Tags: class, lua, roblox, malware, malware-detection

Which Roblox/LUAU classes can have malware/scripts hidden inside?


Which Roblox/LUAU classes can have malware/scripts hidden inside? Which classes will still be executed as a script? Which classes cannot contain a malicious script? Audio?

Since the complaint has been made that it's not clear what I'm asking, I've added emphasis above and put the title in there, too.

Ok, so I'm trying to learn how to detect and remove malware from things in the Roblox Studio Toolbox. That is a tall order, since I'm still learning LUAU and there are many ways to conceal malware, including obfuscation techniques (spacing, reversed strings, reversed ascii strings, getfenv(), hidden teleports, nested scripts, scripts that were reclassified to something else, like a weld, etc.).

Reclassified malware is the thing I have the most trouble with, although long scripts and scripts split into different files can be a pain, too. I do things by trial and error, like in the case of the Sakura Tree model by TreelingDeveloper (rbxassetid://6787294322). I stripped it of everything except the Trunk and Mesh, Falling Leaves and Particle Emitter, and Leaves and Mesh, and it is still similar, despite removing a couple dozen pieces, including two scripts that were nested inside several welds and claimed to weld the bark on.

Edit: I rechecked the Sakura tree after posting. Deleting all those parts reduced its visual appeal, although not completely. There were a lot of "Bark," "Other" and "Welds" that I deleted, and even the ThumbnailCamera. As it turns out, keeping all of the "Bark" and "Others" adds additional details to the trunk. I can't see a use for the ThumbnailCamera or the welds and "auto-weld" scripts.

It's not terribly hard to use CTRL-SHIFT-F to search for words like "getfenv," "string.reverse," "require," "eriuqer," and "teleport" but it is beyond my level of ability to find everything.

If you have any suggestions or tips on the question or the larger issues of malware in Roblox assets, I'd love to hear about it. Thanks!

Antimalware Plug-ins

Thus far, I have reviewed several (~10) plug-ins for detecting malware. None of them seem to have behavioral or real-time detection. They all seem to use simplistic heuristic detection, often relying on common words and phrases associated with known malware, as well as certain LUAU commands and obfuscation techniques. Those that I thought were worth using, as inadequate as they were, are GameGuard, Guardian Angel Defender, Mirror Egg and Ro-Protect. Unfortunately, they get a fair number of false positives (Mirror Egg, for example, suggests that anything with the name "Fire," including fire effects I added, may be malware). GAD has the best UI and seems to find more than anything else, but it also finds a lot of "empty objects" that I'm not sure what to make of. None of them are real-time, and none are good enough on their own.

Explanation

I'm not artistic, so it really isn't possible for me to develop my own models, meshes and such, and I think people who say those who use the toolbox are lazy and get what they deserve are apparently unaware that not everyone is a master craftsman when it comes to CG.

Roblox Studio's Toolbox is jam-packed with assets, which is great, except many of them contain malware.

Beyond this point is mostly a rant. Feel free to ignore, unless you're going to tell me to contact Roblox Customer Service or go to the Roblox DevForum.

You may ask why I don't post this on the DevForum. I've been there since April and, despite 7 hours of reading and over 1k likes, I still have not become a "regular". I asked customer service about this, but they gave me the run-around, referring me back to the rules to become a regular (which are deliberately vague) and generally being eager to get rid of me as fast as possible without actually helping.

You may ask why I didn't ask Roblox for help. Having asked both the Appeals team (which had given me a 3-day IP ban and permanently suspended my unlisted, >private< game that is still in development because, they stated, I'd added an "inappropriate model" from the toolbox - a model that I didn't modify, and then rejected my appeal without any valid reason) and Customer Service, which gave me the run-around and did their very best not to help me, and to get rid of me as rapidly as possible, I'm trying to learn how to protect myself. In short, Roblox apparently refuses to take any real steps to deal with the plethora of malware, and help pages DO NOTHING to teach developers how to find malware. I've learned more on my own - which isn't nearly enough.

If I sound irritated, it's because I am. They have some of the worst customer support I've ever encountered in the 36 years of my adult life, and I've got many years of experience in that field, including tech support.

The Roblox tutorial pages have this to say when they introduce the toolbox:

> Anyone can upload an item to the Toolbox, so make sure your game still works after adding an item before settling on it. To learn how to inspect a model before inserting it, see [Item Inspection][1].

The linked page is woefully inadequate, and the page that Customer Support referred me to is, too. [What Is This Infected Model On My Place? help article.][2]

[1]: https://developer.roblox.com/en-us/resources/studio/Toolbox#item-inspection
[2]: https://en.help.roblox.com/hc/articles/203312920


Solution

When it comes to things that can execute code, the answer is Scripts and LocalScripts.

Some things to know: Scripts are only active in a few locations. According to the docs:

> The instant that the following conditions are met, a Script's Lua code is run in a new thread:

Similarly for LocalScripts:

> A LocalScript will only run Lua code if it is a descendant of one of the following objects:

This doesn't apply for Edit Mode, just when you are testing it in Play Mode.

The thing is, a Script instance can be inserted into the hierarchy of anything. Audio, Meshes, Decals, etc.: none of these things execute code on their own, but they are often Trojan Horses for delivering Scripts into the Workspace. And because the Toolbox inserts things into the Workspace by default, it creates the avenue for exploits that you're describing in your question.

This is why I recommended the Venom plugin by pa00, because it allows you to strip out any and all Scripts that might come with an asset. It is an easy countermeasure for when you are only looking for simple things. This suggestion falls apart once you start looking for more complicated assets like vehicles, Tools, and guns, where interactions have to be scripted, but it's a starting point.
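An added example, not part of the question or the answer above: a Luau snippet for the Roblox Studio command bar that combines the answer's point (the class, not the Name or the parent, decides whether code can run) with the keyword search from the question. It assumes the inserted asset is selected in the Explorer, and the token list is only a heuristic copied from the question (`require` in particular will also hit legitimate scripts).

```lua
-- Added example (not from the question or answer). Run from the Studio
-- command bar with the Toolbox asset selected. Every Script, LocalScript and
-- ModuleScript is a LuaSourceContainer, whatever it is named and whatever it
-- is parented under (a Weld, a Sound, a MeshPart), so we check by class.
local Selection = game:GetService("Selection")

-- Heuristic tokens taken from the question; plain, case-insensitive matches.
local SUSPICIOUS_TOKENS = { "getfenv", "require", "string.reverse", "eriuqer", "teleport" }

local function suspiciousTokensIn(source)
	local lowered = string.lower(source)
	local hits = {}
	for _, token in ipairs(SUSPICIOUS_TOKENS) do
		if string.find(lowered, token, 1, true) then
			table.insert(hits, token)
		end
	end
	return hits
end

-- Returns one record per script-like descendant of root; nothing is deleted.
local function auditAsset(root)
	local findings = {}
	for _, inst in ipairs(root:GetDescendants()) do
		if inst:IsA("LuaSourceContainer") then
			table.insert(findings, {
				path = inst:GetFullName(),
				class = inst.ClassName,
				parentClass = inst.Parent and inst.Parent.ClassName or "nil",
				lines = #string.split(inst.Source, "\n"),
				tokens = suspiciousTokensIn(inst.Source),
			})
			-- Quarantine rather than destroy: Disabled keeps the Source for
			-- review but stops Script/LocalScript from running in Play Mode.
			-- ModuleScripts have no Disabled property; they only run on require.
			if inst:IsA("BaseScript") then
				inst.Disabled = true
			end
		end
	end
	return findings
end

for _, root in ipairs(Selection:Get()) do
	for _, f in ipairs(auditAsset(root)) do
		print(string.format("%s (%s under %s, %d lines) tokens: %s",
			f.path, f.class, f.parentClass, f.lines, table.concat(f.tokens, ",")))
	end
end
```

A zero-token hit still matters: a long, unreadable Source under a Weld or Sound is exactly the "reclassified" case the question describes, and the decision to keep it should rest on reading it, not on the token list.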