Black & White Path

May 24, 2026 · Information Security

GhostTree: How Windows Path Manipulation Can Render EDR Scanning Ineffective

Researchers demonstrate that by exploiting NTFS junctions and symbolic links to create recursive directory structures—dubbed GhostTree—a normal user can generate billions of paths that cause EDR folder scans to enter infinite loops, effectively hiding malicious files from detection.