This project is now deprecated. The plugin and website still work, however I no longer host the website. So if you want to use this, you’ll need to clone it from github and run the website yourself and change the request location in the plugin.
Plugin (plugin source)
Rovird is an extremely powerful virus detector. Rovird uses an open source third party api to analyze source code. This analysis includes resolving all external requires. That’s right, Rovird is capable of resolving
require(id) and analyzing a module directly off of the roblox library. This already makes Rovird more powerful than existing plugins.
There are multiple ways to utilize the Rovird’s API. I’ll go over the 3 that may actually happen.
Using the plugin is obviously the easiest way to scan scripts in your game. With just a few clicks you can scan your entire game for possible viruses, resolve all external requires, regardless of layer.
First, you will need to download the plugin from here. Once you have it on your studio, you’ll see a new category in your plugin toolbar which will look like this:
When you first install the plugin, it may ask for script injection. Though Rovird does not modify scripts in any way, plugins need script injection in order to read source code. If Roblox releases a separate read/write permission for plugins to read source that’d be even better for protection, but for now script injection will be required.
When you click on this button, you’ll be greeted with a UI. There’s currently 5 buttons:
- Send Job
- Toggle DNC
- List DNC
In order to actually scan your game, you will need to click on Send Job. The first time you do, it might ask you to allow HttpService to send requests to
https://rovird.xyz. If it does not say that url (and you haven’t changed it in options), uninstall the plugin as it’s a clone.
Once you allow HttpService from the plugin, and you click Send Job, results will turn gray. While the button is gray, you cannot click it. Eventually it will either turn green or red. If it turns green, you can click on it to see results. If it turns red, you’ll see an error message in your console. Report this to me so I can fix it, if I can!
Once results turns green, you may click it.
When going through results you will see a list item for every script in your game and all external scripts and any scripts they require. This may be overwhelming. Because of this, you can see quick stats on the right:
These quick stats include the total amount of scripts scanned, and breaks it into internal and external scripts. Internal scripts are the scripts actually in your game. External scripts are any scripts that your scripts require by id (
require(id)). And below that is the total flags count of all the scripts.
You may want to filter the results to see only flags, you can do that by clicking on the flag icon above the quick stats. If your game’s scripts have any flags they’ll show in the UI once you click that icon:
From here, you can left click on any of these buttons to see all of the flags in the script. You can right click to open the script. If the script is external, it will print a link to the library in the console that you can go to. When you left click it for flags, you’ll get another page that looks similar and shows all of the flags:
If you left click on any of these, you will open the script and scroll to the line the flag is on. If the script is external, it will print the link to the console along with the line is the flag is on. You can analyze these external scripts using a tool like BTRoblox.
Because Virus Detectors are imperfect, Rovird provides you with a whitelist. To add anything to it, select it in the workspace and click on the “Toggle DNC” button. This will add the scripts to the whitelist. The do not check list is recursive. So no descendants of an item on do not check are scanned.
You can check your do not check list by clicking on “List DNC.”
If you accidentally added a script, or a virus tried to add it to the list, you can right click on the item in the “List DNC.” If you left click, then it will select the instance in workspace.
If you click options, you’ll be able to change the request URL. You may want to do this if you self host it. A trailing slash is not required, it will add one for you if you don’t include it. Make sure you press enter after putting the new URL in, or it won’t save your changes. Also, if you don’t have a domain, you include the port here, i.e.
If you don’t want to utilize the plugin, you can use the website over at https://rovird.xyz/. This site is the host of the api the plugin uses, so the results will be the same. You have 2 options when using the site, a file upload of rbxm or rbxmx, or you can give it an asset id to check. The asset must be free and on sale. If the id meets those criteria, it can be anything, a model, a script, plugin, etc.
There’s a video on how to use it here:
Because this is an open source project, anyone can contribute to it, and anyone can clone the repository and host it themselves. All I ask is that you abide by the license which is MIT. Basically, you can do whatever you want with no warranty or liability, as long as you keep a copy of the original license in there.
You can either clone the repo directly, or download it as a zip. You will need v16 of node to run this program. Once you have it downloaded, run
npm install to install the dependencies. Then you can start it with
npm start. It will host on port 6750 by default, but you can change that in settings.
If you don’t have an SSL certificate, leave developer mode on.
Once it’s running you can access it in your browser if you go to
http://localhost:6750. Where 6750 is the port you choose to host it on.
You can then go into the options on the plugin menu and set the URL to the same URL you’d use to access it. You’ll see any request get logged to the console.
vs Server Defender
Server Defender is an antivirus plugin. Let’s see how it stacks up:
Here are Server Defender’s results. This is not a virus script, but it is understandable why it’s detected. But there is an intentional virus in this place that it did not detect (I have reported the virus multiple times to roblox over the last few months, but it’s still up so I decided to test on it).
GameGuard is another virus detector. Let’s look at its results:
As you can see with basic “require” detection nearly every script is a false positive. It’s understandable, but the bloat is very apparent. When I turned require checks off I only get 3. 2 of which are predictable as they use
getfenv , however the first one is detected because of “Lil” (common obfuscation is
iliilil , etc) it’s triggered because of the string “Lily white” which is obviously a false positive. However, still no detection of the required virus without just scanning for
require by itself.
Now let’s see Rovird’s results:
The script at the top is a false positive (it’s obfuscated). However as you can see 5 other scripts are detected, 3 of them are external. This comes from a single
require(id) . That script requires a virus which in turn requires another virus (
External 2 , the number is the layer of require, 1 is
require(id) from a script in your game, 2 is
require(id) from the previous required script, etc), all of which Rovird is capable of analyzing. The script at the very bottom is a detection of a script attempting to set an item to the do not check list.
Rovird had a single false positive in this example and detected the required virus. Neither gameguard nor server defender did this, if it did they were flagged because it required something, not because the script it required was actually malicious.
As you can see, Rovird can detect what other virus detectors can’t. Due to being outsourced to an api which is more capable than roblox itself there are so many possibilities with analysis in the future including potential AI analysis and scoring!
HttpService to send the source code of scripts in your game to an api for analysis. You may view the API’s source code here and even run it for yourself and make PR’s to add new flags, etc. The code-base is still a little messy and I am working on cleaning it up, but I wanted to get it out to everyone.
Rovird keeps up to 1000 instances in memory at a time (for 10 minutes), however they are not permanently written to the disk (only external required scripts are written to the disk at all, but they are removed after being read and parsed, unless an error occurs due to downloading too many at once). In addition to this, Rovird will cache jobs for 10 minutes or until their results are requested. This means that once you get results once they are deleted from memory. The plugin itself uses an internal cache, but if you wish to make an app to interact with the api directly keep that in mind.
jobs api has a rate limit of 60 requests/minute (
jobs-status has a 120 requests/minute limit). This is not a gradual refresh, which means once you use all 60 you’ll have to wait for the reset. I’m mentioning this because rate limits means your ip is stored in memory. If you don’t make any requests to the api for 60 seconds it will be purged automatically. I may look into api keys from the website in the future for possible higher limit ones, though I’m not sure yet. Rovird’s api does not maintain or track any data persistently, it works entirely in memory.
Rovird requires modification permission to read the source of scripts. However, it does not ever set the source of the script itself. Rovird is a tool to find potential viruses, however it does not take any action for you.
Rovird will ask you to allow access to rovird.xyz. That is the correct website that the api is hosted on.
The Rovird api is run on a 48 gb ram, 24 core dedicated server. It is relatively fast at analysis, with the main cap being downloading external requires (which still doesn’t take long because it’s set up with a gigabit connection).
I’ve only the tested the api by myself which means that it was never under heavy demand. Results may vary based on how many requests it’s getting. Be respectful, don’t spam the api please!
Single hierarchies of >1 MB are currently not supported (roblox limitation). They will be supported in the future by sending the data in chunks.Switched to RequestAsync and the limit is now 20mb (server side limit, might adjust in the future)
- This is a tool that does script analysis. It is not guaranteed to work. It will have false positives, and false negatives . Be vigilant when using free models and have trusted people work for you.
- Doesn’t scan plugins yet (you can use the website for this, though)
Open source the api once code-base is cleaned up. The code is now available here ! (if you’re looking for the dump of the plugin, you can find it here )
- Better graphics
Better documentationThis page has been rewritten in a way I feel better documents how to use the plugin and the website.
- Code-based flags (right now flags are just given in english, if they are coded by a number it will be translatable easily)
- Better UX
Upload models/asset ids to the website for analysis. This is complete, you can now upload models and asset ids directly to the website at https://rovird.xyz/.
- API keys (higher limits, and more secure)
- More analysis (and better analysis, if you see a false negative, let me know so I can get to fixing it! False positives are better than false negatives!)
- Possibly AI analysis (I will need a lot of examples to train the AI on if I do this)
- Scan plugins from plugin (possible on the website, just input the asset id)
Check back in every now and then for these!
If you find any issues let me know! if you spam the website it will rate limit you, if you keep spamming you will be blocked entirely (if the api crashes and the plugin tells you it can’t connect to the server then dm me, I will respond to those faster).