A rootkit named Netfilter.


Recently the following article was shared on news websites:

Microsoft signed a malicious Netfilter rootkit

What started as a false positive alert for a Microsoft-signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen? Last week our alert system notified us of a possible false positive because we detected a driver[1] named "Netfilter" that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default.
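As an added illustration (not part of the original post or the quoted article), the following PowerShell snippet shows the kind of check an analyst would run on a Windows host after reading that report: enumerate installed kernel drivers whose service name contains "netfilter" and show the Authenticode signer of each file, so that a Microsoft signature is seen as one data point to verify rather than as proof that the driver is benign. The name filter and output layout are assumptions for this example.

```powershell
# Added example, not code from the original post or from any driver vendor.
# Lists kernel drivers whose service name matches "netfilter" together with
# their on-disk path and Authenticode signature details.
Get-CimInstance -ClassName Win32_SystemDriver |
  Where-Object { $_.PathName -and $_.Name -match 'netfilter' } |
  ForEach-Object {
    # Win32_SystemDriver may report paths with a "\??\" NT prefix; strip it
    # so Get-AuthenticodeSignature can open the file.
    $path = $_.PathName -replace '^\\\?\?\\', ''
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
      Name    = $_.Name
      State   = $_.State
      Path    = $path
      Status  = $sig.Status                      # Valid / NotSigned / HashMismatch ...
      Signer  = $sig.SignerCertificate.Subject   # who signed the binary
      Issuer  = $sig.SignerCertificate.Issuer    # which CA chain it came from
    }
  } | Format-Table -AutoSize
```

A Valid status with a Microsoft signer only tells you the file passed Microsoft's signing process; the incident above is exactly the case where that was true of a malicious driver, so the file itself still needs to be examined.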

This malware has nothing in common with NFSDK drivers except the name. There are no false positives in antivirus engines related to NFSDK drivers.