Version 0.3 10.07.2003
Author: Daniel Rudolph aka Enforcer
This is the most powerful detection part of ServerWatch AntiCheat: you can set up nearly every case that comes into your crazy brain. If a case is missing, send me a note.
In one sentence: you can define what you like on a player's computer and what you dislike.
The detection covers files in the MoH dir, which AntiCheat client the players are using and, last but not least, every running process together with the DLLs each process has loaded.
I think there are at least two basic concepts for setting up the file detection.
The first way is quicker but not as safe as the "hard way"; I think it is not possible to detect all cheats with that method.
You simply check in all files you don't like and/or think are cheats. This is done by checking in the files in the mode "not allowed to have".
You can add a cheat report and all the information and options you like for the detection of that file. By adding the report you get nice reports (console messages) for the players that have a positive match on that file with ServerWatch AntiCheat.
The name should have some connection to the cheat, because that is what the players on the server will get to see.
Example of a bad name: filedetection1
Good example: AimBot Ultrahack
I think if you set up your ServerWatch AntiCheat this way you will have some work to do, but the result is a ServerWatch AntiCheat configuration that is much harder to trick.
The trick is to add all files you like and forbid the rest.
It sounds simple, but the problem is to obtain all the different checksums for the allowed files, for example when localized versions differ. After you have added everything you like it is really easy: just set up a filter rule that matches the rest (all the stuff you don't like) and simply blame/kick/ban for that filter.
In my eyes the best way is to mix the two basic rule set ideas.
Add some known cheats you want to detect specifically, and filters set up in that way, so that ServerWatch can easily report the specific cheat the player is using instead of only telling him that he has changed something and good boys don't do so.
If you don't add the special filters for specific cheats, ServerWatch may still detect them, because to get them working the users have to change something in a file that you check against the known checksums while forbidding the rest. The problem with that rule set is easy to see: you can't tell which cheat the scanned player is using. The solution to that problem is also very simple, as mentioned before. Besides the white list of files added as "must have" or "must have one in same group" (which makes it possible to white-list several different versions of a file), you just add the cheats you want reported specifically as "not allowed", and in that filter rule you define what should be reported to the players, how long the player should be banned and so on.
That was a general description of how to detect files like the pk3 files; processes are a little different. If you understand the basic ideas of how the filtering can be used, that should be no problem. But don't forget that process filtering can be very useful for detecting aim bots and similar stuff.
This is just to remind you that you can be very restrictive, but you don't automatically need to be when using ServerWatch.
You can add the MSN Messenger if you like and count it as a cheat, and likewise an aim bot or a special pk3 file; that makes no difference to ServerWatch. ServerWatch just looks at the mode, and if the filter matches the file/process it simply makes sure the mode set for that filter is fulfilled.
How can you handle all those features with the little dialog? I hope you at least have a basic idea of that after reading a little bit of this document.
I think the best way to explain what is happening is to describe the basic strategy of how ServerWatch checks a connected client. First of all, when ServerWatch receives data from a ServerWatch AntiCheat client, the data is sorted into a specific type. Types can be: "files from the Medal of Honor dir", "files from the ServerWatch AntiCheat dir", "process list", ...
After that decision ServerWatch scans the received data and checks whether the filters available for that type match or not.
The data must pass one test after the other (always in the same order as described below).
These tests always run against the complete list of rules for the selected data type; each run is for a different matching mode (like "can have" or "not allowed to have").
First of all ServerWatch looks for all files that match the "must have" mode filters.
If a file is missing for that data type (like ACDir), a missing-file report is generated. If a file matches the mode and all the criteria like checksum, path and type (like ACDir), it is deleted from the list of files that remain to be checked; the consequence is that the file will match no other filter, such as "can have" filters.
Why do I explain that in detail?
Because of the consequence of deleting a file from the list of files to scan once it matches a rule: a file might match a filter in "must have" mode and also a filter in "not allowed to have" mode, but the "not allowed" filter will never match, because the file was already deleted from the list of files to scan when it matched the "must have" filter.
Because of that behaviour it is possible to create a generic filter in "not allowed" mode that matches every file that is not explicitly accepted.
The "must have one in same group" mode behaves nearly like the "must have" mode. All files in the list that still have to be checked (are active) are checked one after the other; if a filter matches in this mode the file is deleted from the list of files to check against the filters. The group condition "must have one in same group" is then fulfilled and no report is generated. After all files have been scanned, if there are still groups with missing files, each such group is passed to the report generator, which generates the cheat/file report.
The report depends on the group master item of that group. The master item decides how the report to the players is generated and also how players are kicked; in short, the whole kick/ban/description setup is taken from the group master item.
Why do we need some group filters ?
One example is the situation of different versions of a file, like localized versions of pk6 or something else. If you want to make sure the user has one of the versions, "must have one in same group" is perfect for you.
The "can have" mode is just for taking out of the received file/process list the files that you don't specifically want, but that are accepted. Using that mode you can write filters for files that should not match "not allowed" filters, while the file is not a "must have" and does not have to be present on the player's computer.
How to do this?
Write some filters in "can have" mode that match all files you like but that are not required. Add a rule that matches all other files (for example all other DLLs) and add it in the mode "not allowed to have". With that setup you can make sure that users don't have files of that type you don't like, only files you know. Custom maps or mods are another good example. You may not want to force players to have all of those maps/mods, but you are fine if they have some of them. Also a player should not be forced to have exactly all the custom maps you have added.
The big advantage of filtering all custom maps or packs you like is that you can ban players for having other maps and packs, while you can still add custom maps you like and want to play. Those packs may contain whatever you like, maps or skins; that doesn't matter as long as you can be sure there are no cheats in the pk3 file. After you have sorted out all files a user may have, you can kick users with unknown pk3 files.
The only problem in that case is a player having a custom map other than the ones you have already added as "can have". That can only be solved by the user: he must send you the pk3 file he wants to use so you can test it. After you have made sure the file is ok, just add it to the list and the user can play with that custom pk3 file installed.
Add all files you like (all pk3 files for example) in "can have" mode. But also add a general filter with no specific checksum (only the path filter) to match all other pk3 files. That second, general filter must of course be in "not allowed to have" mode.
But that is only one way to use it. I hope you are now a little closer to seeing what is possible with the three different options to allow a file and why they are necessary.
After all the other filters have failed to match a file that is being scanned, the "not allowed" mode scan starts.
All files that match now are reported to the report generator as "not allowed to have". The generator also checks the kick/ban condition and handles the different settings of the different filters.
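As an added example (not ServerWatch's own code), here is a small Python model of the four passes described above, with constructed filter names, file names and checksums. It shows why a path-only "not allowed" filter only ever sees files that no white-list filter consumed, and how a modified "must have" file ends up both reported as missing and caught by the generic filter; that the first filter of a group acts as its master item is an assumption of this model.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional
# Passes run in this fixed order; a file that matches in one pass is removed
# from the list, so it can never hit a later (e.g. "not allowed") filter.
MODES = ("must have", "must have one in same group", "can have", "not allowed")

@dataclass
class Filter:
    name: str
    mode: str
    path: str                       # file name pattern, e.g. "*.pk3"
    checksum: Optional[str] = None  # None = generic filter matching on path only
    group: Optional[str] = None     # group name for "must have one in same group"
    count_as_cheat: bool = False

def matches(f: Filter, path: str, checksum: str) -> bool:
    return fnmatch.fnmatch(path, f.path) and f.checksum in (None, checksum)

def scan(files: dict, filters: list) -> list:
    """files: {path: checksum} of one data type. Returns (filter, file, kind)."""
    remaining = dict(files)
    reports = []
    for mode in MODES:
        group_ok, master = {}, {}
        for f in [x for x in filters if x.mode == mode]:
            hits = [p for p, c in remaining.items() if matches(f, p, c)]
            for p in hits:
                del remaining[p]  # consumed: later passes never see this file
                if mode == "not allowed":
                    reports.append((f.name, p, "cheat" if f.count_as_cheat else "matched"))
            if mode == "must have" and not hits:
                reports.append((f.name, None, "missing"))
            if mode == "must have one in same group":
                group_ok[f.group] = group_ok.get(f.group, False) or bool(hits)
                master.setdefault(f.group, f)  # assumption: first filter = master item
        for g, ok in group_ok.items():
            if not ok:  # the report is generated from the group master item
                reports.append((master[g].name, None, "group missing"))
    return reports

# Constructed sample: a white list plus a generic "not allowed" catch-all for *.pk3.
FILTERS = [
    Filter("pak0", "must have", "pak0.pk3", checksum="aaaa"),
    Filter("pak1 english", "must have one in same group", "pak1.pk3", "bbbb", group="pak1"),
    Filter("pak1 german", "must have one in same group", "pak1.pk3", "cccc", group="pak1"),
    Filter("custom map X", "can have", "mapx.pk3", checksum="dddd"),
    Filter("AimBot Ultrahack", "not allowed", "hack.pk3", "eeee", count_as_cheat=True),
    Filter("unknown pk3", "not allowed", "*.pk3"),  # path-only generic filter
]
```

Calling `scan` with a player's file list returns only the reports that survive the deletion rule, so a correct pak0 plus either pak1 version yields nothing, while a pak0 with a foreign checksum is reported as missing and then as an unknown pk3.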
Now you should know in general what the difference between the filter modes is; if not, my readme is really bad or you should read it again and try to understand it. The next parts of this file describe how ServerWatch's behaviour on a matching filter can be used.
Maybe you already noticed that you can kick and ban for every filter mode, not only for "not allowed to have". That's just a feature to allow all the crazy setups you like. The modes differ because of the different handling of the detection described above.
You can set "count as cheat" for every filter you like. If that filter matches, the report generator handles the matched filter as a cheat. That is important for the player reports: if you mark it, the match will be reported as "ServerWatch found a cheat". If you don't set that option it will only be reported as matched, but not as a cheat.
Example: you can set up a filter that shows you online whether a player is using TeamSpeak or not.
That option changes ServerWatch's behaviour on a detection. If you check it, ServerWatch sends a console message to the server (all players that are online) that the filter was matched.
You can also set how many of the found files (that matched that one filter) should be sent as console messages. That option makes no difference for the player report of ServerWatch.
With these options you can control the report to the player report log if a filter matched something.
For some filters it is not that useful to write a log entry. One example are custom maps. Maybe you don't want all custom maps you added (maybe in "can have" mode) that were also found on the player's computer to be logged to the player report. In that case disable the logging.
If a new report is added to a player, ServerWatch also checks whether it should send a new email report to the mail addresses that are set up. To disable that check you can use the "do not check" option to order ServerWatch not to check that (for example, you don't want to get a mail because a user matched a checked exe file or something; only cheats should trigger mails. In that case disable the trigger for everything other than cheats).
If you want a player to be kicked because his file/process data matched that filter, mark that option.
You can also set a count of detections that is fine for you until the player gets kicked with the message afterwards. In that case the filter has to match x times before the user gets kicked.
The delay is useful if you want to give the user a chance to read the kick message.
It's like the kick option. If you have also enabled kick, you can set a count of kicks until a user gets banned. If you are not kicking for that filter you can set a count of detections until the user gets banned.
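As an added example (not ServerWatch's own code), the following Python model shows the kick and ban counters described above for one filter: a kick after every x detections, and a ban after a number of kicks when kicking is enabled, or after a number of detections when it is not. Field names, the per-player record and the choice that the detection counter restarts after each kick are assumptions of this model.

```python
from dataclasses import dataclass, field

@dataclass
class FilterPolicy:
    name: str
    kick: bool = False     # "kick" option set for this filter
    kick_after: int = 1    # detections of this filter until one kick
    ban_after: int = 0     # 0 = never ban; else kicks (if kick) or detections until ban

@dataclass
class PlayerRecord:
    detections: dict = field(default_factory=dict)  # filter name -> matches seen
    kicks: dict = field(default_factory=dict)       # filter name -> kicks issued

def on_match(rec: PlayerRecord, pol: FilterPolicy) -> str:
    """Record one match of `pol` for this player; return 'none', 'kick' or 'ban'."""
    n = rec.detections[pol.name] = rec.detections.get(pol.name, 0) + 1
    if pol.kick:
        if n % pol.kick_after != 0:      # assumption: counter restarts after a kick
            return "none"
        k = rec.kicks[pol.name] = rec.kicks.get(pol.name, 0) + 1
        return "ban" if pol.ban_after and k >= pol.ban_after else "kick"
    if pol.ban_after and n >= pol.ban_after:  # not kicking: count detections
        return "ban"
    return "none"

def simulate(pol: FilterPolicy, matches: int) -> list:
    """Actions taken on a fresh player for `matches` consecutive matches of `pol`."""
    rec = PlayerRecord()
    return [on_match(rec, pol) for _ in range(matches)]

# Constructed policies: a cheat filter that kicks and bans, and a harmless one.
AIMBOT = FilterPolicy("AimBot Ultrahack", kick=True, kick_after=2, ban_after=2)
TEAMSPEAK = FilterPolicy("TeamSpeak", kick=False, ban_after=3)
CUSTOM_MAP = FilterPolicy("custom map X")
```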