On Roblox, viruses refer to malicious scripts that can clone themselves to multiple instances within the engine's data model. Viruses have the common intent to spread to many models as possible as well as using up more resources than the server can handle. Other viruses may also do more damage within a place or experience, such as using methods of scamming visitors (e.g. MGX Gui), providing backdoors for exploits, or overwriting data stores, as well as making use of HTTP requests, if enabled.
Oftentimes to avoid being found easily, viruses hide under certain classes, commonly those of the JointInstance class, or under invisible services such as Geometry. Viruses also usually name themselves that is contrary to its function, such as "anti-lag" or "antivirus". Because of its stealth methods, many viruses circulated within free models of the Creator Marketplace, primarily due to users' first-time experience of uploading models or inserting them in Roblox Studio. In response, a message now appears whenever a user tries to insert a model with one or more scripts.
Malicious plugins may also insert viruses without the user knowing. These plugins are often copies of other popular plugins with malicious code added and use the same name/description/icon to trick users.
What viruses can do[]
Viruses can damage gameplay experiences in many ways.
- Spam free-model purchase GUI elements
- Show pop up messages using GUI elements
- Causing server and/or client lag by scripts caught in infinite loops
- Generating objects such as fire or blocks
- Clearing or massively modifying terrain
- Corrupting data store data
- Blocking access to data stores from real game scripts by spamming data store requests
- Renaming scripts or objects, making scripts reliant on checking for objects being named exactly a certain way experience errors and stop working correctly
- Disabling or deleting real scripts, causing games to malfunction or even stop working
- Teleport people to different places
- Giving players chosen by the virus creator access to tools and functionality to mess up game worlds any way they want, such as "admin" chat functionality
- Trigger seizures in certain people by rapidly flashing colors and patterns on screen using GUI elements
- Create an unanchoring script, causing the game to experience mass destruction of visible 3D objects
- Selling passes made by the virus creator upon joining, resulting in loss of Robux for users
- Infinite duplication (when deleting a RotateP or RotateV with no name)
Viruses cannot give hackers access to your Roblox account or harm your computer beyond the Roblox game it has infected. Infected free models only set things in your game on fire and/or make it easier for people to exploit in your game. They could potentially give the virus owner admin in the targeted game, although it is rare.
Virus sources[]
Viruses can come from three sources:
- The most famous source of viruses are from Free Model objects. Some objects are created with virus scripts in them so that they spread to other places, and can spread to other objects which may then be uploaded as Free Model objects.
- Although uncommon, viruses can sometimes be intentionally placed in places by potentially malicious creators while editing the place.
- A more dangerous method of inserting viruses is by Roblox Studio plugins. They have the ability to modify script source code to secretly infect scripts that were not previously virus scripts and turn them into virus scripts themselves. Initially, these scripts may seem to not be infected as code may be inserted into the middle of long scripts, but a closer inspection can reveal code that is not intended to be there. Viruses created in this fashion may use global variables to check if they were the original script and if so then clone themselves only once, set a global variable flag, and continue as if they were the original script, while the clones detect that the flag has already been set and function in its full malicious capacity with a new name, so that it is less likely that the viruses can be scanned.
Hiding tactics[]
Viruses are hidden inside objects that are not shown in the Explorer Window. These are known as "Hidden Classes". Common viruses will use hidden game services such as Geometry. Others may use joint objects like Welds, Glues, RotateP's or RotateV's.
These classes are not hidden in Roblox Studio 2.0 and thus the malicious scripts can be easily discovered and removed. However some of the instances in the DataModel's root is still hidden as you will see items such as the InsertService show up in the command line and not in the Explorer window.
People also use the mostly unnoticeable "�", which has to be copy pasted into the search bar to find quicker, but when people overuse this, it is quite easy to find.
Removing viruses[]
Save a backup copy before disinfecting your place, as you do not want to accidentally remove legitimate scripts and/or objects from your place, and a backup will allow you to restore missing scripts/objects. Some antivirus tools can catch words in safe scripts that will make them think they are viruses.
Manual removal via text editor[]
You must save your place in XML format to do this, as well as have a basic understanding of the XML language (it's not very difficult to get the hang of). Then open your place file with a simple text editor like Wordpad or Notepad. (Preferable Notepad++ if you have it.) Do a search (Ctrl + F) for a word mentioned in the virus. Normally the first result will be the actual code of the script. Find the opening object tag for the script, and delete it down to the closing tag, making sure you leave nothing unclosed. Do that for as many viruses as you have, save, then open that file with Roblox Studio. After performing these steps you should check and make sure that your place works and is clean of malicious scripts.
External Anti-Virus programs[]
It is completely possible to create external programs for detecting viruses in Roblox places. Roblox places can be saved using XML, so if your language can open files for reading and writing and parse the XML you can make one. It would also be safer to scan places using these as the viruses themselves would not run and you can examine the Source of the viral scripts for malicious code. The basic functionality of your programming language would have to be:
- File Input/Output for reading the .RBXM and .RBXL files.
- XML Parsing to read the .RBXM and .RBXL files.
- Advanced iterations to check all objects in the file.
Distributing an outside antivirus on the Roblox website would be against Roblox's Terms and Conditions as this would force the person to use outside links.
Preventing virus infections[]
Many builders and scripters have answered this question with a simple "Don't use free models!" They also do not recommend using unreliable plugins too much either. This is the only way to protect your place 100% from getting infected with a Roblox Virus. Most viruses come from and transfer themselves through Free Models. There are other ways to still use Free Models and not be infected with a virus, so long as you do not make your entire game out of free models, this gives a high possibility to get your game infected.
Since scripts do not run when the game is paused, pause your game right before you insert the model. If you have an antivirus, it will still run if it was inserted before you paused the game. Scripts added when the game is paused will not run, so you can check yourself and with an antivirus before un-pausing the game.
However, not putting free models in the game won't completely protect you from viruses if you're using Plugins, which can have viruses in them; a not so well-known fact. Scripts in installed Plugins do run even when the game is not running, otherwise plugins wouldn't work in Roblox Studio. Before using a Plugin, check in a blank place to make sure that the Plugin does not insert malicious scripts without you knowing. Run the place to make sure that nothing happens in the blank place, as if unknown scripts appear to be running in a "blank place" that means that the Plugin has inserted infected scripts into it, and would most likely take malicious actions in a real place.
Of course, if other people are involved in making a place, such as in Team Create, a few people may place malicious viruses in the place, or code them directly in the place. Make sure to check for scripts in the game to ensure that they're not malicious. If malicious scripts are detected, someone is trying to sabotage your creation, and the perpetrator should be found and banned from your development team.