How should I improve my anti-exploit?

A Client can’t bypass a a Kick() from the Server in any way.

Instead of kicking them, you should ban because if your kicked from the game, you can just leave and rejoin.

What about false positives? Character limit to brrrt

Never rely on listening to Humanoid property changes. They will not replicate on the server, so scripts cannot detect what you’re trying to detect. And if you were trying to detect it on a LocalScript, it could just be manipulated not to work.

There a various somewhat reliable server-sided workarounds to physical exploits like this - Detecting unusual jump height, walk speed, flying, no-clip, etc. You can search up existing scripts for these.

I wanted to clarify that only make the anti exploit you actually need in your game(s). Different games need different anti exploits (If you’re just making this for practice then you can ignore this part).

If you replace a :Kick() with a RemoteEvent call that signals on the server to kick you, could this bypass their kick hooking function? Would it nullify any global ‘anti-kick scripts’?

1 Like

It’s still possible to hook remote events. However it will spend them a bit more time and will stop starter exploiters. Btw this post is 22 days old

1 Like

Dude, they can just do a for loop through all players and fire the remote event to everyone -__-

Nah you can easily stop that from occuring, like using the first parameter of the FireServer() function, which is always the player who fired it. Meaning the exploiter can only kick themselves.

This is completely useless for 2 reasons.

  1. If this is on the client it can easily be bypassed, anyone could do it.

  2. If this is the server, the client can send false states (Running, Jumping, etc.)

Anti-Exploits really aren’t needed apart from sanity checks (Absolutely important), but for basic checks this is the way to go: A Guide to Making Proper Anti-Exploits

1 Like

can easily get detected by checking if connections is connected.

Client can easily spoof walkspeed and jumpPower values. I don’t recommend doing client-side checks for anti-exploit related matters.

A client-side anti-cheat catches the in-experienced exploiters that download free exploits or mobile exploits. It’s a good idea to develop one if you already have a server-side anti-cheat.

There’s no point to develop one if you already have a server-side anti-cheat?? Most exploiters already use scripts that easily spoof and bypass client-sided anti-cheats.

tbh most exploiters use basic scripts that don’t come with any bypasses also there is a point in making a client sided anti-cheat and that point is to slow down experienced exploiters and stop your average skid

You’re mistaken. The top 10%, who actually know what they’re doing, are the ones making the scripts. There are a lot of scripts that are capable of bypassing these “client-sided anti-cheats” easily.
And if we’re going by what you say, are we just going to ignore the experienced exploiters then? Again I repeat, do not waste your time on some client sided anti-cheat that’ll get bypassed easily.

Yeah there are some people capable of bypassing client-sided anti-cheats with ease but just like a serversided anti-cheat if it’s poorly coded it can be bypassed with ease, there are ways to detect what exploiters are doing such as hooking (but you probably don’t believe me anyway).

A client-side anticheat will catch exploiters. Will it catch all 100%? No. Will an experienced exploiter create a bypass that’ll get mass-used by exploiters over 13? Yes. Will it still catch exploiters that don’t know what they’re doing? Yes.

A client-side anticheat can be as easy as looping a RemoteEvent call that sends client WalkSpeed and checking it on the server. There’s no time to be wasted.

Any addition of anticheat (client stuff, server stuff, honeypots, sanity checks, etc, etc) is good if it doesn’t interfere with your workflow.

1 Like

do not waste your time on some client sided anti cheat that’ll get bypassed easily
Amazing, proven point. Make an client sided anti cheat if you know what you’re doing.

Everytime i hear somebody say “dont develop client-sided anti-exploit” the first thing that comes up in my mind is a closeted exploiter

this is an interesting theory lol