AV detected Sunshine as threat
Is there an existing issue for this?
- [x] I have searched the existing issues
Is your issue described in the documentation?
- [x] I have read the documentation
Is your issue present in the latest beta/pre-release?
This issue is present in the latest pre-release
Describe the Bug
Windows Defender labels the latest pre-release as Trojan:Script/Wacatac.H!ml. Taking it into VirusTotal, I get this, where it's labeled FileRepMalware
compared to the stable release virus total
Expected Behavior
No response
Additional Context
No response
Host Operating System
Windows
Operating System Version
24H2
Architecture
amd64/x86_64
Sunshine commit or version
v2025.609.163957
Package
Windows - installer (recommended)
GPU Type
NVIDIA
GPU Model
RTX 4070 Ti Super
GPU Driver/Mesa Version
566.36
Capture Method
None
Config
Apps
Relevant log output
N/A
I am getting the same flag - first time yet...
I am getting the same, and with the latest release the VirusTotal results are better, but still not completely squeaky clean.
I'm assuming it's a false positive (I've been on the wrong end of these in the past as a fellow dev and know how "viral" a single false positive can be amongst the reporting of AV services, ironic really) but some reassurance from the devs about what may have triggered this in that release would be nice.
EDIT: May be linked to this service provider updating their dbs, unsure:
https://live.paloaltonetworks.com/t5/virustotal/false-positive-detection-generic-ml-sunshine/td-p/1065925
Someone on discord mentioned that Wacatac is basically a scam by Microsoft to try to get small developers to pony up and buy certificates for code signing.
There isn't very much information about what it is on Microsoft's page: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FWacatac.H!ml&msockid=3b67194a59626b0529cc0c0458046abd
I very much appreciate the reassurance.
To back up what the dev said, I do both OSS work (mod dlls for KSP and other games, see my github profile) and commercial work for my job at a small court reporting firm. At the firm, we have a code signing cert, but they are NOT easy to attain. I've never had my work software flagged but my OSS mods get flagged semi-regularly for reasons like "hasn't been downloaded enough." It is pretty much a mild mannered extortion racket on smaller devs.
So yeah, your explanation 100% tracks. Thanks anyways.
The "Wacatac" flag is not really worrying... the bad part is that when you scan with a virus scanner, a couple of vendors flag it as a miner also... and this wasn't the case with the older versions.
At this point I wonder if we're being sabotaged, because a few days ago there was 1 or 2 listed.
Copying some notes from my duplicate bug:
Here's the latest stable: https://www.virustotal.com/gui/file/c38e13fdc999cd1124e31ce66349891c4502425cd9154d362ff434722e27ebfc
Here's the latest pre-release: https://www.virustotal.com/gui/file/c38e13fdc999cd1124e31ce66349891c4502425cd9154d362ff434722e27ebfc
Older versions, such as v2025.122.141614 do not exhibit this problem. Currently 18/71 anti-viruses are flagging it and the number has increased from a few hours ago.
At this point I wonder if we're being sabotaged, because a few days ago there was 1 or 2 listed.
Sabotaged by whom exactly? Also, there were 7-8 detections for weeks based on the pre-releases… with the current stable release the number is 20 right now… The stable version from January had 1-2 detections…
I looked at this just last week and it was only wacatac that stood out.
The number jumped since we "released", even though it's the exact same file as the pre-release. We don't re-compile for a release, we just uncheck "pre-release" in the GitHub.
It has even jumped since an hour ago, which honestly doesn't make logical sense. If we aren't being sabotaged, then the only explanation I can think of is that AV software doesn't really work as you think it does... and it just goes based off a type of user trust score. Since this is now being downloaded en masse the AVs are freaking out because they haven't seen these files before. Maybe?
Anyway, Sunshine is developed completely in the open including our build pipeline. You're all free to analyze it for anything malicious if you feel the need.
> I looked at this just last week and it was only wacatac that stood out.
> The number jumped since we "released", even though it's the exact same file as the pre-release. We don't re-compile for a release, we just uncheck "pre-release" in the GitHub.
> It has even jumped since an hour ago, which honestly doesn't make logical sense.
Anti-viruses work on heuristics and are not 100% accurate. This is probably a side effect of something else that is malicious that does something similar to what this installer is doing. Hence, the others are starting to "pick it up".
Idk, 20/72 seems really aggressive. Could it be because of some updates on the dependencies?
Maybe new interoperability features (e.g., accessing the clipboard)? A lot of things that remote access software do is also done by people creating RATs and other malware.
> I looked at this just last week and it was only wacatac that stood out.
> The number jumped since we "released", even though it's the exact same file as the pre-release. We don't re-compile for a release, we just uncheck "pre-release" in the GitHub.
> It has even jumped since an hour ago, which honestly doesn't make logical sense.
Just a vague guess, but an explanation for the jump might be that people with these AV engines installed now receive the updated Sunshine as a regular release update, while the pre-release version might not be that popular and thus not reach said users/systems in a broad mass, with their AVs maybe doing some ML stuff. "Sane" AV companies probably offer a way to reach out to them in regard to reporting false positives, so they can fix their signatures and/or figure out what the actual problem is they have found or claim to have detected.
Symantec: https://symsubmit.symantec.com/ Fortinet: https://www.fortiguard.com/faq/antivirus-contact
> "and it just goes based off a type of user trust score."
As I mentioned earlier, I have experienced this on the Kopernicus Project, which is just an innocent DLL mod for Kerbal Space Program's planetarium. When a new release drops, AV vendors suddenly go nuts until it gets reviewed and approved, or something.
I don't have the ability to codesign there, so I just tell users to report it as a "good file" to their vendors. *shrugs*
To echo here some of the things discussed in the Discord, the worst part about all this anti-virus stuff is that the vast majority of them are just a "web of trust" and rarely do any kind of manual auditing, so they flag everything new as a threat, because FUD is cheaper than lawyers if it turns out to be a real threat.
Ok rant aside, I ran the latest release yesterday through Virustotal and it came out clean, so I'm fairly confused.
> To echo here some of the things discussed in the Discord, the worst part about all this anti-virus stuff is that the vast majority of them are just a "web of trust" and rarely do any kind of manual auditing, so they flag everything new as a threat, because FUD is cheaper than lawyers if it turns out to be a real threat.
> Ok rant aside, I ran the latest release yesterday through Virustotal and it came out clean, so I'm fairly confused.
Do you even know how to scan with VirusTotal? This is the latest stable version scanned
VT does have an analyze URL option, but I'm not sure that downloads the files that live at those URLs. Their website should probably be more clear about what it does and doesn't do.
> VT does have an analyze URL option, but I'm not sure that downloads the files that live at those URLs. Their website should probably be more clear about what it does and doesn't do.
It doesn't. I put the URLs of the ones from yesterday that were being flagged when downloaded and they mostly came up clean.
My AV detects "A Variant Of Win64/CoinMiner_AGen.AM" in the windows-installer for the latest release (v2025.628.4510). This isn't the case with older releases. Has anyone had a similar experience, where the windows-installer.exe or portable version is infected with cryptomining malware? This is what VT says: https://www.virustotal.com/gui/file/eb41bbf4a1e154442792299981be9bee5c34ae77a9cf51bc81bbda5525d9858a
My AV (Carbon Black Cloud) also identified the latest release (v2025.628.4510) as Wacatac and suspected malware and blocked it. Will any steps be taken by the Sunshine developer community to avoid the client being treated as malware by AV programs, with a potential revised release?
> Will any steps be taken by the Sunshine developer
What do you propose that hasn't already been mentioned earlier in this issue?
> What do you propose that hasn't already been mentioned earlier in this issue?
As a user with zero developer knowledge, I would highly appreciate an updated release, which is not treated as malware by AV programs (similar to previous releases). I am sorry if this is already planned and I missed it.
I am aware that I can only offer a user perspective and unfortunately cannot contribute anything to the development, including an appraisal of whether this is even possible with reasonable effort.
@hamtidamti-onthewall I suggest you read the above comments. There is nothing we can really do that will tell your AV provider to trust the files, that is basically up to the users.
> @hamtidamti-onthewall I suggest you read the above comments. There is nothing we can really do that will tell your AV provider to trust the files, that is basically up to the users.
This, pretty much. The only option is to get a code signing cert (expensive), or have someone else (a sponsor essentially) look over your code and sign it with one. These are expensive so probably only the latter could work, and that would mean making this project less independent. @ReenigneArcher if you are interested in going that route, a former employer of mine, techpowerup.com, has been known to sponsor projects and sign well written code for some gaming related projects (which this falls into the category of). They are the authors of GPU-Z so not entirely unknown. If you'd like me to reach out to them for you (I have a pretty direct line to w1zzard, the owner), just say so. They are generally reasonable and just request a small logo somewhere (plus reviewing your code but that's just common sense). I don't know if that's even an option though, as this project IS FOSS software and I don't know your licensing obligations. In the end, as project head, that's probably fully in your court. Just making you aware of a potential option.
We now have automated VirusTotal scans with every release/pre-release.
This is the latest pre-release: https://www.virustotal.com/gui/file/d073d3182027091e807e7bd773b91f2a69085ccbda8d5fa6117d9dacbdfd71e7
Only 4 flagged it, and virtually no changes to the code... kind of proves the AVs are garbage.
You can see the results of all our release assets at the bottom of every release going forward.
It's also interesting that none of the Linux packages are flagged for anything.
These are the current sigma rules being detected by VT in the new pre-release.
- downloading vigembus installer, obviously not malicious as this is a dependency on Windows (also it's optional)... perhaps we can bundle it directly in our installer
- piping command output to find, also in gamepad installer script... would not be necessary if we bundle directly
- making any http requests, also in the gamepad installer script... also would not be necessary if we bundle directly
- creating a hidden powershell process, also in the gamepad installer script... this would still be required... perhaps having the entire script be powershell would remove this flag... I have been wanting to convert the scripts over from bat anyway
Everything identified is in this file: https://github.com/LizardByte/Sunshine/blob/master/src_assets/windows/misc/gamepad/install-gamepad.bat
None of these are new or even modified with the latest release, but I will start looking into an alternative. We probably can't bundle the vigembus installer directly as it likely has more internet connections than we do which may increase the likelihood of getting more flags.
https://github.com/LizardByte/roadmap/issues/89
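The behaviours listed in the comment above (a hidden PowerShell process, command output piped to find, an HTTP download from a script) are exactly what sigma-style process-creation rules key on, and a benign installer trips them just as malware does. As an added illustration, not part of this issue and not Sunshine's code or VirusTotal's rules, here is a small Python script that runs three toy checks of that kind over constructed Sysmon-like process-creation events. The regex patterns, field names, file paths, URL and sample events are all my assumptions.

```python
"""Toy sigma-style checks over constructed process-creation events.

Illustrates why an installer that downloads a dependency, pipes to find, and
launches a hidden PowerShell window collects heuristic hits. Patterns are my
approximations, not any vendor's real signatures (assumption).
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed, Sysmon-like field names)."""
    parent_image: str
    image: str
    command_line: str


# Toy rule patterns (assumption: loosely modelled on public sigma rules).
HIDDEN_POWERSHELL = re.compile(r"[-/]w(?:indowstyle)?\s+hidden", re.IGNORECASE)
HTTP_DOWNLOAD = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|start-bitstransfer|downloadfile",
    re.IGNORECASE,
)
PIPE_TO_FIND = re.compile(r"\|\s*find(?:str)?(?:\.exe)?\b", re.IGNORECASE)


def classify(event: ProcEvent) -> list[str]:
    """Return the names of the toy rules that a single event would trip."""
    hits = []
    if event.image.lower().endswith("powershell.exe") and HIDDEN_POWERSHELL.search(event.command_line):
        hits.append("hidden_powershell")
    if HTTP_DOWNLOAD.search(event.command_line):
        hits.append("http_download")
    if PIPE_TO_FIND.search(event.command_line):
        hits.append("pipe_to_find")
    return hits


def count_by_rule(events) -> dict[str, int]:
    """Aggregate hits across a batch of events, rule name -> number of events."""
    counts: Counter[str] = Counter()
    for ev in events:
        counts.update(classify(ev))
    return dict(counts)


# Constructed events approximating what a batch-driven installer might spawn.
# Paths and the URL are placeholders, not Sunshine's real ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -WindowStyle Hidden -File "C:\PLACEHOLDER\install-gamepad.ps1"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c sc query ViGEmBus | find "RUNNING"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -Command "Invoke-WebRequest -Uri https://example.invalid/ViGEmBus_Setup.exe -OutFile setup.exe"'),
    # Unrelated benign activity for contrast: trips nothing.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe readme.txt"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.command_line!r:90} -> {classify(ev)}")
    print("totals:", count_by_rule(SAMPLE_EVENTS))
```

Every hit here comes from the installer's ordinary work, which is the point: rules like these describe behaviour, not intent, and engines then weight the hits by file prevalence and reputation, so a freshly released binary that nobody has seen before scores worse than the identical bytes did a week earlier. The levers a project has are the ones already named in this thread: remove the behaviour (bundle the dependency, convert the batch script so no separate hidden process is needed), sign the release, and submit false positives to the vendors.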
I requested an analysis from Microsoft and this is the response