Malicious user content causing client AV detections

In the hangout game that I program for, The Furry Island, we have had several incidents (around once a month) of users’ antivirus software (Windows Defender specifically) giving alerts and popups for a variety of malware. Judging from the fact that several of these attacks caused detections related to Win95 malware, as well as common sense, it’s clear that it isn’t something being executed. However, it rightfully still scares users.

My current theory is that the malicious content being played is the boomboxes in-game, as they are the only piece of content that users should be able to play. Audios also cache on the computer, though I haven’t managed to grab the file path that the audios appear in.

My question is what I should do about this predicament - these incidents drop our player numbers drastically, and the only solution I can think of is to automatically scan files with an external server and cache the results, though this would obviously cost money to implement, and so I need help either finding a better solution or professionally complaining so that whatever is causing this can be fixed.

I might also be entirely wrong, in which case I’d like to know why this is happening and how it can be solved.

If you grab me an audio ID that does it I can check it out.

They are (likely) embedding a specific Visual Basic script into the audio. I say this because I did something similar a few months ago for Discord.

When the audio is loaded, Roblox caches the file, and Windows Defender automatically flags the file regardless of extension. Not sure how they do it, because I thought the audio was compressed, which would destroy that information, but they seem to have figured out a way. Maybe if you pass an audio of specific quality it won't be compressed, or with a specific text it will get compressed down into the flagged string.

This occurs on Discord too because of Discord caching the image.

I’ll embed something to log audio IDs that are played with a timestamp for the server, and whenever it happens again I can post the audio IDs. Fortunately, this doesn’t seem to be something common, but that means it may be a while before I actually have the opportunity to get the IDs.

Is there any section of the audio metadata that is not removed when it is uploaded to the website? That may be the way that they are sending the audio without getting it compressed, or they may also be doing what you said and sending it in such a way that the original contents of the file are preserved.

I feel like this is something that should be considered an issue. I never thought Roblox would have to start scanning images and audio for viruses, but here we are. I would be a thread in #bug-reports:engine-bugs because this is a real problem.
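The audio-ID logging proposed earlier in the thread only helps if the log can be matched against the times players report antivirus alerts. The sketch below is an added example, not code from any poster or from the game: it ranks audio IDs by how many incidents they were played shortly before on the same server. The log format, server names, audio IDs, incident times and the five-minute window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: "ISO-8601 UTC timestamp,server id,audio id" per play.
PLAY_LOG = """\
2024-01-05T18:00:10,srv-a,1111
2024-01-05T18:02:30,srv-a,2222
2024-01-05T18:03:05,srv-a,3333
2024-01-05T18:40:00,srv-a,1111
2024-02-09T19:50:00,srv-b,1111
2024-02-09T20:14:00,srv-b,4444
2024-02-09T20:15:20,srv-b,3333
2024-02-09T21:30:00,srv-b,2222
"""
# Constructed: (time of a player's antivirus alert, server they were on).
INCIDENTS = [("2024-01-05T18:04:00", "srv-a"), ("2024-02-09T20:16:30", "srv-b")]


def parse_plays(text):
    """Parse log lines into (datetime, server, audio_id); skip malformed lines."""
    plays = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            plays.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue
    return plays


def suspects(plays, incidents, window_minutes=5):
    """Rank audio IDs by how many incidents they preceded on the same server."""
    window = timedelta(minutes=window_minutes)
    hits = Counter()
    for when, server in incidents:
        t = datetime.fromisoformat(when)
        # A set, so an ID replayed within one window counts once per incident.
        seen = {aid for ts, srv, aid in plays
                if srv == server and t - window <= ts <= t}
        hits.update(seen)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for audio_id, count in suspects(parse_plays(PLAY_LOG), INCIDENTS):
        print(f"audio {audio_id}: played before {count} of {len(INCIDENTS)} incidents")
```

An ID that appears before every incident is the one worth handing over for inspection; IDs that appear only once are more likely coincidental plays.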