Asyn
1
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
FRST.exe is detected as Malware-gen
FRST64.exe is detected as Evo-gen [Susp]
Please check/fix the FPs.
HonzaZ
2
Hi,
I am not able to download the files: “Unable to connect (Firefox can’t establish a connection to the server at download.bleepingcomputer.com).”
Is there any download mirror, or does anybody know the sha256 hashes?
HonzaZ
4
Ok, I found around 15 files (hashes) that were submitted with the same filename (FRST.exe or FRST64.exe), some of which seem to be valid (i.e. not a truncated version). I disabled a couple of detections, let’s wait a bit till it gets to the users and then test it again.
HonzaZ
5
Yes, that was one of the hashes that I found :-). Should be ok in the next update!
Asyn
6
Hi Honza,
no problems with FRST64.exe anymore.
FRST.exe is still blocked, now as FileRepMetagen [DRP]. (VPS 150720-2)
I would be real surprised if this doesn’t get flagged. FRST / FRST64 are rebuilt daily or so to include / adjust to newly found malware and the techniques used to hide malware. AV / AM have been flagging this file for some time now.
Farbar Recovery Scan Tool (both 32 bit / 64 bit) as downloaded makes no changes to the system; the program is only a scanning tool. Only when told to run a script (when directed by a trained malware removal person) does the program make any changes to the system. Otherwise, the program will sit there quietly and do nothing harmful or otherwise.
HonzaZ
8
Well, one thing to lower the possibility of being detected is to digitally sign the files - I have never seen a signed FRST file.
Asyn
9
Agreed Honza, but does that mean you can’t fix the FP, if needed…!?
HonzaZ
10
Not at all! (And I did fix the FP on it.) What I am saying is that it lowers the chance of a FP in the f(i)rst place.
HonzaZ
12
Indeed, the 32 bit version was detected again. It should be fixed now (or in a couple of minutes). Thanks for the heads-up!
Asyn
13
OK, thanks Honza. Will report back…
Asyn
14
It’s fixed now, thanks again Honza. 