Release files and their hashes
Release artifacts are rebuilt for every release, so this page deliberately does not hard-code a hash that would silently go stale. The authoritative SHA-256 for every asset is published with each release:
- Automatic (main) releases include a SHA256SUMS.txt manifest.
- Tagged releases include a <asset>.sha256.txt file next to each download.
- On Windows the recommended download is the standalone folder build (no self-extracting wrapper) — it comes up clean on antivirus where the single file does not. A single-file build is also published, and Linux offers a folder build too.
Compare the file you downloaded against the value published on that release's page — see Verification below.
What the program does
PS2 Servers provides user-controlled local server modes for PS2 homebrew use:
- SMBv1/RiptOPL: local SMB/CIFS-compatible server, normally TCP 1111 (ports below 1033 discouraged).
- UDPFS: local UDP file/block serving, normally UDP 0xF5F6.
- UDPBD: local UDP block-device serving, normally UDP 0xBDBD.
- Firewall helper: optional Windows Firewall allow rules after user action.
The app can also remove its own firewall rules.
What the program does not do
PS2 Servers does not contain or intentionally perform any of the following behavior:
- credential theft
- browser modification
- adware installation
- persistence installation
- crypto-mining
- ransomware behavior
- unauthorized remote-control behavior
- silent firewall modification on launch
- silent administrator elevation on launch
- Windows SMB1 optional-feature installation
- Windows SMB1 automatic-removal disabling
Why some antivirus engines may detect it
The current Windows executable has several characteristics that can cause heuristic or machine-learning detections even when the software is legitimate:
- It is unsigned.
- It is distributed as a small independent project.
- It starts local network services by design, including UDP broadcast for PS2 auto-discovery.
- It may request firewall-rule changes after user consent, via a short hidden PowerShell command (without -ExecutionPolicy Bypass).
- It includes bundled runtime/application content.
- The single-file build self-extracts to a temporary folder on launch and re-executes itself to run a server with the embedded interpreter — a generic packer/dropper heuristic. The folder download avoids this self-extraction step.
- It is not yet a widely reputation-established Windows binary.
The folder build (PS2Servers-windows-x64-folder.zip) is the same app with no self-extracting wrapper, which comes up clean on antivirus. (PS2Servers-linux-x64-folder.tar.gz is the Linux equivalent.) The single-file build is the one flagged by heuristics.
These factors can trigger generic labels such as Trojan.Generic, Malware.AI, Suspicious, Evo-gen, Susgen, Riskware, or similar names. Those names are not necessarily specific claims that the file belongs to a known malware family. In many cases, they indicate a generic, heuristic, AI/ML, reputation, or suspicious-behavior classification.
Response to current detection types
Exact vendor names and labels may change as antivirus databases update. The table below explains the project’s response to the detection classes currently relevant to PS2 Servers.
| Detection type | Public response |
|---|---|
| Generic Trojan / Trojan.Generic / Trojan.Win32.Generic | This is a broad classification and does not identify a specific malicious behavior in PS2 Servers. The app’s server behavior is intentional and limited to user-selected local PS2 homebrew file serving. |
| AI / ML / MachineLearning / Malware.AI | This indicates an automated model-based classification. The likely triggers are unsigned distribution, bundled executable packaging, and local server/firewall behavior. The source code and expected behavior are public for review. |
| Evo-gen / Gen / Gen:Variant / Heur | This appears to be a generic evolutionary or heuristic classification rather than a specific malware-family identification. The file has been or will be submitted to the detecting vendor as a false positive. |
| Susgen / Suspicious / malicious-confidence label | This appears to be a suspicion-based classification. PS2 Servers does perform local network-server activity, but that activity is the documented purpose of the program. It is not hidden, persistent, or unrelated to the user-facing function. |
| Riskware / HackTool / PUA / PUP | PS2 Servers is not adware or bundled unwanted software. It is a user-launched local utility. Any elevated action is limited to firewall management or advanced port behavior and is disclosed to the user. |
| Network-related warning | Network activity is expected. The program exists to serve PS2 game and homebrew files from a PC to a PlayStation 2 over the local network. This is local server behavior, not unauthorized remote access. |
| URL / website reputation warning | The project is distributed from its public GitHub repository and release pages. Any URL reputation issue should be reviewed as a false positive against the repository or release URL. |
Verification options for users
Users who want the lowest-trust path do not need to rely only on the packaged executable.
- Inspect the public source code.
- Compare the downloaded file hash against the published SHA-256.
- Verify GitHub build provenance where artifact attestations are available.
- Run from source instead of using the packaged Windows executable.
- Wait for antivirus vendor false-positive reviews to complete.
PowerShell hash verification
Get-FileHash .\PS2Servers-windows-x64.zip -Algorithm SHA256
Where to find the expected hash
Do not trust a hash printed on this page. Compare your download against the
checksum published on the release you downloaded:
SHA256SUMS.txt (automatic/main releases) or the per-asset
<asset>.sha256.txt file (tagged releases). On a main
release you can also verify build provenance with the GitHub CLI:
gh attestation verify PS2Servers-windows-x64.zip -R NathanNeurotic/PS2-Servers
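The comparison described above can be scripted so that it fails closed when the checksum file has no entry for the download. This is an added example, not code from the PS2 Servers project: the function name Test-ReleaseHash is hypothetical, the checksum file is assumed to use the common sha256sum layout, and the demo files are constructed stand-ins written to a temp folder.

```powershell
# Added example, not PS2 Servers project code.
# Assumption: checksum files use the sha256sum layout, "<64 hex>  <name>" per
# line ("*" before the name allowed); a per-asset file may hold the hash alone.
function Test-ReleaseHash {
    param(
        [Parameter(Mandatory)][string]$AssetPath,
        [Parameter(Mandatory)][string]$ChecksumPath
    )
    $assetName = [IO.Path]::GetFileName($AssetPath)
    $actual = (Get-FileHash -LiteralPath $AssetPath -Algorithm SHA256).Hash.ToLowerInvariant()
    $named = $null
    $bare = @()
    foreach ($line in Get-Content -LiteralPath $ChecksumPath) {
        # Group 1 is the hash; group 2 is the optional file name.
        if ($line -notmatch '^\s*([0-9A-Fa-f]{64})(?:\s+\*?(\S.*?))?\s*$') { continue }
        $hash = $Matches[1].ToLowerInvariant()
        $name = $Matches[2]
        if ([string]::IsNullOrEmpty($name)) { $bare += $hash }
        elseif ([IO.Path]::GetFileName($name) -eq $assetName) { $named = $hash; break }
    }
    # Fail closed: a nameless hash is accepted only if it is the sole such line,
    # and an entry that names a different file is never used.
    $expected = if ($named) { $named } elseif ($bare.Count -eq 1) { $bare[0] } else { $null }
    if (-not $expected) { throw "No SHA-256 entry for '$assetName' in $ChecksumPath" }
    [pscustomobject]@{
        Asset    = $assetName
        Expected = $expected
        Actual   = $actual
        Match    = ($expected -eq $actual)
    }
}

# Constructed demo: a stand-in asset and manifest, not real release files.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'ps2servers-hash-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$asset = Join-Path $dir 'PS2Servers-windows-x64.zip'
$sums  = Join-Path $dir 'SHA256SUMS.txt'
Set-Content -LiteralPath $asset -Value 'constructed stand-in, not a real release'
$published = (Get-FileHash -LiteralPath $asset -Algorithm SHA256).Hash.ToLowerInvariant()
Set-Content -LiteralPath $sums -Value "$published  PS2Servers-windows-x64.zip"

# Check the untouched file against the manifest.
Test-ReleaseHash -AssetPath $asset -ChecksumPath $sums

# Same check after the file on disk has been altered.
Add-Content -LiteralPath $asset -Value 'modified after publication'
Test-ReleaseHash -AssetPath $asset -ChecksumPath $sums
```

For a real download, pass the asset and the SHA256SUMS.txt or <asset>.sha256.txt file taken from the same release page, and treat a Match value of False or a thrown error as a reason not to run the file.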
Report a false positive to your vendor
Vendor reports are what actually clear a detection for everyone. Record the SHA-256 of your download (above), then submit it to the detecting vendor's official false-positive form. Links can change — if one moves, search the vendor's site for "false positive" or "sample submission".
| Vendor | Submission portal |
|---|---|
| Microsoft Defender / SmartScreen | microsoft.com/en-us/wdsi/filesubmission |
| Avast / AVG (Gen) | avast.com/false-positive-file-form.php |
| Bitdefender | bitdefender.com consumer false-positive form |
| Kaspersky | opentip.kaspersky.com |
| ESET | support.eset.com sample submission |
| Malwarebytes | malwarebytes.com/false-positive |
| Any / multi-engine | virustotal.com — paste the SHA-256 or upload the file |
Current project position
I take antivirus reports seriously. The detections are being treated as false-positive candidates because the software’s behavior matches its documented purpose, the project is open source, and the release artifacts are identifiable by hash.
I am not asking users to blindly ignore their security software. I am asking that the report be evaluated against the actual source code, documented behavior, published hashes, and release provenance instead of assuming that a generic heuristic label is a confirmed malware verdict.
If a vendor identifies a specific malicious behavior, compromised dependency, or reproducible security issue, I will address it directly. If the vendor confirms the file is clean, I will update the release notes accordingly.