downloaded installer — GhostTree provides a persistent storage location for tools, payloads, or exfiltrated data that survives Defender scans. It also represents an evasion option for any user-level persistence mechanism that stores components on disk.

    Varonis recommended that defenders monitor for anomalous NTFS junction creation, particularly junctions that create circular directory references, as an early indicator of GhostTree deployment. File system monitoring at the data layer — rather than relying exclusively on Defender scan completion as the signal of a clean directory — provides a detection path that is not subject to the same scan-exhaustion vulnerability the technique exploits.
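    The following is an added example, not Varonis or Microsoft code, that makes both points above concrete: a naive recursive walker of the kind the article describes (follows every directory entry, junctions included, with only a path-length limit as a brake) doubles its work at every nesting level of a two-branch loop, while a cycle-aware scanner that tracks the real directories it has already visited and refuses to descend through a link whose target is the directory containing it (or any ancestor) still reaches the parent directory's actual contents and reports the circular references as the indicator Varonis recommends watching for. Assumptions: Python 3.8 or later; on Windows the scanner recognises NTFS junctions via DirEntry.is_junction() (3.12+) or st_reparse_tag, but the constructed sample tree uses directory symlinks as a stand-in for mklink /J junctions so the example also runs on Linux and macOS; the names Parent, Child0, Child1 and payload.txt are constructed; the naive walker models the scan logic described in the article, not Defender's actual implementation.

```python
"""Cycle-safe directory scanning and circular-junction detection.

Added example (not Varonis or Microsoft code). The sample tree uses directory
symlinks as a stand-in for NTFS junctions so it runs on any OS; the scanner
itself treats symlinks and Windows junctions alike.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class ScanReport:
    files: list = field(default_factory=list)   # real files actually reached
    loops: list = field(default_factory=list)   # (link path, resolved target) circular refs
    dirs_scanned: int = 0


def _is_link(entry: os.DirEntry) -> bool:
    """True for symlinks on any OS and for NTFS junctions on Windows."""
    if entry.is_symlink():
        return True
    is_junction = getattr(entry, "is_junction", None)      # Python 3.12+
    if is_junction is not None:
        return is_junction()
    return bool(getattr(entry.stat(follow_symlinks=False), "st_reparse_tag", 0))


def _identity(path: str) -> tuple:
    st = os.stat(path)                       # follows links to the real directory
    return (st.st_dev, st.st_ino)


def is_circular(link_dir: str, link_path: str) -> bool:
    """A link is circular when its resolved target is the directory that
    contains it, or any ancestor of that directory (the GhostTree shape)."""
    real_parent = os.path.realpath(link_dir)
    real_target = os.path.realpath(link_path)
    try:
        return os.path.commonpath([real_parent, real_target]) == real_target
    except ValueError:          # different drives on Windows: cannot be an ancestor
        return False


def scan_tree(root: str, max_depth: int = 64) -> ScanReport:
    """Recursive scan that never revisits a real directory and refuses to
    descend through circular links, so a looped tree still gets fully scanned."""
    report = ScanReport()
    seen: set = set()

    def walk(path: str, depth: int) -> None:
        ident = _identity(path)
        if depth > max_depth or ident in seen:
            return
        seen.add(ident)
        report.dirs_scanned += 1
        with os.scandir(path) as it:
            for entry in it:
                if _is_link(entry):
                    if entry.is_dir() and is_circular(path, entry.path):
                        report.loops.append((entry.path, os.path.realpath(entry.path)))
                    elif entry.is_dir():
                        walk(os.path.realpath(entry.path), depth + 1)
                elif entry.is_dir(follow_symlinks=False):
                    walk(entry.path, depth + 1)
                elif entry.is_file(follow_symlinks=False):
                    report.files.append(entry.path)

    walk(os.path.realpath(root), 0)
    return report


def naive_enumerate(root: str, max_path_len: int) -> tuple:
    """Model of the scan logic the article describes: follow every directory
    entry, links included, with only a path-length limit as a brake.
    Returns (directories visited, paths abandoned for exceeding the limit)."""
    visited = abandoned = 0
    stack = [root]
    while stack:
        path = stack.pop()
        if len(path) > max_path_len:
            abandoned += 1
            continue
        visited += 1
        with os.scandir(path) as it:
            stack.extend(e.path for e in it if e.is_dir())   # is_dir() follows links
    return visited, abandoned


def build_looped_tree(base: str, branches: int = 2) -> str:
    """Constructed sample: Parent/ holding one real file and `branches`
    child links that each point back at Parent (the mklink /J shape)."""
    parent = os.path.join(base, "Parent")
    os.makedirs(parent)
    with open(os.path.join(parent, "payload.txt"), "w") as fh:
        fh.write("real file that the scan must reach\n")
    for i in range(branches):
        os.symlink(parent, os.path.join(parent, f"Child{i}"), target_is_directory=True)
    return parent


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        parent = build_looped_tree(tmp)
        # Two loop branches: each extra level doubles the naive walker's work until
        # the path limit stops it (a small limit of six levels keeps the demo quick).
        visited, abandoned = naive_enumerate(parent, len(parent) + 6 * len(os.sep + "Child0"))
        report = scan_tree(parent)
        return {
            "naive_visited": visited,                      # 1+2+...+64 = 127
            "naive_abandoned": abandoned,                  # 2^7 = 128 paths over the limit
            "safe_dirs": report.dirs_scanned,              # the one real directory
            "safe_files": [os.path.basename(f) for f in report.files],
            "loops": sorted(os.path.basename(l) for l, _ in report.loops),
        }


if __name__ == "__main__":
    print(demo())
```

    Raising the naive walker's limit by one level doubles both counts, which is the 2^n growth the article describes; the cycle-aware scan is unaffected by the number of branches or levels because it keys on the real directory identity rather than on the path string, and its loop list is exactly the circular-reference signal a file-system monitor can alert on.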
