Farbar FRST64.exe malware per Malwarebytes scan


  1. Posts : 41,480
    windows 10 professional version 1607 build 14393.969 64 bit
       #1

    Farbar FRST64.exe malware per Malwarebytes scan


    Farbar is commonly downloaded.
    Thread postings are commonly opened.

    How do you interpret this Malwarebytes scan result?

    Is Malwarebytes interpreting the Farbar download from Bleeping Computer as the malware?
    Could it be a false positive?

    Were thread text results clean?

    Windows defender just completed and found no malware.
    It was quarantined using Malwarebytes.



    Anybody else encountered this?

    Any method to prevent it?

    Code:
    Malware.Generic.973009392, C:\USERS\AAAAAAAA\DOWNLOADS\FRST64.EXE, Delete-on-Reboot, 1000000, 0, 1.0.26251, A498128EBB792B9A39FEF1F0, dds, 00788654

    What do each mean?
    Malware.Generic.973009392
    1000000, 0, 1.0.26251, A498128EBB792B9A39FEF1F0, dds, 00788654


    Code:
    Malwarebytes
    www.malwarebytes.com
    
    -Log Details-
    Scan Date: 7/1/20
    Scan Time: 12:16 PM
    Log File: 939dda6a-bbbe-11ea-a660-5cb901fca2de.json
    
    -Software Information-
    Version: 4.1.0.56
    Components Version: 1.0.955
    Update Package Version: 1.0.26251
    License: Free
    
    -System Information-
    OS: Windows 10 (Build 17763.1282)
    CPU: x64
    File System: NTFS
    User: DESKTOP-9HEBUKS\aaaaaaaa
    
    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 281538
    Threats Detected: 1
    Threats Quarantined: 1
    Time Elapsed: 4 min, 23 sec
    
    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect
    
    -Scan Details-
    Process: 0
    (No malicious items detected)
    
    Module: 0
    (No malicious items detected)
    
    Registry Key: 0
    (No malicious items detected)
    
    Registry Value: 0
    (No malicious items detected)
    
    Registry Data: 0
    (No malicious items detected)
    
    Data Stream: 0
    (No malicious items detected)
    
    Folder: 0
    (No malicious items detected)
    
    File: 1
    Malware.Generic.973009392, C:\USERS\AAAAAAAA\DOWNLOADS\FRST64.EXE, Delete-on-Reboot, 1000000, 0, 1.0.26251, A498128EBB792B9A39FEF1F0, dds, 00788654
    
    Physical Sector: 0
    (No malicious items detected)
    
    WMI: 0
    (No malicious items detected)
    
    
    (end)


  2. Posts : 161
    Windows 10
       #2

    "Malware.Generic" is a catch-all term for threats that have not been individually identified in the wild. So basically it's anything that may act like malware but which perhaps isn't known or maybe doesn't even exist. It's like saying "Joe Bloggs" when you refer to someone you don't know but who is among the general population. This "Joe Bloggs" could be good or bad, rich or poor, violent or peaceful, black or white etc. Usually antivirus lumps things together in the same way, but obviously no justice is done to the individual profile of this person. Likewise, antivirus often unfairly discriminates against certain files and behaviour, based on certain predictions etc. In this case it's probably a false positive.

    In terms of what the words and numbers mean, they are probably the results of the scan. DDS, as far as I'm aware, is a tool used to store logs; it could also be an engine used in Malwarebytes. Malwarebytes may implement this in their scanning process. 0 will likely be the result of a conditional statement, i.e. true or false. It can be hard to determine whether it means true or false, seeing as different implementations of conditional statements can make 0 and 1 mean different things. In most cases it means false, and so whatever argument was passed to the scan returned a false when executed. The "1.0.26251" is likely a version number. It could be the scanning engine, could be the executable in question, could be a version number for pretty much anything involved in the scanning process. The combination of letters and numbers starting with "A4981..." is likely some sort of CRC file check. You often use CRC in order to obtain file integrity, but it also poses as a signature, as minute changes are reflected in the returned hash. These minute changes will create a specific hash which can then be matched again and again. "Delete-on-Reboot" is self-explanatory. Malwarebytes probably knew it couldn't take action on the file while the system was running and so aims to delete it before it runs the next time around. "1000000" is likely a returned exit status for another argument/command that was run. Again, this likely means equal to true. As for everything else, it's likely unique identifiers for this particular scan.

    I'm pretty confident you're not dealing with a malware threat. The fact you returned "Malware.generic" means it's a result based on heuristics. This means generally speaking behavioural modelling and predictions based on activity on your computer that may or may not be considered suspicious, and not solely on matching a particular threat that is currently known. All threats you really don't want to encounter will have their own unique 'labels' and they won't be given such a general flaky description. You'll often find pages and pages on the respective antivirus website, especially if you look at the technical detailing, on what a particular threat is about. Looking at this threat there really isn't much. Generic means basically that they don't know what it is or whether it's malware but either way it hasn't been identified (yet). That alone says you're probably looking at a false positive with a prediction based on a 'better safe than sorry' philosophy of lumping certain behaviours into this category as a fail-safe.

    Can you upload the file to VirusTotal? You'll get a far more extensive result from running this file against VT. This way you're using the best of all online scanning technologies all at once instead of just relying on one particular scanner to accurately predict this threat.
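    The log posted above has a regular shape: "-Section-" headers, "Key: Value" lines, and one comma-separated record per detection under "-Scan Details-". The following parser is an added example (not code from Malwarebytes or from anyone in this thread); it pulls the detection records apart into the three fields the thread does identify (family name, path, action) and keeps the trailing fields unlabelled, then flags Malware.Generic hits as the kind of heuristic detection the reply above says deserves a second opinion. The sample log is constructed from the posted one, trimmed to the relevant sections.

```python
"""Parse a Malwarebytes 4.x text scan log and flag generic/heuristic hits."""
import re

# Constructed sample, shortened from the log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Software Information-
Version: 4.1.0.56
Update Package Version: 1.0.26251

-Scan Summary-
Threats Detected: 1
Threats Quarantined: 1

-Scan Details-
Process: 0
(No malicious items detected)

File: 1
Malware.Generic.973009392, C:\USERS\AAAAAAAA\DOWNLOADS\FRST64.EXE, Delete-on-Reboot, 1000000, 0, 1.0.26251, A498128EBB792B9A39FEF1F0, dds, 00788654

(end)
"""

SECTION_RE = re.compile(r"^-(.+)-$")


def parse_log(text):
    """Return ({section: {key: value}}, [detection records])."""
    sections, detections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                                   # "-Scan Summary-" style header
            current = m.group(1)
            sections[current] = {}
        elif current == "Scan Details" and ", " in line:
            f = [p.strip() for p in line.split(",")]   # one detection record
            detections.append({"name": f[0], "path": f[1],
                               "action": f[2], "extra": f[3:]})  # extra: unlabelled fields
        elif current and ": " in line:          # "Key: Value"
            key, _, value = line.partition(": ")
            sections[current][key] = value
    return sections, detections


def is_generic_detection(name):
    """Malware.Generic.* is a heuristic catch-all: verify before trusting it."""
    return name.lower().startswith("malware.generic.")
```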


  3. Posts : 928
    Win 10
       #3

    What version of Malwarebytes? There was an FP that was fixed in the past.
    Malware.Generic.973009392, C:\USERS\AAAAAAAA\DOWNLOADS\FRST64.EXE, Delete-on-Reboot, 1000000, 0, 1.0.26251, A498128EBB792B9A39FEF1F0, dds, 00788654
    That is a heuristic detection.

    -Software Information-
    Version: 4.1.0.56

    Never mind, I saw it.

    You are out of date as well.

    EDIT: Just ran a scan fully updated and no detection.


  4. Posts : 14,046
    Windows 11 Pro X64 22H2 22621.1848
       #4

    For sure, I'm currently at 4.1.2.73.


  5. Posts : 41,480
    windows 10 professional version 1607 build 14393.969 64 bit
    Thread Starter
       #5

    supermammalego said:

    Can you upload the file to VirusTotal? You'll get a far more extensive result from running this file against VT. This way you're using the best of all online scanning technologies all at once instead of just relying on one particular scanner to accurately predict this threat.

    I've not yet rebooted to delete the quarantined file.
    Opening Malwarebytes > restore from quarantine displayed:

    [Screenshot attachment: Farbar FRST64.exe malware per Malwarebytes scan-ten-forums-malwarebytes-scan-quarantine.png]

    How can you determine before reboot whether the file can be recovered?


  6. Posts : 1,862
    Windows 10 Pro 2004 20H1
       #6

    False positive.

    Other tools to confirm it:

    Upload to VirusTotal
    HitmanPro
    Emsisoft Emergency Kit
    Defender

    I just downloaded a fresh copy of FRST from BC and scanned it with Malwarebytes 4.1.0.56 and the current packages.

    Clean.


  7. Posts : 161
    Windows 10
       #7

    zbook said:
    I've not yet rebooted to delete the quarantined file.
    Opening Malwarebytes > restore from quarantine displayed:

    [Screenshot attachment: Farbar FRST64.exe malware per Malwarebytes scan-ten-forums-malwarebytes-scan-quarantine.png]

    How can you determine before reboot whether the file can be recovered?

    Well, it should be recoverable if it has been quarantined. Just recover the file. Judging by the screenshot, though, this isn't possible, which is odd considering it's essentially telling you that you cannot restore this file until it has been deleted.

    You could just download the software again. If it's on Bleeping Computer I can't see it being malware.



  9. Posts : 928
    Win 10
       #9

    zbook said:
    I've not yet rebooted to delete the quarantined file.
    Opening Malwarebytes > restore from quarantine displayed:

    [Screenshot attachment: Farbar FRST64.exe malware per Malwarebytes scan-ten-forums-malwarebytes-scan-quarantine.png]

    How can you determine before reboot whether the file can be recovered?

    You have to always restart to be able to restore any file in quarantine. If a file actually gets quarantined it can be restored UNLESS you delete the quarantine or uninstall and reinstall Malwarebytes.