Is Roblox not a closed system? The client can’t require(assetid), all scripts running on the client should come from the server. Therefore shouldn’t it be possible to tell which code doesn’t belong? You could do pattern detection at large scale to determine which scripts do not belong, and then give developers the opportunity to act on it. If 99.999% of daily users are operating within pattern but you have 0.001% throwing errors all over from scripts like ‘coregui executor’ that don’t have a proper traceback, then it’s pretty safe to conclude those are exploiters.
Hyperion does detect tampering with the process. Sadly, it is hard to distinguish if the offending software is just a poorly written tool, some antivirus, or some video recording software. This is the reason we coined the term “Badware.” For us, Badware is any software that opens the client process unauthorized. This doesn’t necessarily mean the software in question is malicious, so banning based on “Badware” detection is out of the question.
For a user to be caught in a banwave, it takes quite a bit more than just running an exploit once. Given the scale of Roblox, it should be clear that being less careful with banning might quickly end in disaster, so naturally, we are extremely careful and generally prefer to crash the client rather than ban someone.
Furthermore, cheating using Windows clients, thanks to Hyperion, is actually rather uncommon these days. Once again, scale matters. Culling down cheaters to a few thousand on Windows is a huge success in our books.
Currently, Android is the go-to platform for cheating, so a lot of observed cheating is most likely committed by Android users or folks using emulators. Needless to say, we are focusing our efforts right now on Android and Android emulators.
how do exploit developers even slip up like this lol? even if roblox does take action for this, it will be short-lived and likely would’ve been redundant in the future, regardless if it was implemented or not.
It’s not even really a new ‘slip up’, executors have been leaking errors like this forever. It’s just that they see no real need to patch it because Roblox simply chooses to not take action.
Please read carefully what I wrote. From a Roblox user’s view, the issues seem easy to solve. However, for an organization like Roblox, with a large user base, nothing is as straightforward as it seems at first glance. The number of banned users who clearly exploited, and we have the receipts, yet chose to appeal is rather large and somebody needs to deal with it (one example of many). Scale is always the issue and is what distinguishes a hobby project from a large company.
I have read what you wrote, except it’s not relevant in the context of the OP nor the post I replied to.
“Sadly, it is hard to distinguish if the offending software is just a poorly written tool, some antivirus, or some video recording software”
Can you name a single piece of badware that throws “Coregui.execution” errors to the developer dashboard? Must be some really messy badware if it’s managing to slither itself into the Roblox lua engine. The point of the OP was that these low-quality exploit scripts should be handled better because they’re blatant and interfere with developer debugging. This isn’t a case of badware tampering with Roblox and causing false-positives, it’s a case of obvious injection not being properly handled.
This issue has been reported before as well, with some people not even aware these are exploit errors:
I understand the concern for false positives in ban waves when detecting tampering. I’m aware that Roblox is hesitant to terminate cheaters. But there’s a difference between someone booting up an outdated version of OBS and what OP is describing. If these janky cheats are somehow logging their way into the developer dashboard, then it’s absolutely at the point of needing to be handled better by Roblox.
Like the guy said, it is hard to distinguish between cheats and other programs that trigger the anti-cheat. As far as I know, Roblox crashes you if the anti-cheat flags a program. I think even things like RivaTuner can cause Roblox crashes with the anti-cheat.
I was pinged to answer a question that is Hyperion-related, so I answered as well as I could without giving away internal information. The issue of scale applies to the OP’s post too. I also replied to your comment, “Roblox simply chooses not to take action,” which is incorrect.
Is there any way for you to program it so that if some of these obvious errors are tied to a specific username, it automatically bans them from your game?
Otherwise, I’m not even sure why Roblox doesn’t ban them. Either they know they’re exploiting and they don’t take any action, or their anti-cheat is still underdeveloped.
You could intercept errors using the ScriptContext in DataModel, and call some remote to ban when the error makes no sense, e.g. “can’t access parent of script” or the script is nil, and you can try to do some work to make it so it must be able to work or something.
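One way to implement the ScriptContext interception suggested in the post above while treating each client report as a single low-confidence signal, the concern raised elsewhere in this thread. This is an added example, not code from any participant or from Roblox; the module name, the RemoteEvent name, the thresholds and the empty-traceback check are assumptions.

```lua
-- ModuleScript "ErrorSignals" in ReplicatedStorage (added example; names are assumptions).
-- require() it once from a server Script and once from a LocalScript.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local RunService = game:GetService("RunService")
local ScriptContext = game:GetService("ScriptContext")

local REMOTE_NAME = "ClientErrorReport" -- hypothetical RemoteEvent name
local MIN_REPORTS = 3                   -- assumed threshold before a note is logged
local WINDOW = 60                       -- assumed sliding window, in seconds

if RunService:IsClient() then
	local remote = ReplicatedStorage:WaitForChild(REMOTE_NAME)
	ScriptContext.Error:Connect(function(message, stackTrace, source)
		-- Heuristic from the thread: the erroring script is nil or unparented.
		-- Treating an empty traceback the same way is an assumption.
		local orphaned = source == nil or source.Parent == nil
		if orphaned or stackTrace == "" then
			remote:FireServer(string.sub(message, 1, 200))
		end
	end)
	return {}
end

-- Server side: create the remote and keep a per-user sliding window of reports.
local remote = Instance.new("RemoteEvent")
remote.Name = REMOTE_NAME
remote.Parent = ReplicatedStorage

local history = {} -- [userId] = { report timestamps }
Players.PlayerRemoving:Connect(function(player)
	history[player.UserId] = nil
end)

remote.OnServerEvent:Connect(function(player, message)
	-- `player` is filled in by the engine; everything after it is client-controlled.
	if type(message) ~= "string" or #message > 200 then return end
	local now, kept = os.clock(), {}
	for _, t in ipairs(history[player.UserId] or {}) do
		if now - t < WINDOW then table.insert(kept, t) end
	end
	table.insert(kept, now)
	history[player.UserId] = kept
	if #kept >= MIN_REPORTS then
		-- One factor only: log it for review next to server-side evidence.
		warn(("[ErrorSignals] %d (%s): %d orphaned errors in %ds"):format(player.UserId, player.Name, #kept, WINDOW))
	end
end)
return {}
```

A modified client can simply never send the report, so a silent client proves nothing; a report is useful only as one input alongside checks the server performs itself.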
I know it sounds easy, we got the user ID of a user, therefore we can simply ban them for their malicious behavior. However, one needs to understand that everything, and I mean everything, that is sent from the client might be compromised. This is the reason we need multiple factors to have higher confidence before we act. Could the evidence shown by the OP be one of these factors I speak of? Sure. Could it be the only factor needed? No way.
Roblox when dealing with exploiters: Well, they could be compromised who knows! Let’s investigate for a month before deciding whether they should be banned for 1 day!
Roblox when dealing with developers: That picture of a shovel you uploaded? Our poorly-coded bot has detected harmful content, moving in for a swift ban!
Where was that ‘everything from the client might be compromised!’ approach last month when malicious scripters were able to terminate developers instantly simply by adding a fake GUI to the game and reporting it? Sorry, but this system is just crap as it stands now. The system seems completely backwards. You have numerous automated bots which fail constantly and throw warnings and bans at developers, yet practically nothing exists for cases like the OP where it’s so blatant it’s laughable. I know the stuff with Trust & Safety and how your team wants to terminate these accounts but isn’t allowed, so there’s no need to wear a mask regarding the issue. I can only suggest you appeal to the higher ups and attempt to get this system changed because it’s a joke. Even if it’s not a termination immediately by Roblox, the OP suggests giving developers tools to mitigate it. There is no reason our dashboards should be flooded with this kind of nonsense.
No other game in the world gives a 1-day ban for injecting. EAC, VAC, Vanguard, etc all move to immediate terminations. We know this is what you want too, so please keep up the fight internally as you’re the only representative we have.
Because despite them all having their own, often glaring, issues they’re all either based on objective known information (VAC doing detections based off confirmed known cheats and their injection methods/code) or have far more ability to detect things than Hyperion (Vanguard is literally a rootkit, in very plain and basic English meaning it runs when you press the power button and sees all as if it’s built into Windows itself)
Hyperion won’t let you start your game if a program window has a title starting with x64dbg because it’s a known debugging tool which can very easily be used to inject code (and in turn exploit the game) - It doesn’t care if the program actually is x64dbg or not, it doesn’t care if you aren’t using it in Roblox, it’s just guessing/assuming that you may potentially have something malicious and pre-emptively not letting you in because of it.
Hyperion is very basic and oversensitive because it’s far easier to just assume most stuff is bad than do what VAC does (look at how TF2 and CS2 are going with VAC in use) and it’s a really bad look to use something comparable to literal malware (Vanguard having as much access as it does, regardless of the fact it’s talking to China/Tencent, is genuinely a terrifying idea. Any virus worth its salt these days will do its best to be a rootkit, or as close to one as possible)
Because of the basic checks and oversensitivity, Roblox can’t afford to ban anyone it picks up, because of how easy it is to trip by accident.
The cheats Vanguard and VAC have to deal with are on a completely different level. Trying to detect tiny aimbots reading memory and spoofing mouse movements is a completely different task than detecting script executors which let people inject all types of nonsensical code into the engine. Roblox cheats are very blatant comparatively which is why every single relevant one has been picked up in a ban wave so far. As mentioned above, developers can detect this stuff with error logging and scriptcontext but it still makes its way up the pipe into the error dashboard. And the argument we’re making is that there should be better handling of this stuff on Roblox’s end, because it’s beyond the point of stealth-detection measures. Stuff like this should be handled in tiers, where blatant things like what OP describes are dealt with immediately while other cases, like what Bitdancer describes as badware, should have more careful consideration.
Additionally, for what it’s worth, the opinions shared publicly by members of Roblox’s security team disagree with your conclusion that Vanguard is a Chinese rootkit.
System software engineer here. Are there plans to or actual negotiations with Google about the Google Store policies that prevent Hyperion from being applied to the Android client? Considering the scale of the platform and the millions of users, I would imagine Roblox Corp would have a little bit of clout in negotiating an exemption to Google Store policy. However, even though Android is published by Google, Google isn’t the only Android based platform with a store out there. I have the Roblox client on my Amazon Kindle as well (as you may or may not be aware of).
In both cases, you are not required to load apps from the store. Just download/transfer an APK file over to the device and install it. You do have to do a few things though before it will let you, but it’s doable. I’ve done it myself with Android apps that I’ve written. The biggest difference between Windows and Android is that Windows has security as an afterthought. I’ve been around for quite a while and remember all the very spectacular security breaches back when Windows XP was king. Android, being based on the Linux kernel, and therefore under the Unix umbrella, is inherently more secure than Windows.
The reason why Roblox is not seeing much on Apple iOS devices is due to Apple security, which is actually quite good. The iOS and Mac OSX kernels are based on the Mach kernel from NeXTSTEP operating system. The Mach kernel is based on the BSD kernel which I am very familiar with (I run FreeBSD servers at home with custom software that I wrote). NeXTSTEP was developed by NeXT Computer which was founded by Steve Jobs after he was forced out of Apple Computer in the late 1980s early 1990s. When Steve Jobs came back to Apple in the mid to late 1990s, he brought all that with him and folded NeXT computer into Apple. Back on topic, Apple security is tighter than a drum because you can only install apps from the Apple App Store. Therefore, you have to jailbreak the device which is not easy. Apple patches security holes regarding this faster than [insert metaphor activity here]. Apple security isn’t based on just software, it’s also hardware where there are device specific SSL certificates stored in places in the device that only the CPU can access under very specific conditions. Furthermore, all software has to be digitally signed. Android does not have these requirements, so that’s why this is becoming an issue on Android.
The part of Apple storing certs is in every modern phone or computer, they will always have a hardware keystore. Apple’s security comes at the cost of user freedom, and because of that they have to change it to continue working in the EU, and you don’t necessarily need to jailbreak to install modified apps outside the AppStore, you can use other methods that are jailbreak-less. The kernel something is based on is truly not that significant, and it’s not going to change the world at all. Exploiting is possible because in a device a user has theoretical control over, anything can be done. In Android you don’t need to have root to mod apps, just install it unofficially, but if you want to use root, you can use a Magisk Module or an LSPosed module to patch the game as you boot, for example. They’re all valid strategies. Apple patches Jailbreak because, essentially, it’s a Kernel-level unsigned code execution exploit. Android doesn’t have to, because you can unlock your Bootloader, which makes you fail integrity checks with Play Protect and other validation systems, as your keystore says your Bootloader is unlocked. Most rooted users modify it by making the device pass the BASIC test, yet not the hardware-backed test, which basically means it doesn’t use the device’s keystore. Basic is probably going to be removed at some point, and that would probably lead to rooting being even less popular than it already is, because aside from trying to hide root from apps, you have to hide it from Google Play to use some apps. You shouldn’t recommend Roblox to go off-store, it limits visibility a ton and it’s a terrible approach to things. I’m not a software engineer anyway, so what say may I have…
While this post seems to be becoming a pretty heated debate, I do think both sides have some valid points.
In my own games I don’t ban blatant cheaters, because the game performs better in the algorithm when everyone, even cheaters, is allowed to play. Instead I send cheaters to purgatory/cheat only servers.
I do want to ask why running an executor can’t be the only factor when determining a ban? Isn’t that the most blatant and obvious breach of ToS that affects Roblox, its developers, and its community all in one blatantly harmful action??? With the captchas removed and account creation at an all time high for accessibility, why isn’t being a little more aggressive towards cheating on the table?
Lastly if banning these users, or banning them in a timely manner is something Roblox is unwilling to do, would a better solution be just exposing some of the collected data to the developers? I don’t mind using evidence of injection as the only factor in determining whether a cheat occurs and taking immediate action.
Anti-cheat/anti-tamper software is very platform-specific. Hyperion, in its current form, cannot be simply ported to other platforms. We have been working for quite some time on an Android-specific solution, and public announcements regarding Android exploit prevention will be made soon.
The company has a zero false positives policy. Upon investigation, our team has to prove that none of the bans we administered are false positives.
Where is that policy for literally every other instance of ‘moderation’ this company does, including the chat filter, asset uploading, and every other form of report that is handled by a poorly coded bot? Why is it that the most blatant offenders get a free pass yet the people actually developing and playing fairly are constantly bonked over the head by automod? I could understand this policy for terminations, but you don’t even do that. All this red-tape just for a 1-day ban which Roblox is happy to hand out whenever you upload a picture the automod doesn’t like.
An entire detection system that just sits there unused because of fears of impacting the MAU.
Your team does good work, it’s unfortunate that the rest of the company doesn’t seem to care.