Looking at the VirusTotal results in the Twitter thread, all but one of the rootkits were actually detected by Microsoft's own anti-virus engine. I think Microsoft should consider running the submissions for driver signing through their anti-virus scanner (or even better, VirusTotal). Won't catch everything, of course, but it's pretty low hanging fruit.
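As an added illustration of the pre-signing check this comment proposes (not code from the thread or from Microsoft's signing pipeline), the script below hashes a submitted driver, builds the VirusTotal v3 file-lookup request, parses the response and turns it into a gate decision. The response bodies are constructed samples in the shape of a v3 `GET /api/v3/files/{sha256}` reply; the vendor verdict strings, the `reject_at` threshold and the "hold for manual review" policy are assumptions for the example. A hash VirusTotal has never seen is deliberately treated as "hold" rather than "pass", since an unknown sample is not evidence that it is clean.

```python
"""Pre-signing malware gate: hash a driver, look it up on VirusTotal,
and decide whether the submission passes, is held, or is rejected."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Real VirusTotal v3 file-lookup endpoint; authentication is an x-apikey header.
VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Constructed sample responses (shape of a v3 /files/{sha256} reply).
# Vendor names other than "Microsoft" and all result strings are placeholders.
SAMPLE_FLAGGED = json.dumps({"data": {"attributes": {
    "last_analysis_stats": {"malicious": 7, "suspicious": 1,
                            "undetected": 60, "harmless": 0, "timeout": 0},
    "last_analysis_results": {
        "Microsoft": {"category": "malicious", "result": "PLACEHOLDER.Rootkit"},
        "VendorB": {"category": "undetected", "result": None},
    }}}})
SAMPLE_CLEAN = json.dumps({"data": {"attributes": {
    "last_analysis_stats": {"malicious": 0, "suspicious": 0,
                            "undetected": 68, "harmless": 0, "timeout": 0},
    "last_analysis_results": {
        "Microsoft": {"category": "undetected", "result": None},
    }}}})
# v3 returns an error object with code NotFoundError for an unknown hash.
SAMPLE_NOT_FOUND = json.dumps({"error": {"code": "NotFoundError",
                                         "message": "File not found"}})


@dataclass
class Verdict:
    malicious: int          # engines that called the file malicious
    suspicious: int         # engines that called it suspicious
    engines: int            # total engines in last_analysis_stats
    microsoft_flagged: bool # did Microsoft's engine flag it?


def sha256_of(blob: bytes) -> str:
    """SHA-256 hex digest of the submitted driver, the id VT keys files by."""
    return hashlib.sha256(blob).hexdigest()


def build_lookup(sha256: str, api_key: str) -> Tuple[str, dict]:
    """URL and headers for the v3 lookup. No request is sent in this example."""
    return VT_FILES_ENDPOINT + sha256, {"x-apikey": api_key}


def parse_verdict(body: str) -> Optional[Verdict]:
    """Reduce a v3 file reply to the counts the gate needs; None if VT has
    never seen the hash (a NotFoundError body)."""
    doc = json.loads(body)
    if "error" in doc:
        return None
    attrs = doc["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs.get("last_analysis_results", {})
    ms_flagged = results.get("Microsoft", {}).get("category") == "malicious"
    return Verdict(stats["malicious"], stats["suspicious"],
                   sum(stats.values()), ms_flagged)


def gate(verdict: Optional[Verdict], reject_at: int = 3) -> str:
    """Assumed policy: reject if Microsoft's own engine flags the file or
    at least reject_at engines do; hold for review on any detection or on
    an unknown hash; pass only on a known file with zero detections."""
    if verdict is None:
        return "hold"
    if verdict.microsoft_flagged or verdict.malicious >= reject_at:
        return "reject"
    if verdict.malicious or verdict.suspicious:
        return "hold"
    return "pass"


def triage(body: str) -> str:
    """Convenience wrapper: raw VT reply body -> gate decision."""
    return gate(parse_verdict(body))


if __name__ == "__main__":
    driver = b"constructed driver image bytes"  # constructed stand-in
    url, headers = build_lookup(sha256_of(driver), "PLACEHOLDER_API_KEY")
    print("would query", url)
    for name, body in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN),
                       ("unknown", SAMPLE_NOT_FOUND)):
        print(name, "->", triage(body))
```

A real deployment would also scan the file locally with the signing vendor's own engine before the lookup, since a VirusTotal hash lookup only reflects what has already been submitted and classified; the "hold" outcome is where that first-seen case lands here.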



I’m pretty sure that these were added to the defender list after they were signed and seen in the wild…

Same goes for VT; they only classify something as malware after there is sufficient evidence that it is malware.

For the most part the only difference between malware and non-malware is the intent of the operator; pretty much any functionality can be abused for malicious purposes.

This especially holds true for most security/system management suites: they have pretty much the same capabilities as any decent RAT malware, and the only difference is the reason behind why they are deployed.
