[FP] FRST/FRST64 [Fixed]

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

FRST.exe is detected as Malware-gen
FRST64.exe is detected as Evo-gen [Susp]

Please check/fix the FPs.

Hi,
I am not able to download the files: “Unable to connect (Firefox can’t establish a connection to the server at download.bleepingcomputer.com).”
Is there any download mirror, or does anybody know the sha256 hashes?

Have you tried here: http://www.majorgeeks.com/files/details/farbar_recovery_scan_tool.html

https://www.virustotal.com/nb/file/34ea3c1c403b2707294108638a1a7228dc88069eeb4179a33addd095fd56ba5f/analysis/1437399244/

OK, I found around 15 files (hashes) that were submitted with the same filename (FRST.exe or FRST64.exe), some of which seem to be valid (i.e. not a truncated version). I disabled a couple of detections; let's wait a bit till it gets to the users and then test it again :slight_smile:

Yes, that was one of the hashes that I found :-). Should be ok in the next update!

Hi Honza,

no problems with FRST64.exe anymore.

FRST.exe is still blocked, now as FileRepMetagen [DRP]. (VPS 150720-2)

I would be really surprised if this doesn't get flagged. FRST / FRST64 are rebuilt daily or so to include / adjust to newly found malware and the techniques used to hide malware. AV / AM have been flagging this file for some time now.

Farbar Recovery Scan Tool (both 32 bit / 64 bit) as downloaded makes no changes to the system; the program is only a scanning tool. Only when told to run a script (when directed by a trained malware removal person) does the program make any changes to the system. Otherwise, the program will sit there quietly and do nothing harmful or otherwise.

Well, one thing to lower the possibility of being detected is to digitally sign the files - I have never seen a signed FRST file.
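Two things people in this thread want to check on a downloaded FRST binary are whether it is the same file others have (the SHA-256 in the VirusTotal link above is the value to compare against) and whether it carries an Authenticode signature at all. The script below is an added example, not part of the thread and not Farbar's or Avast's tooling; it hashes a file and reads the PE security data directory (the certificate table) to report whether a signature is attached. It does not validate the certificate chain, only whether one is present. The `build_minimal_pe` helper fabricates a bare PE32+ header skeleton so the example runs offline; that sample and the placeholder PKCS#7 body are constructed for this example and are not a real FRST image.

```python
import hashlib
import struct
import sys

# PE/COFF layout constants from the Microsoft PE format specification.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the raw file, the identifier VirusTotal keys its reports by."""
    return hashlib.sha256(data).hexdigest()


def authenticode_directory(data: bytes):
    """Return (file_offset, size) of the Authenticode certificate table, or None.

    The security directory is the one data directory that stores a raw file
    offset instead of an RVA, so no section mapping is needed to locate it.
    Raises ValueError for input that is not a well-formed PE image.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = e_lfanew + 24                   # 4-byte signature + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == PE32_MAGIC:
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == PE32PLUS_MAGIC:
            count_off, dirs_off = opt + 108, opt + 112
        else:
            raise ValueError(f"unknown optional header magic {magic:#x}")
        (num_dirs,) = struct.unpack_from("<I", data, count_off)
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None                       # directory table too short: unsigned
        entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        offset, size = struct.unpack_from("<II", data, entry)
    except struct.error as exc:
        raise ValueError("file too short for a PE header") from exc
    if offset == 0 or size == 0:
        return None                           # unsigned image
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file (truncated download?)")
    return offset, size


def check_download(data: bytes, expected_sha256: str) -> dict:
    """Hash the download, compare with the published hash, report signing state."""
    digest = sha256_of(data)
    return {
        "sha256": digest,
        "hash_matches": digest == expected_sha256.strip().lower(),
        "has_authenticode": authenticode_directory(data) is not None,
    }


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample for this example: a PE32+ header skeleton, not a runnable program.

    Just enough header is present for the parser above. With signed=True a dummy
    WIN_CERTIFICATE entry is appended and referenced from the security directory,
    the layout signtool produces; the PKCS#7 body here is only a placeholder.
    """
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # Machine=x64, SizeOfOptionalHeader=240 (112-byte PE32+ header + 16 directories)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff
    cert = b""
    if signed:
        body = b"placeholder PKCS#7 SignedData"
        body += b"\0" * (-len(body) % 8)                          # entries are 8-byte aligned
        cert = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(image) + len(opt), len(cert))
    return image + bytes(opt) + cert


if __name__ == "__main__":
    # Usage: python check_frst.py FRST.exe <sha256 from the VirusTotal report>
    path, expected = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        print(check_download(fh.read(), expected))
```

A hash match tells you the file is byte-identical to the one already analysed, which is what matters when a mirror is the only download option; a missing certificate table is exactly the "not signed" state that makes a freshly rebuilt binary look like any other unknown executable to a generic detection.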

Agreed Honza, but does that mean you can’t fix the FP, if needed…!?

Not at all! (And I did fix the FP on it.) What I am saying is that it lowers the chance of a FP in the f(i)rst place.

  1. Unfortunately, FRST.exe still gets blocked, now with Win32:Dropper-gen [Drp]. (VPS 150721-0)
  2. Yes, I know that and also tell others, if need be.

Indeed, the 32 bit version was detected again. It should be fixed now (or in a couple of minutes). Thanks for the heads-up!

OK, thanks Honza. Will report back…

It’s fixed now, thanks again Honza. :slight_smile: