New Major BattlEye Anti-Cheat Features

[Magotchi 74]

You can't filter for servers based on their banlist, but if you play in a server for a while, you might catch a person get banned with a reason in the format of "W 0dXXXXXX 0xXXXXXXXX", and you'll then know you're in one that uses it.

Alternatively, you could join a server, try to access the Server Control interface in-game, take a note of what script restriction number you get kicked for, and see if it matches the detection entry number for dedicatedServerInterface.sqf in the latest version of the DCB scripts.txt (currently #197 I believe). I think it's #183 if they're using the current default scripts.txt provided by the DayZ team. To find the current number, I believe you just delete any lines from scripts.txt that are commented out (that start with "//"), and then just look at the line number, but I could be wrong.

EDIT: I'm slightly off, it turns out, but the numbers should be pretty close to what I said (within a few). There's probably a good way to count them, but I'm not feeling very experimental at the moment.

Edited August 21, 2012 by Mister_Magotchi

[Numi 9]

Sorry I wasn't clear. I knew that you couldn't filter the servers for that but what I meant was if there is a list somewhere of the servers using it, like server admins submitting their servers into a list so everyone knew the servers that are using these event logging filters.

Still, thank you for the answer. Didn't knew about the ban reason format and I'll be watching for that.

[tsandrey 379]

Guys, is BE going to detected a custom skin as a cheat?

Look at this video:

Edited August 21, 2012 by TSAndrey

[(OCN)Vortech 65]

Guys, is BE going to detected a custom skin as a cheat?

Look at this video:

No it's part of ArmA 2, but admins can block it in the configuration of the server. We choose to block it on ours as it can negatively effect performance for our players and the only people doing it early on were griefing and the less desirable.

Edited August 21, 2012 by (OCN)Vortech

[byteslam (DayZ) 0]

Do NOT ban for this line. It's legit and after little investigation (huge one) it will come for some strange reason.

I see no reason why it should be legit to call a createVehicle which spawn a usable device, (exceptions are wrecks and craters).

In all other cases, it will lead immediately to a ban.

Banned players can join the TS and I will give it a deeper look, but so far all of these guys who tried it never complained... means all of them (about 157 since two weeks) are guilty.

Since I use always the latest scripts.txt createvehicle.txt and remoteexec.txt (auto synced and loaded every minute) and the community ban list in combination with BEC and DayZAntihax, we face no real cheater incidents anymore. The game runs smooth and makes fun again.

However I am willed to risk a minor false positive, if someone complain I will immediately investigate and remove the ban if I can proof it was legit..

We receive a lot of positive comments from the players on our server, all of them appreciate these strong counter measures.

Edited August 21, 2012 by byteslam

[hohlraum 9]

I've been seeing a few of these:

"if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

Anyone know what these people are doing? Is that something with thunderdome?

[smokie_23@hotmail.com 4]

What is happening here? This is the only person with this type of script being logged and its spammed anywhere from every 3 seconds to around 60 seconds.

20.08.2012 18:04:03: Rinzler (IP) GUID - #118 "_int=_int - 0.02 - rain/10;};
sleep 3;
};

deletevehicle _fl;

while {(_int>0.7) && !(alive _v && _l"

20.08.2012 19:35:56: Tobiobi25 (IP) GUID - #20 "ndom _int)>2.2) then
{
_b="SmallSecondary" createvehicle (getpos _v);
};
};"
20.08.2012 19:35:56: Tobiobi25 (IP) GUID - #20 " 2) < 0)) exitwith {};
_b="SmallSecondary" createvehicle (_v modelToWorld _effect2pos);
} foreach (_"
20.08.2012 19:35:58: tomm (IP) GUID - #0 "#line 1 "scripts\p.sqf"






player addAction ["kill","\scripts\kill.sqf"];
player addAction ["chop"
20.08.2012 19:36:00: tomm (IP) GUID - #17 "sqf"
player addweapon "ItemHatchet";
'Goat' createunit
[
[(getpos player select 0), (getpos player"
20.08.2012 19:36:00: tomm (IP) GUID - #20 "




if (isServer) then
{
(vehicleToSpawn createVehicle (position beeeh))setVariable ['ObjectID', 5"
20.08.2012 19:36:00: tomm (IP) GUID - #49 "eeeh = this', 1.0, 'PRIVATE'
];

beeeh addMPEventHandler ['mpkilled',
{
vehicleToSpawn = 'UH1H_DZ'"
20.08.2012 19:36:00: Tobiobi25 (IP) GUID - #130 "isDedicated"
20.08.2012 19:36:12: [STD] Sev (IP) GUID - #118 "ig] call BIS_fnc_invAdd;
if (_isOk) then {
deleteVehicle _holder;
if (_classname in ["MeleeHatchet","






player addAction ["kill","\scripts\kill.sqf"];
player addAction ["chop"

Edited August 21, 2012 by Smokie23

[smokie_23@hotmail.com 4]

I've been seeing a few of these:

"if (name vehicle player == TTT5NamePl) then {_xcompiled = compile TTT5derCode;call _xcompiled;};"

Anyone know what these people are doing? Is that something with thunderdome?

Yes, it seems they be trying to thunderdome. Heres some links about that script.

http://dayzmod.com/forum/index.php?/topic/75625-cheat-report-7-player-stoney-with-logsguidproof/

http://dayzmod.com/forum/index.php?/topic/75574-4-thunderdomers-and-a-heli-spawn-tonight/

http://dayzmod.com/forum/index.php?/topic/75528-caught-another-thunderdomer/

[Frop 33]

Double post, crap.

Edited August 21, 2012 by Frop

[Frop 33]

Are these events related and is someone being naughty here?

21.08.2012 13:27:29: <hidden> (<hidden>) <hidden> - #38 "[this] spawn BIS_Effects_AirDestruction"
21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #38 "[this, 0.0906445, 31764.2]spawn BIS_Effects_AirDestructionStage2"
21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #38 "[this, 0.0906445, 31764.2,false,true]spawn BIS_Effects_Burn"

21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #0 "HelicopterExploSmall" 63:95 0:0 [13320,3214,67] [0,0,0]
21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #0 "HelicopterExploBig" 63:96 0:0 [13320,3214,68] [0,0,0]

During the next hour or so the next event was logged in scripts.log for almost all players.

21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #68 "];
_Crater setdir (_dir + (180 * _i));
_Crater setpos [_pos select 0, _pos select 1, 0];
_Crater set"

Edited August 21, 2012 by Frop

[smokie_23@hotmail.com 4]

Are these events related and is someone being naughty here?

21.08.2012 13:27:29: <hidden> (<hidden>) <hidden> - #38 "[this] spawn BIS_Effects_AirDestruction"
21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #38 "[this, 0.0906445, 31764.2]spawn BIS_Effects_AirDestructionStage2"
21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #38 "[this, 0.0906445, 31764.2,false,true]spawn BIS_Effects_Burn"

21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #0 "HelicopterExploSmall" 63:95 0:0 [13320,3214,67] [0,0,0]
21.08.2012 13:27:30: <hidden> (<hidden>) <hidden> - #0 "HelicopterExploBig" 63:96 0:0 [13320,3214,68] [0,0,0]

^^ this logs (BIS_Effects_AirDestruction) seem to be from when a player crashes and destroys a vehicle. I believe they are legit and not hacks.

Edited August 21, 2012 by Smokie23

[Frop 33]

^^ this logs (BIS_Effects_AirDestruction) seem to be from when a player crashes and destroys a vehicle. I believe they are legit and not hacks.

That can't be right, because these entries appeared in remoteexec.log. I have personally crashed a tractor last week and yesterday one of my mates crashed his UAZ right into a tree. No entries appeared in any logs (createvehicle/scripts/remoteexec) indicating the subsequent explosions (the tractor also had a secondary explosion from a full jerry can).

[smokie_23@hotmail.com 4]

That can't be right, because these entries appeared in remoteexec.log. I have personally crashed a tractor last week and yesterday one of my mates crashed his UAZ right into a tree. No entries appeared in any logs (createvehicle/scripts/remoteexec) indicating the subsequent explosions (the tractor also had a secondary explosion from a full jerry can).

Im no expert on arma scripting but when I google it and search it. I find many threads and users saying its from vehicle/heli crashing.

http://dayzmod.com/f...om/#entry725329

Edited August 21, 2012 by Smokie23

[tickle_me_jesus 37]

Any of you guys have checked their bans.txt lately? I am with Vilayer hosting and today we got advised to update the servers. Did that and upon checking the bans.txt I noticed the GUIDs that were banned from my server as I had caught them in my remoteexec.log we're missing.

No big deal, I just add them again if needed. So I tried adding them but it seems the bans.txt won't save new entries you put in manually. I have tried adding the GUIDs through Arma2 RCon GUI and by manually editing the bans.txt file on the server >>> no dice.

Are you fucking kidding me?! We can't add GUIDs manually? Or did I miss the memo?

Edited August 22, 2012 by tickle_me_jesus

[hohlraum 9]

Anyone know if there is a scripts/remoteexec.txt entry that can detect players warping vehicles around the map? We had someone do it last night while I was in the vehicle. absolutely nothing in the scripts/remoteexec.log files when it happened.

[tickle_me_jesus 37]

Anyone know if there is a scripts/remoteexec.txt entry that can detect players warping vehicles around the map? We had someone do it last night while I was in the vehicle. absolutely nothing in the scripts/remoteexec.log files when it happened.

I would like to know this also. I can't find any 'teleporting' script in the remoteexec.log and I'm sure there are players doing it. Anyone can tell me what entrie I should look for in the logs to catch a player who teleported himself?

[KField86 237]

I would like to know this also. I can't find any 'teleporting' script in the remoteexec.log and I'm sure there are players doing it. Anyone can tell me what entrie I should look for in the logs to catch a player who teleported himself?

Jesus, I'm also with Vilayer hosting. After updating today, I noticed my remoteexec/createvehicle/scripts look to be OLDER revisions. Not the latest ones from Dwarden that you can find on the community ban-list website. I spoke to lee about this, and he told me this was what rocket told them to use. I think Rocket may have been a bit late, because the files do not log and or kick for half the things the new ones from dwarden used. Can you look and compare? I updated my files to what I was using before the update today to be safe, because like I said, my remoteexec.txt file after the update today was practically EMPTY of things to check for.

Until I get confirmation on this from rocket, I'm going to be using the ones Dwarden himself has been posting/updating on the community ban list site. Also, I really hope you are mistaken about our local bans being removed. I have a feeling the vilayer update today changed the bans.txt if so. Which is disturbing.

What I am happy about is the new features that are working behind the scenes, which are supposedly new and not released entirely yet. Something to do with clients files, and if they don't match specifically what the server is running, it will kick players. I don't exactly know how it works, I only got a brief description from Lee. Seems that the update also changed the settings which allows custom faces. I had them enabled originally to be able to identify certain hackers via their skin( with help from eye witness accounts ) but now it's been changed to not allow them. I don't really mind if so. Play the game stock or don't play. :)

Edited August 22, 2012 by KField86

[tickle_me_jesus 37]

Well, you are indeed right about the remoteexec.txt being reverted to an older version. I also made the changes manually so it is using the latest one available.

I'm pretty much fed up with all this and Vilayer to be honest: earlier today I got an e-mail if I could explain why my server was changed to 64 slots? WTF? Seriously? I can't even change the smallest thing on the server but now they are 'implying' I changed the amount of slots available on the machine. I would suggest looking at your own doings before starting to point the finger at me.

The server has been going in and out ever since. I gave them my piece of mind and if they don't fix it and supply me with an explanation of what happened to the server they can shove it. Not mad, but I pay for a service and they need to provide. If they don't or do it in an unreliable way I would be foolish to continue paying.

Edited August 22, 2012 by tickle_me_jesus

[tickle_me_jesus 37]

To add to the ongoing admin-bashing; it seems they are resetting the remoteexec.log each time to this version

1 "" !"this enableSimulation false;this allowDammage false;this disableAI 'FSM';this disableAI 'ANIM';this disableAI 'MOVE';" !"spawn BIS_Effects_AirDestruction" !"spawn BIS_Effects_AirDestructionStage2" !"spawn BIS_Effects_Burn"
5 "compile"

LOL, that will be usefull. It baffles me how little communication there seems to be between the DEV team, the server hosters and the admins / community.

Edited August 22, 2012 by tickle_me_jesus

[Frop 33]

I could recommend getting one at www.i3d.nl (hosting all over the world), because my server has been running pretty well thus far. They're going to introduce ARMA/DayZ update packages for installation through their GUI, they're quick to reply to mail and are generally very helpful. They don't have a whitelist deal (yet) though, so it might take a few days before your server is whitelisted. All in all I have plenty of control considering it's managed and they certainly don't feel the need to dictate how I run my server.

Edited August 22, 2012 by Frop

[KField86 237]

To add to the ongoing admin-bashing; it seems they are resetting the remoteexec.log each time to this version

1 "" !"this enableSimulation false;this allowDammage false;this disableAI 'FSM';this disableAI 'ANIM';this disableAI 'MOVE';" !"spawn BIS_Effects_AirDestruction" !"spawn BIS_Effects_AirDestructionStage2" !"spawn BIS_Effects_Burn"
5 "compile"

LOL, that will be usefull. It baffles me how little communication there seems to be between the DEV team, the server hosters and the admins / community.

Right, so it's kicking for ONE remote execution event. Jesus christ. Everyone with managed servers better check your files or this new "hacker prevention" update is going to backfire rather quickly.

Everyone with a vilayer server needs to goto community dayz ban list, and look browse for the latest files updated by dwarden, then edit/copy/paste the new lines into your folders. BEFORE you even start your server, or hackers will be able to do pretty much anything they want. This needs to get brought to lee's attention quickly but I'm fairly certain he's just going to eat what rocket is feeding him/them.

http://code.google.com/p/dayz-community-banlist/source/browse/#git%2Ffilters

Use these files!

Edited August 22, 2012 by KField86

[TheWeedMan 132]

Is it just me or is anyone else finding this log setup pretty fucking shitty compared to the way the old BattleEye scripts was produced?

[Magotchi 74]

It's hopefully just you. I like it a lot.

[Frop 33]

(...) BEFORE you even start your server, or hackers will be able to do pretty much anything they want (...)

Not quite, you can reload all the filters at any time using the BERCon utility (http://community.bis...i/BattlEye#RCon) and the accompanying loadscripts/loadevents commands.

Edited August 22, 2012 by Frop

[KField86 237]

Not quite, you can reload all the filters at any time using the BERCon utility (http://community.bis...i/BattlEye#RCon) and the accompanying loadscripts/loadevents commands.

Right, but you definitely need to update your files as the ones produced today in this new update weren't the newest ones to my knowledge. I know you can reload while the server is running.