14 replies to this topic

[Amit86]

Hello all

I started using warden a few days ago and I am getting lots of results
By now I figured failed on 209 is a big no no so I added it to the warden_action as an auto ban

I am getting lots of other numbers aswell which doesnt have any description in the warden_checks table and dont know what to do with them
for example:

failed Warden check 437. Action: None
failed Warden check 442. Action: None
failed Warden check 785. Action: None
failed Warden check 777. Action: None
failed Warden check 246. Action: None

How can I figure out which is which? is there any available guide?
Which one of those is worthy to be configured as auto ban?

[Ashikaga]

Confirmed! Need infos too...

[elecyb]

246 and 785 scans code region and can't be modified without 3rd-party programs.
437 scans .data region that is modified by the client, it can give false positives, ignore this one.
442 and 777 scans memory pages for specified hash, with just a hash you can't determine the propose of this check, some of them are for malware and some others for hacks.

All failed memory checks (type=243) means someone is using hacks, with the exception of 437 that give false positives.
For types 113, 191 and 178 I wouldn't set auto ban since it can be a malware on the client

hope it helps

[maestro]

437 is parental control, you can ignore that one my logs is floaded with that one.. truly 1 day 40 of them and no other failed checks
so in your char database you can set warden_action 437 to 0 > means log only

[Aokromes]

I wonder how that parental check think can be show on TC since TC don't have support for it.

[Ashikaga]

What about this ones?

2012-04-10 20:38:36 WARDEN: Player X (guid: X, account: X) failed Warden check 261. Action: None
2012-04-10 20:52:00 WARDEN: Player X (guid: X, account: X) failed Warden check 134. Action: None
2012-04-10 20:56:44 WARDEN: Player X (guid: X, account: X) failed Warden check 88. Action: None

[maestro]

What about this ones?

2012-04-10 20:38:36 WARDEN: Player X (guid: X, account: X) failed Warden check 261. Action: None
2012-04-10 20:52:00 WARDEN: Player X (guid: X, account: X) failed Warden check 134. Action: None
2012-04-10 20:56:44 WARDEN: Player X (guid: X, account: X) failed Warden check 88. Action: None

they are all type: 191

when you look in the core files of trinitycore and then warden in warden.h
then you see

 MEM_CHECK = 0xF3, // 243: byte moduleNameIndex + uint Offset + byte Len (check to ensure memory isn't modified)
	PAGE_CHECK_A = 0xB2, // 178: uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans all pages for specified hash)
	PAGE_CHECK_B = 0xBF, // 191: uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans only pages starts with MZ+PE headers for specified hash)
	MPQ_CHECK = 0x98, // 152: byte fileNameIndex (check to ensure MPQ file isn't modified)
	LUA_STR_CHECK = 0x8B, // 139: byte luaNameIndex (check to ensure LUA string isn't used)
	DRIVER_CHECK = 0x71, // 113: uint Seed + byte[20] SHA1 + byte driverNameIndex (check to ensure driver isn't loaded)
	TIMING_CHECK = 0x57, // 87: empty (check to ensure GetTickCount() isn't detoured)
	PROC_CHECK = 0x7E, // 126: uint Seed + byte[20] SHA1 + byte moluleNameIndex + byte procNameIndex + uint Offset + byte Len (check to ensure proc isn't detoured)
	MODULE_CHECK = 0xD9, // 217: uint Seed + byte[20] SHA1 (check to ensure module isn't injected)

well type 191 is : PAGE_CHECK_B = 0xBF, // 191: uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans only pages starts with MZ+PE headers for specified hash)

and what that means i have no idea??, maybe its malware or adware thats interfering, if its your account then feel free to try malwarebytes update and do a free scan.

gr.

[Ashikaga]

thx!

[maestro]

well Ashikaga what about my question, is it your account and if so did you run malwarebytes.
the reason i ask this is that we ( me and some others ) want to know if some checks are related to maware or adware, so that we can positive say in the check description what it is.
The checks are sniffed from blizz so we dont always know wich check does what..
( in case above is incorrect about the sniff please correct my words )

[Aokromes]

Also, if we get proper list of malware checks we can change the text for those to malware warning instead ban.

[RedSonja]

So is 209 a bug, i just noticed that one player has a page of that. It is to be ignored or what?

[maestro]

no no no, 209 is definetly NOT a bug, its 100% wowemuhacker guys, no exception or question about it..

there is check 437 parental control, but i found out that ati tray tool is also triggering that check..

[RedSonja]

Thank you maestro for letting me know that. Is there a place that shows what these are or what kind of hacks they might be?

[maestro]

yes in the table itself warden_checks you see at the end a column comment.
sometimes there is a descripion if we know 100% sure what what is, but we still miss alot of them.
so its always good like Aokromes said earlier in this post to have more information about wich hack or malware activates a check.

[Hannibal2013]

And this....

 

failed Warden check 209. Action: Kick

failed Warden check 437. Action: Kick

failed Warden check 121. Action: Kick