This is shaky for me. The fact that the word “potentially” was used means there is undoubtedly going to be some false positives here which brings up the topic of detection method. Is this some sort of automated thing or is it just manual flagging that’s been sitting for a while and things are just now getting deleted? I cant imagine this would work against more sophisticated backdoors and malicious scripts that are obfuscated.
I don’t think this is as exciting of an update as people think it is because it can only target old and overused viruses without actually sandboxing the code and getting the output which seems out of the scope of Roblox’s detection vectors. Nice to see some of the lower level stuff getting taken down but the major issue of backdooring still isn’t solved. Even if I’m completely wrong here and major backdoors do get taken down they will 100% be back up within the week.
This seems like a great idea, but as others have pointed out, the consequences of this action are unclear. Are these simply being “soft-removed”, so to speak, where assets will simply be pulled off the market/deleted, or will anyone having uploaded assets affected be punished?
Will there be a way to appeal/contest the takedown of assets in the case of a false positive or something of the like? This also leaves out whether private assets will be targeted, because if so that seems like a recipe for false deletion or unecessary deletion.
thank god, this was a long needed action
edit: will models which are spammed in the toolbox also be removed as well
(i search up some models for refrences to make mine and then i scroll down a bit and its just spammed with the exact same model from the exact same person with the exact same name)
This is a great thing Roblox is doing for developers who are using or learning from free models, I saw a realistic tree which contained a malicious script inside, from there I discovered a large group of people who hack Roblox games and other popular games, this is great however I recommend investigating these malicious groups, I fear they are the reason many games have been exploited in the past.
Searching for “require” in your scripts works sometimes, but searching “getfenv” as well is a good idea. Many viruses use that workaround to avoid being found.
I appreciate that we are doing it. This is one of the more important steps for us developers to check for backdoors and free models.
I’m also thinking on the side, would the concept of " check when the code is uploaded to ROBLOX marketplace to determine if it is malicious or not" work and may be introduced in the future??
However I REALLY hope this doesn’t cause any moderation actions to users who uploaded these models. Most of these are new developers who re-uploaded a model, or made their own models with other free-models and didn’t understand that there were viruses in them.
I’ve seen some builds that users have made with other creator’s models in them that just contained sketchy scripts and “motor lag items”.
It’s good to see that the Roblox dev team isn’t completely deaf to the community for once in a blue moon, but it’s really disappointing that instead of actually taking action (eg hiring a moderation team to casually browse through random module scripts being uploaded or to make sure the model/plugin front page has no stolen/malicious content, or even just reading reports once in a while) they’re just doing a hackjob shotgun attempt and (from what i can gather by reading this) are just nuking anything using require() or getfenv() which is merely a short term bandaid attempt as others have stated, likely already evaded by the time this post went up.
Heck, force disabling third party requires + third party purchases was a bandaid patch in the first place, and considering that anyone who falls for these malicious models/plugins will end up enabling them and complaining about the viruses anyway.
All if this is not even including the amount of time it took for them to even admit this is an issue in the first place, and the best they can do until this patch is released is to just tell users to manually remove the code the same way the community has been sharing for ages. This only stops the models with viruses in them, and not the plugins which have the power to continually add/replace code as they please which makes the “just remove the code bro” thing a pointless waste of energy.
Credit where it’s due though, at least they tried, which deserves a standing ovation for the impossibly low standards for Roblox’s care for the community
Now it’s just a matter of months/years until they do something about the bots that are uploading this malicious content in the first place (since patching the code merely makes them find a workaround) but considering the state of the clothing catalog they couldn’t care less about stopping bots.
Hopefully this doesn’t effect some of my scripts. None of them are malicious or event look malicious but some of the domains that I use for my player visit tracking and analytics kinda look suspicious ngl.
Thanks Roblox will this Scrub be effecting Malicious plugins as well? since people who have joined me in TC have had a plugin which has inserted malicious scripts into the game.
The marketplace they are referring to is the Toolbox. This mainly targets Models and Plugins. The catalog will not be affected by the purge of malicious assets.
Why do you think this? I’m sure the engineers have the metrics and stats to determine which percentage of games could be affected to a good level a certainty compared to an average user.