PSA: Marketplace Asset Removals

The marketplace they are referring to is the Toolbox. This mainly targets Models and Plugins. The catalog will not be affected by the purge of malicious assets.

This information can help many developers that use models for the MarketPlace, thanks for this update and info of this announcement.

Why do you think this? I’m sure the engineers have the metrics and stats to determine which percentage of games could be affected to a good level of certainty compared to an average user.

Two words. “Thank goodness” I can’t tell you how much of a relief it is for new players to be able to use the toolbox like it’s supposed to. I’m really glad you are deciding to put this into effect.

Takes me back. I remember downloading as many “anti-lag” scripts as possible in 2009-2010, then wondering why the game lagged even more, leading me to repeat the process. Looking at the object tree and the scripts themselves many years later made me see these sorts of tricks in play. Same with free models with these notorious scripts hidden inside. Glad to see something done about them. It just stinks that there wasn’t another way.

1 Like

Let me try to answer some of the many questions I see here:

  1. How does Roblox determine if an asset or module containing a script is potentially malicious?
    It’s actually a combination of automated tools and human reviews. For obvious reasons, I’m not going to go into specific details.

  2. Is there anything I can do if I’m writing assets with scripts so that my scripts don’t look malicious?
    If your code is clearly not malicious it shouldn’t be mistaken for malicious code. Humans are part of our evaluation process and act as a check on automated tools. That being said, people make mistakes, too. See the next question.

  3. What if I have a module which was incorrectly identified as being malicious and it gets deleted?
    This is unlikely, but it was asked, so I’m going to recommend the following in the event it happens:

    1. At Support - Roblox, under moderation, you can find “appeal account or content”; fill out the form, and wait for a response.
    2. Maybe also try to reupload your asset as a new asset and let people who consumed the old one know of the new one’s location via the dev forum.
  4. What if I was using a 3rd party asset and it got banned (see original post first)?

    1. The likeliest case here is that you inserted a malicious asset and it required a payload, and we banned the payload. There’s a Plugin named Venom that you can use to help identify some potential malicious scripts in your workspace. Back up your game first, and then you can use the panic button in that plugin to disable all the sus scripts. You’ll want to test your game and validate that it still works. Venom was written by a former Roblox engineer, and it still remains a useful tool.
    2. What if my game breaks?
      Post to the dev forum. Roblox developers are a community, and we can help each other out in these cases. Saying something beats saying nothing.

Hope these answers help.
-Mr_Purrsalot

27 Likes

I think Roblox is working on a permanent solution right now as this function has existed for a while, so I’m assuming Roblox will add an option to enable/disable third party assets and/or allow developers to add/remove whitelisted assets (these are assets that can still be required even if third party assets are disabled)

Edit: If I had to guess, if Roblox really wanted to make a HUGE dent in the Serverside community, they would make this a top priority task. The reason why this’ll make a huge dent is that 99% of all serversides are copy pasted and skidded, and these serversides mostly use require chains and/or require to their main module. Also, this won’t be permanent, as these developers can just stop using the require() function, and have the entire source code in the botted module, which means that it’ll be a pain in the ass to update on non-https enabled games

1 Like

It is a very good update! I have a doubt: how will the ModuleScripts be verified?

1 Like

There is no problem relying on free models; the problem is with the people who put viruses in them.

2 Likes

It’s about time!

For those who do rely a lot on marketplace assets, get yourself an antivirus plugin for Studio! I’ve been using Venom and it’s been really good; it allows you to delete scripts from assets you take from the marketplace too.

1 Like

Me and a few other people I know obfuscate some of the sensitive scripts in-game; will we be affected by this?

3 Likes

Players will definitely be safe now!

I’m still having trouble using free models, sounds, plugins etc. As they are scary and may contain malicious code.
But, as I read this announcement I started getting unworried with using models.

Roblox’s improvements are great and I’m looking forward to more future updates like this!
Thank you Roblox!
-Strongtoma

1 Like

Yes, and I am not saying anything against the engineers; I am sure they do have everything. But still, as I stated with ban waves as an example, it kinda seems like the same idea (of course not the exact same), where there will be a ton of false positives.

That is my opinion anyways.

Oh yeah, an icon indicating a model contains any form of scripting would be nice (since some people don’t have the good habit of checking for scripts).

5 Likes

Finally, good to see Roblox is finally doing something about malicious scripts! :+1:

3 Likes

Will anything be put in place to prevent assets like these from simply being re-uploaded?

What about stolen assets?

Some stuff that developers don’t sell to everyone, but somehow they’re able to get the game’s map THROUGH exploits like Synapse X, and sell it to everyone that needs it, without asking the developers to allow selling stuff like this. Most of the stuff I’ve been searching 100% contains backdoors and came from Madcity, Jailbreak, Arsenal etc.

Even if I didn’t know the assets came from some popular Roblox game, I got assumed for using it.

1 Like

This is great, but shouldn’t you just alert game developers when a 3rd party module is required? This would let developers know that someone is requiring a module, and they would be able to remove the malicious code.

3 Likes

Wow, finally. Thank you for doing this, really great that this is actually happening; people might not worry as much anymore about getting something from the marketplace.

I second this idea. Showing a warning that a 3rd party module was loaded in the dev console with the script’s full path could be very helpful in finding backdoors in potentially infected games. Sometimes rookie developers may not know how to remove these and they download ‘anti virus’ plugins only for those to be further infected with more backdoors.

3 Likes
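The staff answer and the last suggestion in this thread both turn on scripts that `require` a third-party module by asset ID. As an added example (not from the thread, Roblox, or Venom), this Python scanner lists each such call with the script's full path; the paths and sources in `SAMPLE` are constructed, and it assumes the script sources were already exported from the place as text.

```python
import re

# require(<arg>), allowing one level of nested parentheses inside <arg>.
REQUIRE_CALL = re.compile(r"\brequire\s*\(\s*((?:[^()]|\([^()]*\))*?)\s*\)")
NUMERIC_ID = re.compile(r"^(?:0[xX][0-9a-fA-F]+|\d+)$")
LOCAL_PATH = re.compile(r"^(?:script|game|workspace)\b")

def classify(arg):
    """asset_id: literal ID, so the module lives outside the place.
    local: a path inside the place. indirect: needs manual review
    (often a benign variable, but the target cannot be read statically)."""
    if NUMERIC_ID.match(arg):
        return "asset_id"
    if LOCAL_PATH.match(arg):
        return "local"
    return "indirect"

def scan(scripts):
    """scripts maps full script path -> Luau source text.
    Returns (path, line, kind, argument) for every non-local require."""
    findings = []
    for path, source in scripts.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            # Drop line comments; block comments and "--" inside string
            # literals are not handled, so review hits by hand.
            code = line.split("--", 1)[0]
            for m in REQUIRE_CALL.finditer(code):
                kind = classify(m.group(1))
                if kind != "local":
                    findings.append((path, lineno, kind, m.group(1)))
    return findings

# Constructed sample input: script paths, sources and the ID are made up.
SAMPLE = {
    "Workspace.FreeModel.Car.Weld":
        'local Util = require(script.Parent.Util)\n'
        'require(1234567890) -- constructed asset ID\n',
    "ServerScriptService.Main":
        'local RS = game:GetService("ReplicatedStorage")\n'
        'local Net = require(game.ReplicatedStorage.Net)\n',
    "Workspace.FreeModel.Tree.Fix":
        '-- require(42)\n'
        'local id = tonumber("12" .. "34")\n'
        'require(id)\n',
}

if __name__ == "__main__":
    for path, lineno, kind, arg in scan(SAMPLE):
        print(f"{path}:{lineno}: {kind}: require({arg})")
```
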