We have detected and will be removing assets from the Marketplace which may contain potentially malicious scripts. We will be initiating a scrub to remove the assets over the next few days. All experiences will continue to function normally, but a minority of developers may notice missing assets after the scrub.
If you have any concerns over the assets in your projects, our recommendation is to take the following steps:
Locate or insert the Asset
Open Find All (CTRL+Shift+F)
Search “Require”
Look for suspicious lines of code that include statements such as require(ASSETID)
These lines may be hidden with random characters, spaces, or line breaks
Verify that the require statement is intended
Example of suspicious code
Once the assets have been removed, if your place file contained one, you will receive an error stating Unable to find module for asset id … Does the asset have a ModuleScript named "MainModule"?
It’s great to see malicious assets get removed from the marketplace, but I think that a solution for preventing this sort of thing from happening in the future would be better in the long run. For example, what about if the developer is informed of models that contain scripts when they shouldn’t, like a badge in the Toolbox with a Script icon on it? Is any sort of solution to prevent these from being uploaded and placed in games by developers in the future going to be implemented?
This is a pretty good update, and I was wondering when roblox would get around to removing stuff like this.
I know this is a small thing in a large haystack, but will you be removing RoSync linkers? As it’s something a lot of exploiters use, when backdooring a game/exploiting.
Also, should we expect this to be a normal occurrence in future? I honestly wouldn’t mind if the marketplace got a bit more moderation attention.
Wooo🎉! No more free model “virus scripts”, finally the toolbox can be free of the curse.
Really glad that free models are being moderated, and maybe people will start using them for normal now. All the plugin makers who made backdoor scanners are going to be relatively defunct now
Couldnt the bots/people creating these malicious scripts easily adapt to the change by naming their scripts something LESS suspicious?
Like just “Script”, or “ColorChangeScript”
What would happen if a model which was incorrectly identified to contain malicious code was deleted? Would its previous versions be recoverable via the “Version History” tab? If so, how would this prevent users who posted malicious models from reverting the version?
Will this action only be taken for publicly available models at the time of the scrub (which have “Allow Copying” enabled through its settings) or will private models which have previously been placed on-sale be scrubbed, too? If it’s the former, what would prevent users from regularly toggling that setting to prevent malicious models from being deleted?
It probably looks at the source code, checking to see if it requires a malicious module. It might even look at the source of required modules and see if that’s suspicious (like through obfuscation)
It might even implement a fingerprinting method like an anti-virus (but that might be too advanced currently)
Could we get some insight as to how Roblox is intending to determine what is and isn’t malicious? Mass deletions like this are notorious for catching false flags and if there’s moderation action attached to the removal of these assets that could not go well for many developers.
Great to see action being taken on bad actors’ assets. Hope this gets done for the catalog eventually too, clothing designers would surely appreciate security on their items.
Now that this has happened, I assume exploiters will learn from this and start modifying their viruses to look more normal looking, instead of doing something like local Key = getfenv(string.reverse(eriuqer)[548235438543])
to transition to more of normality, then obscurity.
Each bit of information given to the community about how they’re preventing malicious assets from being uploaded is a clue for those uploading these assets to get around it. They can only reveal so much before the entire thing becomes pointless.
Some more information about how these assets are identified and whether or not users publishing malicious assets will receive moderation action would be appreciated (e.g. users mistakenly publishing infected assets versus malicious users hosting the target malicious modules).
Automated removal of developer work is always scary business and this announcement is way too vague to ease concerns.
This is a great start to eliminating malicious scripts on the toolbox, and something that has been long-awaited. I’m curious as to if this wipe will also affect malicious plugins, as a cleanup of the plugins library page is also extremely necessary at the moment, with malicious real-looking copies of popular plugins constantly taking over this page along with the support team failing to realize that this is a problem.
Glad to see some sort of acknowledgement and action being taken on these malicious assets and I’m interested to see how Roblox can continue tackling malicious assets in future.
does this have something to do with roblox removing any scripts from infected models, or maybe i probably didn’t understand what the topic is saying since it mentioned some module stuff that i don’t know about since i’m not a programmer?
if it’s about roblox removing infected scripts on models, i think this a good thing since they harm games and bring in viruses
Is the process automated? or will it be at the near future? most of the people making them will probably just re-upload their assets and find better ways to disguise them as real models.
This PSA is very important for developers struggling with recent attacks, however I find it ironic how Private Modules were removed some years ago and only after their removal have major viruses/issues with modules arisen, despite the reasoning behind the removal being a security measure to begin with.
