
Warden Failed Checks - What Does It Mean?

warden

14 replies to this topic

#1 Amit86


Posted 13 April 2012 - 09:26 AM

Hello all

I started using Warden a few days ago and I am getting lots of results.
By now I figured a fail on 209 is a big no-no, so I added it to warden_action as an auto ban.

I am getting lots of other numbers as well which don't have any description in the warden_checks table, and I don't know what to do with them,
for example:
for example:

failed Warden check 437. Action: None
failed Warden check 442. Action: None
failed Warden check 785. Action: None
failed Warden check 777. Action: None
failed Warden check 246. Action: None

How can I figure out which is which? Is there any available guide?
Which of those is worth configuring as an auto ban?



#2 Ashikaga


Posted 17 April 2012 - 08:47 AM

Confirmed! Need info too...

#3 elecyb


Posted 17 April 2012 - 01:26 PM

246 and 785 scan the code region, which can't be modified without 3rd-party programs.
437 scans the .data region, which is modified by the client; it can give false positives, ignore this one.
442 and 777 scan memory pages for a specified hash; with just a hash you can't determine the purpose of the check. Some of them are for malware and others for hacks.

All failed memory checks (type=243) mean someone is using hacks, with the exception of 437, which gives false positives.
For types 113, 191 and 178 I wouldn't set an auto ban, since it can be malware on the client.

Hope it helps.

#4 maestro


Posted 17 April 2012 - 11:34 PM

437 is parental control, you can ignore that one; my logs are flooded with it.. truly, in 1 day 40 of them and no other failed checks :P
So in your characters database you can set warden_action for 437 to 0, which means log only.

#5 Aokromes


Posted 18 April 2012 - 04:44 AM

I wonder how that parental control check can show up on TC, since TC doesn't have support for it.

#6 Ashikaga


Posted 19 April 2012 - 09:54 AM

What about these ones?

2012-04-10 20:38:36 WARDEN: Player X (guid: X, account: X) failed Warden check 261. Action: None
2012-04-10 20:52:00 WARDEN: Player X (guid: X, account: X) failed Warden check 134. Action: None
2012-04-10 20:56:44 WARDEN: Player X (guid: X, account: X) failed Warden check 88. Action: None

#7 maestro


Posted 19 April 2012 - 02:05 PM

What about these ones?

2012-04-10 20:38:36 WARDEN: Player X (guid: X, account: X) failed Warden check 261. Action: None
2012-04-10 20:52:00 WARDEN: Player X (guid: X, account: X) failed Warden check 134. Action: None
2012-04-10 20:56:44 WARDEN: Player X (guid: X, account: X) failed Warden check 88. Action: None


They are all type 191.

When you look in the core files of TrinityCore, then warden, in warden.h,
you see:

    MEM_CHECK     = 0xF3, // 243: byte moduleNameIndex + uint Offset + byte Len (check to ensure memory isn't modified)
    PAGE_CHECK_A  = 0xB2, // 178: uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans all pages for specified hash)
    PAGE_CHECK_B  = 0xBF, // 191: uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans only pages that start with MZ+PE headers for specified hash)
    MPQ_CHECK     = 0x98, // 152: byte fileNameIndex (check to ensure MPQ file isn't modified)
    LUA_STR_CHECK = 0x8B, // 139: byte luaNameIndex (check to ensure LUA string isn't used)
    DRIVER_CHECK  = 0x71, // 113: uint Seed + byte[20] SHA1 + byte driverNameIndex (check to ensure driver isn't loaded)
    TIMING_CHECK  = 0x57, // 87:  empty (check to ensure GetTickCount() isn't detoured)
    PROC_CHECK    = 0x7E, // 126: uint Seed + byte[20] SHA1 + byte moduleNameIndex + byte procNameIndex + uint Offset + byte Len (check to ensure proc isn't detoured)
    MODULE_CHECK  = 0xD9, // 217: uint Seed + byte[20] SHA1 (check to ensure module isn't injected)

Well, type 191 is: PAGE_CHECK_B = 0xBF, // 191: uint Seed + byte[20] SHA1 + uint Addr + byte Len (scans only pages that start with MZ+PE headers for specified hash)

And what that means I have no idea?? Maybe it's malware or adware that's interfering. If it's your account then feel free to update Malwarebytes and do a free scan.

gr.
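As an added example (not code from TrinityCore or from anyone in this thread), the script below applies the triage rules elecyb gives in #3 and the type numbering maestro quotes from warden.h in #7 to the log format quoted in the thread: it parses "failed Warden check N. Action: X" lines, counts failures per check id, and recommends a warden_action value per id (memory checks of type 243 get a ban, 437 and the malware-prone types 113/178/191 stay at log only, unknown ids stay at log only). The assumptions are labelled in the comments: the per-id type table is a constructed stand-in for warden_checks (only 437/246/785 as memory checks and 261/134/88 as type 191 come from the thread; 209, 442 and 777 are assumed), the values 1 = kick and 2 = ban, the warden_action column names, and the sample log lines.

```python
import re
from collections import Counter

# Check types as numbered in TrinityCore's warden.h (the enum quoted above).
MEM_CHECK, PAGE_CHECK_A, PAGE_CHECK_B = 0xF3, 0xB2, 0xBF
MPQ_CHECK, LUA_STR_CHECK, DRIVER_CHECK = 0x98, 0x8B, 0x71
TIMING_CHECK, PROC_CHECK, MODULE_CHECK = 0x57, 0x7E, 0xD9

TYPE_NAMES = {
    MEM_CHECK: "MEM_CHECK", PAGE_CHECK_A: "PAGE_CHECK_A", PAGE_CHECK_B: "PAGE_CHECK_B",
    MPQ_CHECK: "MPQ_CHECK", LUA_STR_CHECK: "LUA_STR_CHECK", DRIVER_CHECK: "DRIVER_CHECK",
    TIMING_CHECK: "TIMING_CHECK", PROC_CHECK: "PROC_CHECK", MODULE_CHECK: "MODULE_CHECK",
}

# Constructed stand-in for the `type` column of warden_checks, keyed by check id.
# 246/785/437 as MEM_CHECK and 261/134/88 as type 191 follow the thread;
# 209 as MEM_CHECK and 442/777 as PAGE_CHECK_A are assumptions for this example.
WARDEN_CHECKS = {
    209: MEM_CHECK, 246: MEM_CHECK, 785: MEM_CHECK, 437: MEM_CHECK,
    442: PAGE_CHECK_A, 777: PAGE_CHECK_A,
    261: PAGE_CHECK_B, 134: PAGE_CHECK_B, 88: PAGE_CHECK_B,
}

# warden_action values: 0 = log only (as stated in the thread); 1 = kick and 2 = ban are assumed here.
LOG_ONLY, KICK, BAN = 0, 1, 2

# Ids the thread reports as false positives (437: parental control / ATI Tray Tools).
FALSE_POSITIVE_IDS = {437}
# Types the thread says can be triggered by malware on the client rather than a hack (113, 178, 191).
MALWARE_PRONE_TYPES = {DRIVER_CHECK, PAGE_CHECK_A, PAGE_CHECK_B}

LOG_RE = re.compile(r"failed Warden check (\d+)\. Action: (\w+)")


def recommend(check_id):
    """Map a check id to a warden_action value using the rules given in the thread."""
    if check_id in FALSE_POSITIVE_IDS:
        return LOG_ONLY
    check_type = WARDEN_CHECKS.get(check_id)
    if check_type is None:
        return LOG_ONLY  # unknown id: never auto-ban on a check nobody has described yet
    if check_type in MALWARE_PRONE_TYPES:
        return LOG_ONLY  # could be malware on the client, not a hack
    if check_type == MEM_CHECK:
        return BAN       # modified code region: someone is using hacks
    return LOG_ONLY      # the thread gives no rule for the remaining types; stay at log only


def parse_log(lines):
    """Yield (check_id, logged_action) for each Warden failure line; skip unrelated lines."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2)


def triage(lines):
    """Summarise failures per check id with type name, count and recommended action."""
    counts = Counter(cid for cid, _ in parse_log(lines))
    report = {}
    for cid, n in sorted(counts.items()):
        ctype = WARDEN_CHECKS.get(cid)
        report[cid] = {"type": TYPE_NAMES.get(ctype, "unknown"),
                       "count": n,
                       "action": recommend(cid)}
    return report


def warden_action_sql(report):
    """Emit one REPLACE per id for warden_action (column names wardenId/action are assumed)."""
    return [f"REPLACE INTO warden_action (wardenId, action) VALUES ({cid}, {r['action']});"
            for cid, r in report.items()]


# Constructed sample log lines in the format quoted in the thread (not real server output).
SAMPLE_LOG = """\
2012-04-10 20:38:36 WARDEN: Player X (guid: X, account: X) failed Warden check 261. Action: None
2012-04-10 20:52:00 WARDEN: Player X (guid: X, account: X) failed Warden check 134. Action: None
2012-04-10 20:56:44 WARDEN: Player Y (guid: Y, account: Y) failed Warden check 437. Action: None
2012-04-10 21:01:10 WARDEN: Player Y (guid: Y, account: Y) failed Warden check 437. Action: None
2012-04-10 21:03:22 WARDEN: Player Z (guid: Z, account: Z) failed Warden check 209. Action: None
2012-04-10 21:05:00 WARDEN: Player Z (guid: Z, account: Z) failed Warden check 246. Action: None
2012-04-10 21:07:45 WARDEN: Player Z (guid: Z, account: Z) failed Warden check 999. Action: None
2012-04-10 21:08:00 WorldSession: player Z logged out
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for cid, r in report.items():
        print(f"check {cid:4d} {r['type']:13s} x{r['count']}  -> warden_action {r['action']}")
    print("\n".join(warden_action_sql(report)))
```

Run it against your own server log instead of SAMPLE_LOG, and review the generated REPLACE statements before applying them: the point of keeping unknown and malware-prone ids at 0 is that the `comment` column in warden_checks, not a guess, should decide when an id graduates to kick or ban.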

#8 Ashikaga


Posted 20 April 2012 - 12:57 PM

thx!

#9 maestro


Posted 21 April 2012 - 10:39 AM

Well Ashikaga, what about my question: is it your account, and if so, did you run Malwarebytes?
The reason I ask is that we (me and some others) want to know if some checks are related to malware or adware, so that we can positively say in the check description what it is.
The checks are sniffed from Blizz, so we don't always know which check does what..
(in case the above is incorrect about the sniff, please correct my words :P)

#10 Aokromes


Posted 21 April 2012 - 11:18 AM

Also, if we get a proper list of malware checks we can change the text for those to a malware warning instead of a ban.

#11 RedSonja


Posted 25 April 2012 - 10:19 PM

So is 209 a bug? I just noticed that one player has a page of that. Is it to be ignored or what?

#12 maestro


Posted 25 April 2012 - 10:54 PM

No no no, 209 is definitely NOT a bug, it's 100% WoWEmuHacker guys, no exception or question about it..

There is check 437, parental control, but I found out that ATI Tray Tools is also triggering that check..

#13 RedSonja


Posted 26 April 2012 - 04:06 AM

Thank you maestro for letting me know that. Is there a place that shows what these are or what kind of hacks they might be?

#14 maestro


Posted 26 April 2012 - 09:14 AM

Yes, in the table itself, warden_checks, you see at the end a column "comment".
Sometimes there is a description if we know 100% sure what is what, but we still miss a lot of them.
So it's always good, like Aokromes said earlier in this post, to have more information about which hack or malware activates a check.

#15 Hannibal2013


Posted 18 June 2013 - 06:54 PM

And this....

failed Warden check 209. Action: Kick
failed Warden check 437. Action: Kick
failed Warden check 121. Action: Kick






