Is it reliable to use client logs for anti-cheats?

In some exploits, they usually warn, or print when their exploit/script is injected, which people can try to counter it by using a script to scan for certain words in the player’s client.

Finding certain words in a string, would possibly work for anti cheats, but I’m not sure if a player can be falsely caught cheating.

2 Likes

With a specific enough check such as “exploit123 has been loaded!”, you wouldn’t see that printed/warned if the player was not cheating, so It would be safe to assume that user is cheating, and issue a punishment.

2 Likes

This is possible, but should not be the main thing you rely on. A word of advice I would give is to make sure you do not accidentally detect usernames as exploits. Detection for an exploit called ‘Dex’ for example would detect any user called ‘Dexter’.

If this is an attempt to prevent widespread exploiting in your game, do not rely on any clientside checks as your core anti exploit, that should almost entirely be done server side. Clientside detection is valuable as an extra layer of protection, but should not be your main method of prevention.

I see, didn’t realize about usernames that could start with those certain words. But, how would the script check on the username, since it’s only checking on the client?

This could work, but the exploiter can just delete the script and then use their exploits. I don’t usually recommend doing these sorts of things because, like @SteadyOn said, there could be false positives.

Another similar “anti-exploit” that I’ve seen one or two games use is to detect when they open up the developer console and then freeze/kick them. Never do this. It is horrible UX and your users will not thank you if they accidentally hit F9. It would become like the new Alt+F4 in chat where a user tells you to press it.

2 Likes

Can’t I just rename the script with an unknown letter/symbol to prevent them from finding it?

Nothing client-sided is reliable. Battling the client on their own machine is a war of attrition that you will lose. Focus on securing your game’s server-side and preventing the client from leveraging any of your systems through validation and such. This should be an absolute first when it comes to fighting against system manipulation, before you think of anything else.

Client-side anti-exploit is extraneous and is something you can look into after the core of your game, which is the server, is secure from most attempts at propagating unexpected changes.

4 Likes

@ScriptingSupport beat me to what I was about to say by a minute. The client is extremely untrustworthy for exploit detection. I highly recommend doing what ScriptingSupport suggested by sanity checking your remotes and finding out what exploiters are exactly doing in your game to patch those exploits.

No, you can’t. If it’s a client script it can be deleted.

Useless. They can just hookfunction print to rconsoleinfo which is a terminal completely isolated from the actual roblox client its self.

Doing this would ultimately not stop anything, and just introduce many false positives into your game.

1 Like