Epix-Incorporated / Adonis

Roblox Server Administration System
https://adonis.dev
MIT License
308 stars 178 forks

Disable all client-sided anti-cheats by default, even on older loaders #1204

Closed moo1210 closed 1 year ago

moo1210 commented 1 year ago

Wasn't it discussed that all these detections on the client would either be off by default or removed earlier this year? I don't think any of these even actively flag genuine exploiters now that Byfron is deployed on Windows clients, it looks more like they just keep falsely flagging players after Roblox updates something.

Some of this was done (all of the toggleable client-sided anti-cheats in settings were set to false by default, however, there are still fairly useless client-sided ones that run under settings.Detection, which is still true by default), but in practice applies to virtually no games, since they all use outdated loaders, and most people don't actively merge their settings file. Realistically speaking, the client-side anti-cheats need a new setting to re-enable them, in order to disable them on games without the newest config file, which is kind of a flaw in how the settings file was created.

More recently, #1203, #1133, #1144 have been filed just fixing issues that they falsely flag users after Roblox updates things, which is to be expected since we're searching through internal Roblox-type things, that aren't documented and can change at any time.

(CC: @Sceleratis @coasterteam)

Sceleratis commented 1 year ago

Agreed tbh

wilsontulus commented 1 year ago

Tbh it's not really caused by Byfron. At least for me, most of the skids (which actually counts over 80% of the exploiters in my games) are still detected even by Adonis alone, let alone my own anticheat that's more optimized for the type of the game (e.g. obbies, vehicles, etc). All metamethod hooks are still detected properly, and most non-chad exploits that print their credits in the console, or some scripts erroring out while trying to call some unsupported function in non-chad executors, are still detected like normal.

For example, this is one of my PRs to address a false positive caused by a Roblox update: https://github.com/Epix-Incorporated/Adonis/pull/1203

I still partially agree for the option tbh, it looks like some people using Adonis don't really know how to tune & debug Adonis, let alone creating their own anticheats or even scripting all alone. Plus more skilled exploiters are offering their own scripts to those skids even though there's still a chance that a skid will unknowingly use a non-chad executor and the script spits out an error with blacklisted words in it.

moo1210 commented 1 year ago

I still partially agree for the option tbh, it looks like some people using Adonis don't really know how to tune & debug Adonis, let alone creating their own anticheats or even scripting all alone.

This is the main problem: Adonis never should've been doing anything beyond protecting itself as an anti-cheat. That was never its intended purpose or job. It's an admin system, not an anti-cheat system. People don't want to configure a built-in anti-cheat perfectly to get their admin system to work without kicking half of their players. That should be a separate project outside of Adonis, but realistically, it would still have the same false-detection problems, and would still be a massive hack, Adonis or not.

Also, the way most of these "anti-cheats" are built into Adonis is inherently flawed. Most of them are just depending on undocumented Roblox functionality that can change at any time, or depend on even weirder stuff, that the developer can affect, like prints to the console log. These issues have happened, time and time again, ever since the introduction of most of these features into Adonis. Whether it's from a developer printing something that we recently "blacklisted", Roblox updating Lua VM behavior, or updating how an Instance reacts or responds, it ends up kicking people from games.

Tbh it's not really caused by Byfron. At least for me, most of the skids (which actually counts over 80% of the exploiters in my games) are still detected even by Adonis alone

So I presume all your exploiters are on UWP or Android then? Byfron is planned to come to both, with UWP coming first (as well as it moving to 64-bit). So, it's only a matter of time before those are also patched out (somewhat) properly, without hacky client-sided Lua scripts.

ccuser44 commented 1 year ago

I don't think any of these even actively flag genuine exploiters now that Byfron is deployed on Windows clients, it looks more like they just keep falsely flagging players after Roblox updates something.

That's just not true. Byfron cannot cause Adonis to be detected.

What is happening is that Byfron fixed most professional exploits so exploiters switched to half-baked broken exploits (like Celery) which use UWP or mobile version. These exploits do not have vulnerability fixes which makes them detectable by Adonis, that is the source of detections, not false flags. This can be confirmed by increased posts on exploiter forums requesting for "Adonis bypasses."


This is the main problem, Adonis, never should've been doing anything beyond protecting itself as an anti-cheat. That was never its intended purpose or job. It's an admin system, not an anti-cheat system. People don't want to configure a built-in anti-cheat perfectly to get their admin system to work without kicking half of their players.

Sceleratis literally was part of the Roblox anti cheat consortium and Epix Incorporated had an exploiter banlist in 2016. Epix Inc used to even advertise Adonis as an anti cheat.

Again because there is an anti cheat people expect it to be there. I would say it's a net positive if a lot of games are given a blanket protection for them not having to do any effort to configure it. Less exploiters in Roblox is a net positive.

moo1210 commented 1 year ago

literally was part of the Roblox anti cheat consortium and Epix Incorporated had an exploiter banlist in 2016. Epix Inc used to even advertise Adonis as an anti cheat.

Yeah, back in 2016…. A lot has changed both in Adonis’s anti-cheat and Roblox, from FilteringEnabled, to network ownership, to Byfron.

moo1210 commented 1 year ago

(Also didn’t mean to close, that was a mistap on mobile, although there is an open PR)

alau740 commented 1 year ago

do we even need an anti exploit in adonis anymore

Dimenpsyonal commented 1 year ago

Wasn't it discussed that all these detections on the client would either be off by default or removed earlier this year?

@moo1210 yes it was. Unfortunately lazy maintainers

alau740 commented 1 year ago

Wasn't it discussed that all these detections on the client would either be off by default or removed earlier this year? yes it was. Unfortunately lazy maintainers

@LiveFireExercise i remember saying something on the discord like a year ago saying we should disable anti by default

Dimenpsyonal commented 1 year ago

@LiveFireExercise i remember saying something on the discord like a year ago saying we should disable anti by default

@alau740 yea and a year later nothing has happened

ccuser44 commented 1 year ago

literally was part of the Roblox anti cheat consortium and Epix Incorporated had an exploiter banlist in 2016. Epix Inc used to even advertise Adonis as an anti cheat.

Yeah, back in 2916…. A lot has changed both in Adonis’s anti-cheat and Roblox, from FilteringEnabled, to network ownership, to Byfron.

But Byfron doesn't apply for UWP. Which most exploiters now use.

Exploits developed for UWP are bad and that makes them detectable for Adonis. The detections you are seeing are valid detections from bad quality exploits like celery (except the ones relating to new Roblox changes)

In fact because of this the AC has become more relevant not less.

Also I don't see why the detections should be disabled on old loaders? If people have issues with them then they can just disable them manually.

alau740 commented 1 year ago

But Byfron doesn't apply for UWP. Which most exploiters now use.

Keep in mind that roblox are making the uwp client 64-bit and are likely going to add byfron to it

Also I don't see why the detections should be disabled on old loaders? If people have issues with them then they can just disable them manually.

a lot of the time the detections don't work properly and throw false positives

ccuser44 commented 1 year ago

I made a pull #1205 which makes it so that the user does not get punished if they have the 64-bit client/hyperion enabled.

It alleviates the primary concern of the issue without force disabling all ACs on all loaders.

It could also allow to debug potential false positives in the future because the log messages would tell if hyperion is enabled and if so know that it's a high likelihood that said detection is false

The pull also makes debugging the AC a lot important because now it will tell the device being used

ccuser44 commented 1 year ago

But Byfron doesn't apply for UWP. Which most exploiters now use.

Keep in mind that roblox are making the uwp client 64-bit and are likely going to add byfron to it

Well currently that's not true. Until Roblox adds Hyperion to the UWP client then it doesn't make sense to already disable it. It's not even clear if they will ever be able to add this to phones and xbox.


Also I don't see why the detections should be disabled on old loaders? If people have issues with them then they can just disable them manually.

a lot of the time the detections don't work properly and throw false positives

Which ones? You can't just tell there is an issue but not tell what the issue is. It's just like going to a doctor and saying "I'm sick please heal me!" and refusing to tell any further information.

The only false positives that I know recently of are with the log detector checking "getgc" in messages and false detecting a Roblox message, which is already fixed. All other problematic detections have always been disabled by default.

I don't think that justifies disabling the AC on all games especially when they can't re-enable them because they don't know about the new setting.

Also the addition of the 64-bit client and Roblox's Hyperion have actually made the Adonis AC more relevant because exploiters use worse quality UWP exploits (like celery) which are more easily detected by Adonis's AC, which can be confirmed by the increased amount of posts on exploit forums asking for "Adonis AC bypasses".

If this was done then we need to make an Adonis urgent message to let game owners of old loaders know that the AC is disabled and that they need to re-enable it.
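Added example, not part of the thread and not Adonis code: a Lua sketch of the two behaviours discussed above, a keyword-based log detector that matches "getgc" anywhere in a console message, and the #1205 idea of logging instead of punishing when Hyperion is present. The names `BLACKLIST`, `matchKeyword`, `decide`, `device` and `hyperionEnabled`, and all sample messages, are assumptions constructed for illustration.

```lua
-- Added illustration; not Adonis code. All names and sample data are hypothetical.

-- Keywords a naive log detector might look for (the thread names "getgc").
local BLACKLIST = { "getgc" }

-- Constructed console messages, each with a constructed origin tag.
local sampleLog = {
	{ origin = "engine",    text = "Warning: getgc profiling hook is unavailable" },
	{ origin = "developer", text = "[Shop] purchase completed" },
	{ origin = "unknown",   text = "attempt to call a nil value (global 'getgc')" },
}

-- Returns the matched keyword or nil. Plain find (4th argument true) avoids pattern magic.
local function matchKeyword(text)
	local lowered = string.lower(text)
	for _, word in ipairs(BLACKLIST) do
		if string.find(lowered, word, 1, true) then
			return word
		end
	end
	return nil
end

-- Decide what to do with one log entry. `client` is a hypothetical record:
-- { device = string, hyperionEnabled = boolean }.
local function decide(entry, client)
	local word = matchKeyword(entry.text)
	if not word then
		return "ignore"
	end
	-- Include device and Hyperion state so a reviewer can triage the hit later.
	local detail = string.format("keyword=%q origin=%s device=%s hyperion=%s",
		word, entry.origin, client.device, tostring(client.hyperionEnabled))
	-- Idea described for #1205: with Hyperion present the hit is most likely
	-- a false positive, so record it but do not punish.
	if client.hyperionEnabled then
		return "log", detail
	end
	return "punish", detail
end

local clients = {
	{ device = "Windows 64-bit", hyperionEnabled = true },
	{ device = "Mobile",         hyperionEnabled = false },
}
for _, client in ipairs(clients) do
	for _, entry in ipairs(sampleLog) do
		local action, detail = decide(entry, client)
		print(client.device, action, detail or "")
	end
end
```

On the constructed "Mobile" client the engine-origin message is punished exactly like the unknown-origin one, because a substring match cannot tell who wrote the line; that is the false-positive mode the thread argues about.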

moo1210 commented 1 year ago

do we even need an anti-exploit in adonis anymore

Realistically, the whole thing could probably just be moved to the Adonis-Plugins repo or removed. It seems pretty useless to even have disabled by default in Adonis, pretty much just bloat.

moo1210 commented 1 year ago

Which ones? You can't just tell there is an issue but not tell what the issue is. It's just like going to a doctor and saying "I'm sick please heal me!" and refusing to tell any further information. The only false positives that I know recently of are with the log detector checking "getgc" in messages and false detecting a Roblox message, which is already fixed. All other problematic detections have always been disabled by default.

Also, I just noticed this one, after editing one of my mobile responses' typos I found (2916 -> 2016). Literally, just look at the Discord (which is where most of our support inquiries end up) lol. People complain about it quite often, and we just tell them to turn it off, and that's exactly what they do, and that's what it does by default on new loader settings, there's no reason it shouldn't apply to old loaders either since people keep complaining about it.

In terms of "just tell there is an issue but not tell what the issue is", that's quite ironic (especially when the issue has been made pretty clear in the issue and on Discord by multiple different people), because in #1202, today, that's exactly what you did.

What I mean is introducing unnecessary Luau syntax isn't good And string interpolation is not necessary


On a more general note, we also have to keep in mind Adonis's current update cycle isn't very often anymore, and a hacky client-sided anti-cheat that depends on undocumented Roblox behavior would need to be updated right when Roblox updates, not 6 months later.

ccuser44 commented 1 year ago

Which ones? You can't just tell there is an issue but not tell what the issue is. It's just like going to a doctor and saying "I'm sick please heal me!" and refusing to tell any further information. The only false positives that I know recently of are with the log detector checking "getgc" in messages and false detecting a Roblox message, which is already fixed. All other problematic detections have always been disabled by default.

Also, I just noticed this one, after editing one of my mobile responses' typos I found (2916 -> 2016). Literally, just look at the Discord (which is where most of our support inquiries end up) lol. People complain about it quite often, and we just tell them to turn it off, and that's exactly what they do, and that's what it does by default on new loader settings, there's no reason it shouldn't apply to old loaders either since people keep complaining about it.

Nearly all except 1 of them are about the coregui check which is optional and disabled by default so I don't think they qualify. There have been issues in the past but nearly all of them are fixed and it's quite stable now. The only potentially problematic detections that are on are the log detectors and the toolcheck. But that certainly doesn't mean that all are problematic. Also most of them aren't "undocumented". A lot of them (all in Anti.lua) rely on Lua/Luau features which are well documented, they just do it in a clever way.

moo1210 commented 1 year ago

Also by the way, Byfron was added to the UWP client today, so this is even more relevant now.

Dimenpsyonal commented 1 year ago

iOS exploiting

alau740 commented 1 year ago

wasn't byfron going to be added to the android client? i'm not sure if it's possible to be added to ios because of app store/apple security rules