Public antivirus detection statement

PS2 Servers antivirus detection statement

A plain-language explanation of current antivirus detections, expected network behavior, verification options, and the project’s false-positive review position.

PS2 Servers is an open-source PlayStation 2 homebrew utility. Its purpose is to let Open PS2 Loader and compatible forks load files from a PC using local-network server modes such as SMBv1/RiptOPL, UDPFS, and UDPBD.

Important: The Windows build is currently unsigned and provides local network-server behavior by design. Those facts can cause heuristic antivirus detections even when the software is legitimate.

A detection should be taken seriously, but a generic or heuristic label is not automatically proof of malicious intent or a confirmed malware family.

Release files and their hashes

Release artifacts are rebuilt for every release, so this page deliberately does not hard-code a hash that would silently go stale. The authoritative SHA-256 for every asset is published with each release:

Compare the file you downloaded against the value published on that release's page — see Verification below.

What the program does

PS2 Servers provides user-controlled local server modes for PS2 homebrew use:

Firewall rules created by the application use the name prefix PS2 Servers -. The app can also remove its own firewall rules.

What the program does not do

PS2 Servers does not contain or intentionally perform any of the following behavior:

The SMB mode uses the program’s own SMB/CIFS implementation for OPL compatibility. It does not require enabling Windows’ built-in SMB1 optional feature.

Why some antivirus engines may detect it

The current Windows executable has several characteristics that can cause heuristic or machine-learning detections even when the software is legitimate:

  1. It is unsigned.
  2. It is distributed as a small independent project.
  3. It starts local network services by design, including UDP broadcast for PS2 auto-discovery.
  4. It may request firewall-rule changes after user consent, via a short hidden PowerShell command (without -ExecutionPolicy Bypass).
  5. It includes bundled runtime/application content.
  6. The single-file build self-extracts to a temporary folder on launch and re-executes itself to run a server with the embedded interpreter — a generic packer/dropper heuristic. The folder download avoids this self-extraction step.
  7. It is not yet a widely reputation-established Windows binary.

On Windows, prefer the standalone folder build (PS2Servers-windows-x64-folder.zip): the same app with no self-extracting wrapper, which comes up clean on antivirus. (PS2Servers-linux-x64-folder.tar.gz is the Linux equivalent.) The single-file build is the one flagged by heuristics.

These factors can trigger generic labels such as Trojan.Generic, Malware.AI, Suspicious, Evo-gen, Susgen, Riskware, or similar names. Those names are not necessarily specific claims that the file belongs to a known malware family. In many cases, they indicate a generic, heuristic, AI/ML, reputation, or suspicious-behavior classification.

Response to current detection types

Exact vendor names and labels may change as antivirus databases update. The table below explains the project’s response to the detection classes currently relevant to PS2 Servers.

| Detection type | Public response |
| --- | --- |
| Generic Trojan / Trojan.Generic / Trojan.Win32.Generic | This is a broad classification and does not identify a specific malicious behavior in PS2 Servers. The app’s server behavior is intentional and limited to user-selected local PS2 homebrew file serving. |
| AI / ML / MachineLearning / Malware.AI | This indicates an automated model-based classification. The likely triggers are unsigned distribution, bundled executable packaging, and local server/firewall behavior. The source code and expected behavior are public for review. |
| Evo-gen / Gen / Gen:Variant / Heur | This appears to be a generic evolutionary or heuristic classification rather than a specific malware-family identification. The file has been or will be submitted to the detecting vendor as a false positive. |
| Susgen / Suspicious / malicious-confidence label | This appears to be a suspicion-based classification. PS2 Servers does perform local network-server activity, but that activity is the documented purpose of the program. It is not hidden, persistent, or unrelated to the user-facing function. |
| Riskware / HackTool / PUA / PUP | PS2 Servers is not adware or bundled unwanted software. It is a user-launched local utility. Any elevated action is limited to firewall management or advanced port behavior and is disclosed to the user. |
| Network-related warning | Network activity is expected. The program exists to serve PS2 game and homebrew files from a PC to a PlayStation 2 over the local network. This is local server behavior, not unauthorized remote access. |
| URL / website reputation warning | The project is distributed from its public GitHub repository and release pages. Any URL reputation issue should be reviewed as a false positive against the repository or release URL. |

Verification options for users

Users who want the lowest-trust path do not need to rely only on the packaged executable.

  1. Inspect the public source code.
  2. Compare the downloaded file hash against the published SHA-256.
  3. Verify GitHub build provenance where artifact attestations are available.
  4. Run from source instead of using the packaged Windows executable.
  5. Wait for antivirus vendor false-positive reviews to complete.

PowerShell hash verification

Get-FileHash .\PS2Servers-windows-x64.zip -Algorithm SHA256

Where to find the expected hash

Do not trust a hash printed on this page. Compare your download against the checksum published on the release you downloaded: SHA256SUMS.txt (automatic/main releases) or the per-asset <asset>.sha256.txt file (tagged releases). On a main release you can also verify build provenance with the GitHub CLI:

gh attestation verify PS2Servers-windows-x64.zip -R NathanNeurotic/PS2-Servers
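
A scripted version of that comparison, added here as an illustration and not part of the PS2 Servers project. The function name Test-ReleaseHash is hypothetical, and the checksum-file layout (sha256sum-style "<hash>  <filename>" lines, or a bare hash in a per-asset file) is an assumption, since this page does not show the file format. The demo files are constructed stand-ins written to a temp folder.

```powershell
# Added example: compare a download against a release checksum file.
# Assumed layout: "<64 hex chars>  <filename>" per line, or a bare hash.
function Test-ReleaseHash {
    param(
        [Parameter(Mandatory)] [string] $Path,          # downloaded asset
        [Parameter(Mandatory)] [string] $ChecksumFile   # SHA256SUMS.txt or <asset>.sha256.txt
    )
    $name     = Split-Path -Leaf $Path
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $expected = $null
    foreach ($line in Get-Content -LiteralPath $ChecksumFile) {
        # Group 1: the hash. Group 2: optional file name (after an optional "*" marker).
        if ($line -match '^\s*([0-9a-fA-F]{64})(?:\s+\*?(.+?))?\s*$') {
            # Accept a bare hash, or the entry whose name matches this asset.
            if (-not $Matches[2] -or $Matches[2] -eq $name) {
                $expected = $Matches[1]; break
            }
        }
    }
    # A missing entry is a failure, not a pass.
    if (-not $expected) { throw "No SHA-256 entry for '$name' in $ChecksumFile" }
    [pscustomobject]@{
        File     = $name
        Expected = $expected.ToLowerInvariant()
        Actual   = $actual.ToLowerInvariant()
        Match    = $expected -eq $actual   # string -eq is case-insensitive
    }
}

# Constructed demo input: a stand-in asset and a matching checksum list.
$dir   = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$asset = Join-Path $dir 'PS2Servers-windows-x64.zip'
Set-Content -LiteralPath $asset -Value 'constructed stand-in, not a real release' -NoNewline
$good  = (Get-FileHash -LiteralPath $asset -Algorithm SHA256).Hash.ToLower()
$sums  = Join-Path $dir 'SHA256SUMS.txt'
Set-Content -LiteralPath $sums -Value @(
    ('0' * 64) + '  PS2Servers-linux-x64-folder.tar.gz'   # constructed entry for another asset
    "$good  PS2Servers-windows-x64.zip"
)
Test-ReleaseHash -Path $asset -ChecksumFile $sums   # file as published

Add-Content -LiteralPath $asset -Value 'tampered'   # simulate a modified download
Test-ReleaseHash -Path $asset -ChecksumFile $sums   # same list, altered file
Remove-Item -LiteralPath $dir -Recurse -Force
```

Fetch the checksum file from the release page itself rather than from a mirror or a copy that shipped alongside the download, so the two values come from independent sources.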

Report a false positive to your vendor

Vendor reports are what actually clear a detection for everyone. Record the SHA-256 of your download (above), then submit it to the detecting vendor's official false-positive form. Links can change — if one moves, search the vendor's site for "false positive" or "sample submission".

| Vendor | Submission portal |
| --- | --- |
| Microsoft Defender / SmartScreen | microsoft.com/en-us/wdsi/filesubmission |
| Avast / AVG (Gen) | avast.com/false-positive-file-form.php |
| Bitdefender | bitdefender.com consumer false-positive form |
| Kaspersky | opentip.kaspersky.com |
| ESET | support.eset.com sample submission |
| Malwarebytes | malwarebytes.com/false-positive |
| Any / multi-engine | virustotal.com (paste the SHA-256 or upload the file) |

Current project position

I take antivirus reports seriously. The detections are being treated as false-positive candidates because the software’s behavior matches its documented purpose, the project is open source, and the release artifacts are identifiable by hash.

I am not asking users to blindly ignore their security software. I am asking that the report be evaluated against the actual source code, documented behavior, published hashes, and release provenance instead of assuming that a generic heuristic label is a confirmed malware verdict.

If a vendor identifies a specific malicious behavior, compromised dependency, or reproducible security issue, I will address it directly. If the vendor confirms the file is clean, I will update the release notes accordingly.