How to check if a player has a Localscript

Hello! I am currently making a localscript based anticheat script to use in my games. I have 2 different scripts, 1 for the main exploit and 1 for checking if the main one is deleted/disabled or not. These two scripts check eachother so if you delete one you get kicked. I’m wondering if it would be possible to delete both of them simultaneously so you don’t get kicked. This would be my first question.

When I tried it myself in studio, deleting both of them at the same time ended up getting me kicked. However, I heard people saying that this wouldn’t work and that I shouldn’t trust the client. So I came up with a solution to check if the localscript exists through a serverside script. The problem is, I tried checking all players localscripts using a for i,v inside a while loop, and kicked the player if a localscript with the original name couldn’t be found. This didn’t work for some reason. This would be my second question, how can I successfully do such a thing?

I searched this a lot in google and in here and I couldn’t find any topic about it. I checked anti cheat posts and all I could find was some people claiming you couldn’t do such a thing and some of them claiming you could, without posting an actual script.

I know this is just a wall of long text but I don’t know how else I can describe this. Feel free to ask any questions if you find this post confusing. Thank you.

What they are saying about “Don’t trust the client” is entirely true.

Think of any script on the client as something that can be edited.

I recommend you put any anti exploit script into server script service as this isn’t replicated onto the client.

You can disable scripts without deleting (all localscripts simultaneously) and server won’t know.

It’s also important to know that most hacks exploit core (coregui, etc) so you can’t “detect” it this way.

Thanks for the reply, I am aware of the fact that they can disable it, so I did include a check for disabling too. Also, this anti cheat is not advanced and all I am aiming is to stop trolls which use btools/fly/FE God and jump/speed.

It is highly recommended that you secure the server-end of your scripts with security and not focus on the client-side as exploiters can easily disable it and mess with the server if done incorrectly.

They can disable ALL localscripts (and this doesn’t replicate to server) so no way to check

Oh, I didn’t know such a thing was possible. But doing that would be impractical because the game would be broken in most cases wouldn’t it?

This is good. Check changes in position over time for speed/tp and other game-specific server checks.

I think you are going about this in the wrong way because the player has full control over their client. This means they can control remote traffic coming in and out of the client, remove scrips/objects and from my understanding read and modify LocalScrips on the client. This means the exploiter can remove the part in your LocalScript that checks if the other LocalScript has been removed. You should read over both of these tutorials because they explain how exploits work and what you can do to prevent them.

I wouldn’t say there are any edge cases where you should run anti-exploit scrips on the client because you don’t know who is trying to exploit your game. Some script kiddies could get their hands on some harmful exploits and some people that know what they are doing with exploits will be able to get through your client sides checks ‘easily’.

You should always run you anti-exploit scrips on the server because it is impossible for an exploiter to access server sided code. You should secure your remote and run any sort of check directly from the server.