Roblox Security Changes Break Nvidia Ansel & Vulkan Layer Support

I am sure you can understand that the reason that people are unhappy has little to do with improved security measures and a lot to do with the fact that, despite these measures, exploiting continues to grow month-over-month. Exploiters are handed out 1-day bans every few months without any alt-detection while normal players are handed out ‘enforcement bans’ for logging in at school. This has been pointed out for over a year now and despite that, we continue to lose compatibility with things like shaders while the situation does not improve.

Players would likely be more receptive and understanding of these changes if we saw improvements to cheating metrics, but knowing that your teams aren’t even allowed to issue meaningful punishments makes it hard to agree that these are beneficial security improvements.

KreekCraft stated it perfectly here: https://youtu.be/cl2__gC-EDc?t=9718

I feel like the anti-cheat has broken more things to me than it has helped me. We still got all these hackers that have been going on for two-and-a-half years which the anti-cheat has done absolutely nothing about. The anti-cheat has broken Roblox in OBS. It has broken Roblox shaders. It has broken that one tool youtubers used. It broke Linux support. I’m going to be honest, I feel like the anti-cheat hasn’t really done much to help me, it just keeps breaking my stuff and I keep seeing hackers so…

14 Likes

Hello, I appreciate your response. I am currently on mobile typing my reply, so I apologize for any formatting issues. I believe that you have RoShade and ReShade mixed up. RoShade was a ReShade installer, and Nvidia Ansel is built upon ReShade because the owner and developer of ReShade is an employee at Nvidia. Also, I don’t believe that shaders can be used to cheat in an impactful way. I believe you’re most likely referring to the use of depth buffers, which usually breaks UI elements and sometimes dark environments, and I could see why that is a potential issue, but I believe the benefits far outweigh the negatives when it comes to content creation and the community overall. Alongside that, I wasn’t trying to run ReShade directly on Roblox; I was writing a capture utility that was a Vulkan layer that would copy the game’s rendered frame and the depth texture to an external overlay. It was in development and functional up until the recent code signing requirements. If it is an issue, you could restrict the use of those modules on certain experiences, allowing developers to opt-out, preventing the use of any third-party modules on the client in those experiences, like, for example, OBS game capture, which is very similar to what I was developing except for the depth texture. I can’t go into many details right now but I wanted to respond in the meantime. Thank you, and I appreciate your response.

21 Likes

To add on to this remark, the usage of the Vulkan overlay was to make sure that any shader software stayed within a boundary that prevented it from directly tampering with the client to not bring on any sort of security risk.

13 Likes

Yes, and this was the intended goal; that’s why I say it is similar to OBS game capture, but instead of just copying the frame, I would also copy the depth texture.

11 Likes

I can see why the community is unhappy. There should be a balance between client security and user experience. As of recently, Roblox has been trading off user experience for client security. Roblox’s security measures are intended to provide a better experience for all users on the platform who intend to play without harming the experience of others, but in the same light, the client shouldn’t be overly restrictive, harming the experience of users who are trying to play legitimately.

The recent changes targeted towards exploiters are to the detriment of the community, breaking compatibility for applications like Nvidia Replay and Nvidia Ansel and possibly software on AMD and Intel’s platforms.

Just because something can be used to cheat doesn’t mean it should be banned outright. For example, you can use WGC (Windows Graphics Capture) to capture the window and feed it into an AI to create an aimbot. Does that mean external screen recording should be banned outright as a result?

We can also apply the same logic to Sober on Linux. Sober utilizes an x86-64 build of Roblox’s Android application underneath Linux. You could consider that a possible attack vector and outright block it because the client is inherently less secure than running on Windows. Doesn’t that mean that Sober should also be banned and that Linux players should be outright blocked from playing Roblox?

You could also adjust how saturated and vibrant your monitor is and also adjust the brightness. This can be done on the display itself or within the Nvidia control panel. Couldn’t that be considered a potential cheat vector because when it comes to shaders, the primary target demographic are people who are usually interested in visual photography or visual arts or content creators on social media platforms like TikTok and YouTube Shorts?

The community isn’t happy because there isn’t a proper balance. Roblox is a diverse platform with many different experiences that players can enjoy, anything from high-detail and impressive showcases to low-poly simulator games, and many users, content creators, and anyone interested in photography or digital art may be interested in using shaders on Roblox because it is a diverse platform and an impressive game engine.

Yes, you are right; it technically can be used to cheat by adjusting the brightness and saturation or displaying the depth buffer, but at what cost? Sure, someone might have an easier time seeing in the dark in a horror game, but that is an extremely small percentage of users, and most people in the community are unhappy regarding these changes.

Bloxshade has the largest community on Discord for shaders, larger than any Minecraft community, at 94,000 members, but there are exploiting communities on Discord with far more members. I don’t believe shaders should be the target of exploit prevention or depth buffer when it has been more of a net positive to the overall community rather than these recent changes.

Using shaders on Roblox isn’t going to enable the ability to use fly hacks, wallhacks or anything like that. Just because something can technically be used to your advantage in very niche scenarios such as horror games doesn’t mean it should be treated as an outright exploit.

I’m sure developers are far more concerned that the exploiting community is growing month over month where it is possible to use fly hacks, wallhacks and so on. I believe that the recent security changes, while intended to be a net positive for the community, have been anything but that.

The community doesn’t want a less secure client; they just want a proper balance between security and usability. Now users cannot use OBS game capture, they cannot use shaders, they cannot use Nvidia Replay and possibly they cannot use stuff related to AMD and Intel’s platforms.

Many of Roblox’s star creators have voiced their own opinions and very likely can share similar opinions to me regarding this topic. For example, SharkBlox made a video today because he can no longer use Nvidia Replay on Roblox because of the recent changes, and KreekCraft has also voiced his opinion regarding this matter, and he’s a star creator who used shaders.

Most users on the platform likely see the recent changes as more detrimental than beneficial. There are more pressing issues than shaders on Roblox, considering the demographic and user base. Just because something can be used for cheating doesn’t necessarily mean it is, and it doesn’t necessarily mean the negatives outweigh the positives, causing more harm than good, which isn’t the case in this scenario.

KreekCraft’s statement: https://youtu.be/cl2__gC-EDc?t=9718

I feel like the anti-cheat has broken more things to me than it has helped me. We still got all these hackers that have been going on for two-and-a-half years which the anti-cheat has done absolutely nothing about. The anti-cheat has broken Roblox in OBS. It has broken Roblox shaders. It has broken that one tool youtubers used. It broke Linux support. I’m going to be honest, I feel like the anti-cheat hasn’t really done much to help me, it just keeps breaking my stuff and I keep seeing hackers so…

SharkBlox’s statement (from what he read from the forum): https://youtu.be/nz6LkaMsCcs?t=262

Security should nearly never be prioritized over user experience. Exploits continue finding bypasses due to their profitability, but software like this will never have the sole purpose of profit. This in turn lowers the user experience of hundreds of thousands on this platform.

36 Likes

Beautifully said.

I was following @Extravi1 and watched as every method to get custom shaders working on the client got patched/broken. These changes seem to perfectly prevent shaders from working while seemingly doing nothing to prevent exploiters. This amazing project has done nothing negative against Roblox and is being patched/broken over a technicality? This just seems like software engineering pretentiousness and patching things that don’t need to be patched/changed just for the sake of “patching it” instead of focusing on the actual important things.

12 Likes

Basically this. The actual cheating issue on Roblox has little to do with shaders or screen-reading. It’s an issue of people injecting massive 5000+ line scripts and getting away with it for months before being banned for only one day. The severity of cheats in Roblox is much greater than simple ESPs. These minor things don’t even come to mind when I think of Roblox cheats because they’re so harmless in comparison to the actual issue.

The security team has stated numerous times that almost all executors are detected. Please act on these detections and clean up the platform before breaking more compatibility. Roblox policy regarding this issue is severely lagging behind. Until policy improves, these changes will continue to be a net negative for players.

There is also the idea of an opt-in competitive client. Roblox is a massive platform with a ton of genres. Not everyone cares about cheating, many just want to enjoy taking cool pictures with shaders. On the other hand, many don’t care about shaders and just want to play their extraction shooter without skids noclipping/aimbotting every lobby. Perhaps this should be re-evaluated as a potential option:

9 Likes

Roblox is a vast and diverse platform, and I believe that experiences on it should have the option to opt out of certain features. If an experience wants to implement stricter security measures, it should be able to disable support for third-party modules such as OBS Game Capture, Nvidia Replay, Nvidia Ansel, and others. Given Roblox’s unique nature, security should not be a one-size-fits-all solution.

When I mention third-party modules, I am referring to those signed by reputable vendors, such as Microsoft Azure’s Trusted Signing. Developers should have the option to choose whether to allow these modules or to opt out entirely, thus preventing any use of unauthorized third-party components.

I’m unsure about the feasibility of implementing this feature or how complicated it might be. However, if it is possible, it should be considered.

This would make things relatively complicated because, for example, you cannot just unload Vulkan layers since they are loaded at runtime by the Vulkan loader. However, if the user is trying to join a restricted experience, they could be prompted to restart the client with more restrictions applied. However, that may not be feasible and could be annoying.

However, if users wanted to deal with that by default, it could potentially be enabled by a fast flag, so if that fast flag isn’t enabled, the strictest settings would be applied by default, and only users who intend to use stuff like Nvidia Replay, OBS Game Capture for Vulkan, and so on will have to deal with that.

If the user were to enable a fast flag like that, that user would have to accept that trade-off, but this way developers can choose whether or not they want to opt out of these changes. This way it wouldn’t be inconvenient for users who don’t want to use third-party modules provided by Nvidia, OBS, and so on. The fast flag, if enabled, will default to allowing modules signed by trusted vendors, and if the user wants to join a more restricted experience, they will have to restart their client, but this shouldn’t be enabled by default for users; that’s why I suggest a fast flag.

Also, because developers may not be explicitly aware of that option, it should be toggled off by default, allowing signed modules; however, if the developer does need more security, they should be able to toggle it on and would likely be aware of the option.

14 Likes

Well thanks for the response at least, it’s good to know where things are at on this topic, but this definitely leaves me big sad. Guess I gotta accept the fact shaders aren’t gonna be coming back, just wish I had recorded more footage with them like in the recent updates for games like Midnight Racing: Tokyo or Crimewave 1986.

Still don’t feel motivated to continue covering games on my channel as much as before knowing how good things could’ve looked and probably won’t for good. Being able to admire games in a new light was a big factor that got me engaged in doing the playthroughs that I do, but I guess I didn’t realize what I had until it was gone, I just thought it was a temporary thing for the hunt event.

4 Likes

Hi, if this is the case, why is Hyperion either not on Android, or just absolute rubbish? Every exploiter I see uses mobile. Why not increase the security on Android? Or since people exploit on Android, let’s just remove Android, since so many people do that anyways. I mean, you pretty much killed Wine because a small amount of Linux users exploited, either that or Linux users seem the type of people to exploit.

1 Like

New Enums suggest they’re gonna add it in eventually

4 Likes

Like OP said, exploiters find new ways to bypass all the time, and this change has already probably been bypassed anyway, and reverting it will bring back NVIDIA Shadowplay, NVIDIA Ansel, and Vulkan.
It may not be possible but just a thought of mine.

2 Likes

You say this without reading the entire thread.

4 Likes

I do wanna add that we should still give Bitdancer the benefit of the doubt. They’re literally hired to improve security so whether or not there’s some quota they need to meet, it’s probably not entirely up to them to revert this change.

The reality is that this isn’t old Roblox anymore when there wasn’t as much to maintain and the Roblox team was still pretty small. In turn with how complex Roblox has become nowadays, they’re definitely caught up with bigger things behind the scenes.

It just sucks that both sides of the coin can’t come to a better resolution due to all these nuances because it’s no secret that Roblox prefers to either stay quiet or neutral on these topics and some players are always gonna take a mile when given an inch.

So as much as no one wants to admit it, we’re never getting that same small community understanding that existed way back when, hence why it’s inevitable the player experience will suffer. It’s just by nature things go down this route at some point.

4 Likes

Well at least they’re doing something

Well yeah it sucks, because regardless of this change, it doesn’t change the amount of exploiters.

I’m actually working on a thread with Roblox_RTC about this, as it seems Roblox has no regard for the safety of users on their platform.
I was working on one before actually except I was worried about getting you in trouble by continuing to quote you, as I know it’s not your fault, but thanks to the anti-cheat stunt Roblox pulled with The Hunt: Mega Edition, I no longer need to.

Also, it’s a little frustrating to see community projects, made with passion and love, being completely killed off by anti-cheat updates (which we as developers don’t see the benefit of, and likely won’t at this rate), and are then told that it “was against ToS anyway”.

Bloxstrap could potentially be seen as against ToS, yet that’s allowed, even despite Wave using it to some degree to bypass whatever it bypasses

Austin’s FPS locker was also technically against ToS, yet that was allowed until Roblox released an official update including something similar.

When do developers start to see an improvement?
We constantly lose features & functionality, exploiters run rampant regardless, methods to detect exploiters that we rely on are stripped away under complete BS pretexts (e.g. os.clock alt detection & null byte indexing)

What does $11m (plus whatever they paid for Synapse) have to show for itself? Because all I see is degradation, not improvement.

8 Likes

TL;DR:
Signature validation performs as designed. We are looking into issues on a case-by-case basis. We are not blind to the issues the community is facing, but we have to find a solution that alleviates security concerns as well as user inconvenience.

Wall of text:
As mentioned, almost all community projects violate the TOS to a certain degree. However, so far Roblox has chosen to avoid antagonizing the community by targeting these projects purposefully. The only exception was Wine, as it simply was not maintainable without severely compromising security on Windows (I have written about it extensively here on the forum).
Bloxstrap is less of an issue because it neither injects into the process nor does it perform any kind of repackaging. We haven’t blocked Sober because we don’t see a reason for it. However, I did make it clear to the Sober community that we might render it non-functional as a side effect of increased security as Sober is not officially supported by Roblox.
The same is true for all forms of custom shaders; we don’t explicitly block them (although we have seen shaders being used for cheating), but we can’t just allow random modules to be injected into our process space either, especially since our lenient handling of signed modules was the main attack vector of pretty much all recent Windows exploits.

Last but not least, there is a mix-up of non-Windows and Windows issues here in this thread. While it is true that we have seen a rise in Windows exploits and therefore we had to act on it, the majority of exploiters observed in the wild actually cheat from lesser protected platforms, so arguments such as “the new signature validation didn’t help, I still see an increase in cheating” are flawed if not taking the cheaters’ client platform into account.

This pretty much sums up everything that we have to say on this topic at this point in time. Thank you for reading.

14 Likes

When you refer to looking at issues on a case-by-case basis, does that also extend to software related to shaders like Nvidia Ansel and others, someone earlier had asked if there were plans to allow things like OBS game capture, and you said options are being currently evaluated?

6 Likes

Nvidia Ansel is not on the table at this time. Other issues mentioned in this thread are subject to evaluation.

7 Likes

You admitted yourself that anti-cheat without policy backing it does little to reduce this issue. These changes continue to be a negative because we see no improvements from them. This is because despite the improvements to the application’s security, those who circumvent them are allowed to run free without punishment. This is why you are seeing rises in Windows exploits despite the numerous patches put in place to try and deter them. You can’t prevent them, especially on a usermode anti-cheat, but you can detect them. So what does your company do with those detections? Shove them in their pocket, your own words.

Please try and work out a solution to this issue. I guarantee that if you had a strong policy in place you wouldn’t even need so many patches because so many would quit cheating out of fear of being banned in the first place.

4 Likes