Rovird - Advanced Virus Detection

Website/API Github
Plugin (plugin source)
Rovird is an extremely powerful virus detector. Rovird sends script source to an open source API (separate from Roblox) that analyzes it. This analysis includes resolving all external requires. That’s right, Rovird is capable of resolving require(id) and analyzing the module directly off of the Roblox library. This alone makes Rovird more powerful than existing plugins.

Directions


There are multiple ways to utilize the Rovird’s API. I’ll go over the 3 that may actually happen.

Using the plugin


Using the plugin is obviously the easiest way to scan scripts in your game. With just a few clicks you can scan your entire game for possible viruses and resolve all external requires, regardless of layer.

First, you will need to download the plugin from here. Once you have it on your studio, you’ll see a new category in your plugin toolbar which will look like this:

When you first install the plugin, it may ask for script injection. Though Rovird does not modify scripts in any way, plugins need script injection in order to read source code. If Roblox releases a separate read/write permission for plugins to read source that’d be even better for protection, but for now script injection will be required.

When you click on this button, you’ll be greeted with a UI. There are currently 5 buttons:

  • Send Job
  • Results
  • Toggle DNC
  • List DNC
  • Options

Scanning your game

In order to actually scan your game, you will need to click on Send Job. The first time you do, it might ask you to allow HttpService to send requests to https://rovird.xyz. If it does not say that url (and you haven’t changed it in options), uninstall the plugin as it’s a clone.

Once you allow HttpService from the plugin and click Send Job, the Results button will turn gray. While the button is gray, you cannot click it. Eventually it will turn either green or red. If it turns green, you can click on it to see results. If it turns red, an error occurred and you’ll see an error message in your console. Report this to me so I can fix it, if I can!


Once Results turns green, you may click it.

Looking through results

When going through results you will see a list item for every script in your game, plus every external script and any scripts those require. This may be overwhelming, so you can see quick stats on the right:


These quick stats include the total number of scripts scanned, broken into internal and external scripts. Internal scripts are the scripts actually in your game. External scripts are any scripts that your scripts require by id (require(id)). Below that is the total flag count across all of the scripts.

You may want to filter the results to show only flagged scripts; you can do that by clicking on the flag icon above the quick stats. If your game’s scripts have any flags, they’ll show in the UI once you click that icon:

From here, you can left click on any of these buttons to see all of the flags in the script, or right click to open the script. If the script is external, a link to the library entry is printed to the console instead, which you can follow. When you left click it for flags, you’ll get another page that looks similar and lists all of the flags:


If you left click on any of these, the script opens and scrolls to the line the flag is on. If the script is external, the link is printed to the console along with the line the flag is on. You can analyze these external scripts using a tool like BTRoblox.

Adding scripts to the whitelist

Because virus detectors are imperfect, Rovird provides you with a whitelist (the “do not check” list, or DNC). To add anything to it, select it in the workspace and click on the “Toggle DNC” button. This will add the selected scripts to the whitelist. The do not check list is recursive, so no descendants of an item on the do not check list are scanned.

You can check your do not check list by clicking on “List DNC.”

Removing scripts from the whitelist

If you accidentally added a script, or a virus tried to add itself to the list, right click on the item in “List DNC” to remove it. If you left click instead, it will select the instance in the workspace.

Changing the request URL

If you click Options, you’ll be able to change the request URL. You may want to do this if you self host it. A trailing slash is not required; one is added for you if you don’t include it. Make sure you press Enter after putting the new URL in, or your change won’t be saved. Also, if you don’t have a domain, include the port here, e.g. http://localhost:6750/

Using the website

If you don’t want to use the plugin, you can use the website over at https://rovird.xyz/. This site hosts the API the plugin uses, so the results will be the same. You have 2 options when using the site: upload an rbxm or rbxmx file, or give it an asset id to check. The asset must be free and on sale. If the id meets those criteria, it can be anything: a model, a script, a plugin, etc.

There’s a video on how to use it here:

Hosting it yourself

Because this is an open source project, anyone can contribute to it, and anyone can clone the repository and host it themselves. All I ask is that you abide by the license which is MIT. Basically, you can do whatever you want with no warranty or liability, as long as you keep a copy of the original license in there.

You can either clone the repo directly, or download it as a zip. You will need Node v16 to run this program. Once you have it downloaded, run npm install to install the dependencies, then start it with npm start. It will host on port 6750 by default, but you can change that in settings.

If you don’t have an SSL certificate, leave developer mode on.

Once it’s running you can access it in your browser at http://localhost:6750, where 6750 is the port you chose to host it on.

You can then go into the options on the plugin menu and set the URL to the same URL you’d use to access it. You’ll see any request get logged to the console.

Against other virus detectors

vs Server Defender
Server Defender is an antivirus plugin. Let’s see how it stacks up:
Here are Server Defender’s results. This is not a virus script, but it is understandable why it’s detected. There is, however, an intentional virus in this place that it did not detect (I have reported the virus to Roblox multiple times over the last few months, but it’s still up, so I decided to test on it).

vs GameGuard
GameGuard is another virus detector. Let’s look at its results:


As you can see, with basic “require” detection nearly every script is a false positive. It’s understandable, but the bloat is very apparent. When I turned require checks off I only got 3. 2 of them are predictable, as they use getfenv; the first one, however, is detected because of “Lil” (a common obfuscation pattern is iliilil, etc.), triggered by the string “Lily white”, which is obviously a false positive. And there is still no detection of the required virus, short of flagging every require by itself.

Now let’s see Rovird’s results:

The script at the top is a false positive (it’s obfuscated). However, as you can see, 5 other scripts are detected, 3 of them external. This comes from a single require(id). That script requires a virus which in turn requires another virus (External 2: the number is the require layer; 1 is a require(id) from a script in your game, 2 is a require(id) from the previously required script, etc.), all of which Rovird is capable of analyzing. The script at the very bottom is a detection of a script attempting to add an item to the do not check list.
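To make the layer numbering and the internal/external quick stats concrete, here is an added example in Node.js. It is not Rovird’s code and does not call the Roblox library: asset sources come from a constructed in-memory map with placeholder ids, the flag patterns are two simple regexes standing in for Rovird’s real checks, and the function names are my own. It matches only numeric require(id) calls, so a local require such as require(x:WaitForChild("y")) is neither downloaded nor flagged.

```javascript
// Added example (not Rovird's own code): walk require(<id>) chains, label
// each script with the "External N" layer number, and compute the
// internal/external/flag totals shown in the results panel.

// Only a numeric literal is an external asset id. require(script.Parent.Mod)
// or require(x:WaitForChild("y")) refer to ModuleScripts inside the place,
// so they are deliberately not matched (and not flagged).
const REQUIRE_ID = /\brequire\s*\(\s*(\d+)\s*\)/g;

// Plain-English flags of the kind the thread talks about (stand-ins).
const FLAG_PATTERNS = [
  { name: "external require(id)", re: /\brequire\s*\(\s*\d+\s*\)/ },
  { name: "getfenv usage", re: /\bgetfenv\b/ },
];

// Constructed stand-in for the Roblox library: asset id -> Lua source.
// 111 -> 222 -> 333 -> 111 forms a require cycle on purpose.
const FAKE_LIBRARY = new Map([
  [111, "local m = require(222)\nreturn m"],
  [222, "local env = getfenv()\nreturn require(333)"],
  [333, "return require(111)"],
]);

function fetchAsset(id) {
  // Stand-in for downloading an asset; throws like a failed download would.
  if (!FAKE_LIBRARY.has(id)) throw new Error(`asset ${id} not available`);
  return FAKE_LIBRARY.get(id);
}

function findRequireIds(source) {
  return [...source.matchAll(REQUIRE_ID)].map((m) => Number(m[1]));
}

// Per-line flags for one script, each as { line, flag }.
function scanSource(source) {
  const flags = [];
  source.split("\n").forEach((text, i) => {
    for (const { name, re } of FLAG_PATTERNS) {
      if (re.test(text)) flags.push({ line: i + 1, flag: name });
    }
  });
  return flags;
}

// Breadth-first walk: game scripts are layer 0 (internal); an asset required
// from layer N is reported at layer N+1. The visited set stops require
// cycles and maxLayers bounds the walk; a failed download is recorded as an
// error entry rather than aborting the whole job.
function scanGame(scripts, { maxLayers = 10, fetch = fetchAsset } = {}) {
  const results = [];
  const visited = new Set();
  const queue = scripts.map((s) => ({ name: s.name, source: s.source, layer: 0 }));
  while (queue.length > 0) {
    const item = queue.shift();
    results.push({ name: item.name, layer: item.layer, flags: scanSource(item.source) });
    if (item.layer >= maxLayers) continue;
    for (const id of findRequireIds(item.source)) {
      if (visited.has(id)) continue;
      visited.add(id);
      const name = `External ${item.layer + 1} (asset ${id})`;
      try {
        queue.push({ name, source: fetch(id), layer: item.layer + 1 });
      } catch (err) {
        results.push({ name, layer: item.layer + 1, flags: [], error: err.message });
      }
    }
  }
  return results;
}

// The quick stats: total scanned, internal vs external, total flags.
function summarize(results) {
  const external = results.filter((r) => r.layer > 0).length;
  const flags = results.reduce((n, r) => n + r.flags.length, 0);
  return { total: results.length, internal: results.length - external, external, flags };
}

// Constructed sample game: one script pulling in a library asset, one using
// a local ModuleScript require that must not be treated as external.
const SAMPLE_GAME = [
  { name: "Workspace.Script", source: "local lib = require(111)\nprint(lib)" },
  { name: "ServerScriptService.Main",
    source: 'local cfg = require(script.Parent:WaitForChild("Config"))\nreturn cfg' },
];

const sampleResults = scanGame(SAMPLE_GAME);
console.log(JSON.stringify(sampleResults, null, 2));
console.log(summarize(sampleResults));
```

Running it reports the two game scripts at layer 0, asset 111 at layer 1, 222 at layer 2 and 333 at layer 3; the cycle back to 111 is skipped because it was already visited. The visited set is shared across the whole job, so an asset required by several scripts is downloaded and scanned once.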

Rovird had a single false positive in this example and detected the required virus. Neither GameGuard nor Server Defender did; where they flagged the script at all, it was because it required something, not because what it required was actually malicious.

As you can see, Rovird can detect what other virus detectors can’t. Because analysis is outsourced to an API that is more capable than Roblox itself, there are many possibilities for analysis in the future, including potential AI analysis and scoring!

Technical details

Rovird uses HttpService to send the source code of the scripts in your game to an API for analysis. You may view the API’s source code here, run it yourself, and make PRs to add new flags, etc. The code base is still a little messy and I am working on cleaning it up, but I wanted to get it out to everyone.

Rovird keeps up to 1000 instances in memory at a time (for 10 minutes); they are never permanently written to disk (only externally required scripts are written to disk at all, and those are removed after being read and parsed, unless an error occurs from downloading too many at once). In addition, Rovird caches jobs for 10 minutes or until their results are requested, so once you have fetched results they are deleted from memory. The plugin itself uses an internal cache, but if you wish to make an app to interact with the API directly, keep that in mind.

Rovird’s jobs API has a rate limit of 60 requests/minute (jobs-status has a 120 requests/minute limit). This is not a gradual refresh: once you use all 60 you’ll have to wait for the reset. I mention this because rate limiting means your IP is stored in memory. If you don’t make any requests to the API for 60 seconds it is purged automatically. I may look into API keys from the website in the future for higher limits, though I’m not sure yet. Rovird’s API does not persistently store or track any data; it works entirely in memory.
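The two in-memory mechanisms described above (a fixed window that resets all at once rather than refilling gradually, IP entries purged after 60 seconds without requests, and jobs that are handed out once and then forgotten) are worth seeing in code. The following is an added Node.js example written for this post, not the Rovird API’s own implementation; class names, the route names used as bucket keys and the injectable `now` parameter are my own choices.

```javascript
// Added example (not Rovird's code): fixed-window per-IP rate limiting with
// idle purge, plus a job store that deletes a job on first read or after a TTL.

const WINDOW_MS = 60_000;            // one-minute window, reset all at once
const JOB_TTL_MS = 10 * 60_000;      // jobs live at most 10 minutes
const LIMITS = { jobs: 60, "jobs-status": 120 };  // requests per window per route

class FixedWindowLimiter {
  constructor(limits = LIMITS, windowMs = WINDOW_MS) {
    this.limits = limits;
    this.windowMs = windowMs;
    this.clients = new Map(); // ip -> { windowStart, counts, lastSeen }
  }

  // Returns { allowed, remaining, resetInMs }. The window starts at the
  // client's first request; nothing refills until windowStart + windowMs.
  // `now` is injectable so the behaviour can be tested without waiting.
  check(ip, route, now = Date.now()) {
    const limit = this.limits[route];
    if (limit === undefined) throw new Error(`unknown route ${route}`);
    let c = this.clients.get(ip);
    if (!c || now - c.windowStart >= this.windowMs) {
      c = { windowStart: now, counts: {}, lastSeen: now };
      this.clients.set(ip, c);
    }
    c.lastSeen = now;
    const used = c.counts[route] || 0;
    const resetInMs = c.windowStart + this.windowMs - now;
    if (used >= limit) return { allowed: false, remaining: 0, resetInMs };
    c.counts[route] = used + 1;
    return { allowed: true, remaining: limit - used - 1, resetInMs };
  }

  // Forget every IP that has been idle for a full window, so addresses are
  // not kept around longer than the limiter needs them. Returns entries left.
  purge(now = Date.now()) {
    for (const [ip, c] of this.clients) {
      if (now - c.lastSeen >= this.windowMs) this.clients.delete(ip);
    }
    return this.clients.size;
  }
}

class JobStore {
  constructor(ttlMs = JOB_TTL_MS) {
    this.ttlMs = ttlMs;
    this.jobs = new Map(); // jobId -> { result, createdAt }
  }

  put(id, result, now = Date.now()) {
    this.jobs.set(id, { result, createdAt: now });
  }

  // The first read removes the job: results are handed out exactly once.
  // An expired job is removed and reported as missing.
  take(id, now = Date.now()) {
    const job = this.jobs.get(id);
    if (!job) return null;
    this.jobs.delete(id);
    return now - job.createdAt >= this.ttlMs ? null : job.result;
  }

  // Periodic sweep for jobs whose results were never requested.
  expire(now = Date.now()) {
    for (const [id, job] of this.jobs) {
      if (now - job.createdAt >= this.ttlMs) this.jobs.delete(id);
    }
    return this.jobs.size;
  }
}

// Small demonstration with a constructed clock.
const limiter = new FixedWindowLimiter();
const t0 = 1_700_000_000_000;
for (let i = 0; i < 60; i++) limiter.check("10.0.0.1", "jobs", t0 + i);
console.log(limiter.check("10.0.0.1", "jobs", t0 + 100));           // denied
console.log(limiter.check("10.0.0.1", "jobs", t0 + WINDOW_MS));     // allowed again
```

A client calling the API directly should treat `allowed: false` as "sleep for resetInMs", not "retry immediately", since no capacity comes back before the window rolls over.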

Rovird requires modification permission to read the source of scripts. However, it does not ever set the source of the script itself. Rovird is a tool to find potential viruses, however it does not take any action for you.

Rovird will ask you to allow access to rovird.xyz. That is the correct website that the api is hosted on.

The Rovird API runs on a dedicated server with 48 GB of RAM and 24 cores. Analysis is relatively fast, with the main cap being the download of external requires (which still doesn’t take long, since the server is on a gigabit connection).

I’ve only tested the API by myself, which means it has never been under heavy demand. Results may vary based on how many requests it’s getting. Be respectful, don’t spam the API please!

Limitations

  • Single hierarchies of >1 MB are currently not supported (Roblox limitation). They will be supported in the future by sending the data in chunks. Update: switched to RequestAsync and the limit is now 20 MB (server side limit, might adjust in the future).
  • This is a tool that does script analysis. It is not guaranteed to work. It will have false positives and false negatives. Be vigilant when using free models and have trusted people work for you.
  • Doesn’t scan plugins yet (you can use the website for this, though).

Plans

  • Open source the API once the code base is cleaned up. The code is now available here! (If you’re looking for the dump of the plugin, you can find it here.)
  • Better graphics
  • Better documentation. This page has been rewritten in a way I feel better documents how to use the plugin and the website.
  • Code-based flags (right now flags are just given in English; if they are coded by number they will be easy to translate)
  • Better UX
  • Upload models/asset ids to the website for analysis. This is complete; you can now upload models and asset ids directly to the website at https://rovird.xyz/.
  • API keys (higher limits, and more secure)
  • More analysis (and better analysis; if you see a false negative, let me know so I can get to fixing it! False positives are better than false negatives!)
  • Possibly AI analysis (I will need a lot of examples to train the AI on if I do this)
  • Scan plugins from the plugin (possible on the website, just input the asset id)

Check back in every now and then for these!

If you find any issues let me know! If you spam the website it will rate limit you; if you keep spamming you will be blocked entirely (if the API crashes and the plugin tells you it can’t connect to the server, DM me and I will respond to those faster).

27 Likes

Pretty cooooooool, also will this beat gameguard?

1 Like

I included a gameguard comparison in the thread under
https://devforum.roblox.com/t/rovird-advanced-virus-detection/1537021#against-other-virus-detectors-7

1 Like

Cool! I’ll use it for my antivirus and will be sure to credit you

1 Like

Thanks! If you notice any false negatives feel free to let me know and I’ll see what I can do about them asap.

2 Likes

This is amazingly advanced. I believe it is more trustworthy in terms of virus detection especially since it confirms with Roblox and outside sources rather than simply scanning for require. Great work mate! Surely going to use it! This is going to save tons of time! :smiley:

1 Like

Thanks, I’m even working on AI scoring right now that will be passed over for users to make even better informed decisions. I’m just gathering a bunch of scripts and identifying them as virus or not virus and the AI will spit out values giving it a score on the virus and not virus scale.

This is what it looks like right now with very little training data (biased towards virus right now)


If virus > not virus then it’s likely a virus (rocket science there). When I get this done (next week maybe, I’m busy over the weekend), users will have a helping hand in script analysis.

Edit: On second thought, that may take a while. I’ve already got about 2000 non virus scripts fully scanned and ready to train the AI, but now I need to find a good amount of viruses as well. I want to have the AI be as unbiased as possible. If you have asset ids of viruses that roblox hasn’t removed even though you reported them over 6 months ago feel free to send them my way (in a personal message) so I can get them into the AI’s training dataset and make it better for everyone.

1 Like
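The scoring described in the reply above (a per-class score, "virus" if the virus score beats the not-virus score) is what a naive Bayes classifier produces, and the later reply confirms that is what is being built. Here is an added, self-contained Node.js example of that scorer over Lua tokens; it is not the author’s classifier, the training samples are constructed and tiny, and the tokenizer, class names and `usePrior` switch are my own. The switch shows the bias the author mentions: with more benign than malicious samples, the class prior pulls an unfamiliar script towards "not virus".

```javascript
// Added example (not the author's model): multinomial naive Bayes over Lua
// tokens with Laplace smoothing. Scores are log-probabilities, so the
// larger (less negative) number wins.

const CLASSES = ["virus", "not virus"];

// Identifiers, numbers and string contents, lower-cased; punctuation dropped.
function tokenize(source) {
  return source.toLowerCase().match(/[a-z_][a-z0-9_]*|\d+/g) || [];
}

class NaiveBayes {
  constructor() {
    this.docs = { virus: 0, "not virus": 0 };          // documents per class
    this.tokens = { virus: new Map(), "not virus": new Map() }; // token counts
    this.totals = { virus: 0, "not virus": 0 };        // tokens per class
    this.vocab = new Set();
  }

  train(label, source) {
    if (!CLASSES.includes(label)) throw new Error(`unknown label ${label}`);
    this.docs[label] += 1;
    for (const t of tokenize(source)) {
      this.tokens[label].set(t, (this.tokens[label].get(t) || 0) + 1);
      this.totals[label] += 1;
      this.vocab.add(t);
    }
  }

  // log P(class) + sum log P(token | class). With usePrior=false both classes
  // start at 0, which removes the skew an unbalanced corpus introduces.
  score(source, usePrior = true) {
    const nDocs = this.docs.virus + this.docs["not virus"];
    const out = {};
    for (const label of CLASSES) {
      let s = usePrior ? Math.log(this.docs[label] / nDocs) : 0;
      const denom = this.totals[label] + this.vocab.size; // Laplace smoothing
      for (const t of tokenize(source)) {
        s += Math.log(((this.tokens[label].get(t) || 0) + 1) / denom);
      }
      out[label] = s;
    }
    return out;
  }

  classify(source, usePrior = true) {
    const s = this.score(source, usePrior);
    return s.virus > s["not virus"] ? "virus" : "not virus";
  }
}

// Constructed training data: 3 malicious-looking samples, 6 ordinary ones,
// deliberately unbalanced the way the author describes.
const VIRUS_SAMPLES = [
  "local r = require(111)\ngetfenv()",
  "getfenv().require(222)",
  "local iliilil = require(333)\nscript.Parent = nil",
];
const BENIGN_SAMPLES = [
  "local part = script.Parent\npart.Touched:Connect(function(hit) print(hit) end)",
  'local players = game:GetService("Players")\nplayers.PlayerAdded:Connect(function(p) print(p.Name) end)',
  "local function add(a, b) return a + b end\nreturn add",
  "local config = require(script.Parent.Config)\nreturn config.speed",
  'local module = {}\nfunction module.hello() print("hello") end\nreturn module',
  'local tween = game:GetService("TweenService")\nprint(tween)',
];

function trainedModel() {
  const model = new NaiveBayes();
  for (const s of VIRUS_SAMPLES) model.train("virus", s);
  for (const s of BENIGN_SAMPLES) model.train("not virus", s);
  return model;
}

const model = trainedModel();
console.log(model.score("getfenv()\nlocal x = require(444)"));
console.log(model.classify("local part = script.Parent\nprint(part.Name)"));
```

A script with getfenv and a numeric require scores as "virus" either way, and a plain Touched handler scores as "not virus" either way; a script the model has barely seen tokens for (for example `local foo`) flips between the two depending only on whether the prior is applied, which is exactly the imbalance problem that more malicious training samples would fix.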

I’ve published an update that should prevent the info in results from being incorrect after clicking results more than once.

EDIT: I’ve just published a second update that will prevent the plugin from erroring if you delete a script after sending the jobs and click results.

Alright, I decided to open source the api finally. I’ve cleaned up a little bit and you can view it here! Don’t mind all the comments, I’m working on a lot of stuff. The AI (which is really just a bayes classifier, I may look into full neural networks if they can prove to be better for the computing cost) is not complete and the training data is significantly biased right now, don’t expect it to work properly.

With this update you can now also change your base URL in the options menu of the plugin if you want to host it locally. I’ve updated the post with more info.

If you notice any problems be sure to tell me right away! Feel free to contribute more flags/detections to the repo too if you know of any or have any good ideas!

Also, I’m trying to fix a false positive where stuff like require(x:WaitForChild("y")) causes a flag.

2 Likes

I just published another update. Now you will not be able to click results until they’re actually available. While the button is gray, you won’t be able to click it. Once it turns green you can. If the button goes red that means an error has occurred while getting job status. Hopefully that should make this a little easier to use.

Alright, I found out that the size limit on PostAsync was only on PostAsync and does not apply to RequestAsync. Because of this reason, Rovird now supports single hierarchies of up to 20mb (that limitation is mine and I may adjust it in the future, but it’s already overkill).

I’ve published another update. If the connection is unsuccessful, Rovird’s results button will become red and you’ll get a message in the console.

Children of external models are now properly resolved.

I’ve begun work on the website where you’ll be able to upload rbxm’s/rbxmx’s or input an asset id and you can check everything right from the browser with no plugin needed! The website has been updated, but that’s all placeholder and if you click the button it’ll alert you that it’s not done yet.

How. This is very great.

I never thought that you could use AI to detect malicious code on Roblox but apparently I was proven wrong :smiley:

It doesn’t use AI yet, I’m working on gathering training data for the AI so that it’s not biased. There’s way more non-viruses than viruses in the training data so it’s heavily biased towards not virus. I will either need to cut down significantly on the number of regular scripts in the training data or find a significant amount of more viruses.

1 Like

When will the AI feature come out?

I’m not entirely sure. I want a good non-biased AI. I’m still debating whether to use a neural network or a bayes classifier.

1 Like

Update before I go to sleep:

First, I fixed some detection issues with hidden code. That should work fine now.

After a ton of fiddling, children should actually be properly resolved (again) regardless of external layer.

The web interface is kinda coming along, you can input asset ids into it now. It’s not pretty, I just want to say I suck at front-end development so this is a challenge. UX is not my thing. Anyways I’ll lay it out here:

If you go to https://rovird.xyz/ you will be greeted by this page:

To test this I will be using a known virus. When you enter the asset id and click submit, you’ll be redirected to a page like this:

You can click on any of the highlighted lines to see all the flags:

Click on the gray area inside of that block to close it.

And that’s really it. The UX is terrible, I’ll admit. But it works for now and I’m fine with that.

This works with assets that have a top level lua source container. This means it probably won’t work with plugins or models yet. That is a planned feature though so stay tuned!

No changes to the plugin were made

The website will now support any asset id and search for scripts anywhere in the model’s hierarchy! This means you can now look through any model or plugin!

I don’t think I’ll ever use a virus detector, but if I do, I know which one to use.

I think you could make this even more “Advanced” by adding more customizability.

P.S. you must have JavaScript enabled for the website to work! (In case you set your browser to block it)

2 Likes

I should’ve mentioned that, yeah. All of the source code for the website is available here: https://github.com/steven4547466/Rovird-Website/ (specifically here). This includes the detection api. There’s links to this in the original post, but I should put it here as well. The javascript is so the front end can make requests to the back end api.

Also, the website tracks nothing other than rate limiting information. And it has no persistent storage of anything. Once you click submit the job is deleted off the machine so if you refresh while looking at the results, they will disappear.

1 Like