-
-
Notifications
You must be signed in to change notification settings - Fork 0
FAQ
MLVScan is a security plugin for MelonLoader that scans mods before they execute, detecting malicious patterns commonly found in malware. It was created in response to malware mods being uploaded to modding sites.
MLVScan:
- Scans all mods before they execute
- Identifies 17+ types of malicious patterns
- Automatically disables suspicious mods
- Generates detailed security reports
- Prevents first-time infections
No. No security tool is perfect. MLVScan:
- ✅ Catches many common malware patterns
- ✅ Uses multi-signal detection to reduce false positives
- ❌ May miss sophisticated malware
- ❌ May flag legitimate mods (false positives)
Always exercise caution and verify with the community.
No. MLVScan uses static analysis via Mono.Cecil to examine the IL (Intermediate Language) code without executing it. This makes it safe to scan suspicious files.
Place MLVScan.dll in your game's Plugins folder:
YourGame/
├── Plugins/
│ └── MLVScan.dll ← Here
├── Mods/
└── MelonLoader/
No. MLVScan works out-of-the-box with sensible defaults. Configuration is optional and stored in MelonPreferences.cfg.
[MLVScan]
WhitelistedHashes = ["3918e145...", "8e6dd194...", ...] # Common safe mods
DisableThreshold = Medium
DumpFullIlReports = falseYes. On first launch, MLVScan scans all installed mods. It re-scans whenever:
- Game launches
- New mods are added
- Configuration changes
- Get the SHA256 hash from the scan report
- Edit
MelonPreferences.cfg - Add hash to
WhitelistedHashesarray - Save and restart game
See Whitelisting Guide for detailed instructions.
Security benefits:
- Tamper detection (any modification changes hash)
- Filename independence (renaming doesn't help malware)
- Authenticity verification (confirms exact same file)
- Collision resistance (can't fake a hash)
Yes. Set WhitelistedHashes = [] in MelonPreferences.cfg. MLVScan will re-initialize defaults on next launch.
- UnityExplorer (Mono & IL2CPP) - Debugging tool
- CustomTV (Mono & IL2CPP) - Custom content loader
These are verified safe but trigger detection rules due to their functionality.
Critical = Highly dangerous activities rarely legitimate in mods:
- Shell command execution
- Data exfiltration
- Persistence mechanisms
- Encrypted assembly loading
Action: DO NOT whitelist without extensive verification.
High = Dangerous behaviors that might be legitimate:
- Process execution
- Reflection usage
- Registry modification
- Obfuscated strings
Action: Investigate carefully before whitelisting.
False positives occur when legitimate code triggers detection rules:
Common causes:
- Debugging tools using reflection
- Asset loaders using Base64
- Network features in multiplayer mods
- DLL imports for advanced features
Solution: Verify with community, then whitelist by hash.
Instead of flagging individual suspicious operations, MLVScan looks for combinations:
Not flagged:
Base64.Decode(someData) // Alone = benign
Flagged:
var command = Base64.Decode(encodedString);
Process.Start(command); // Combined = suspicious
This reduces false positives while maintaining security.
YourGame/UserData/MLVScan/Reports/
├── ModName_timestamp.report.txt # Main report
├── Prompts/ModName.prompt.md # LLM analysis prompt
└── IL/ModName_timestamp.il.txt # Full IL dump (optional)
A file you can copy into ChatGPT/Claude to help analyze whether a mod is malicious or a false positive.
Important: LLMs are NOT perfect at malware detection. Use as supplementary analysis at best.
IL (Intermediate Language) is the low-level code .NET compiles to. Snippets show the actual suspicious operations detected:
IL_0000: ldstr "cmd.exe" # Loads string "cmd.exe"
IL_0005: call Process::Start # Calls Process.Start
Only if:
- You're doing deep security analysis
- Sharing with security researchers
- Contributing to rule improvements
Warning: Generates large files.
Minimal impact. Scanning is fast:
- First scan: ~5-10 seconds (depending on mod count)
- Subsequent scans: Faster (whitelisted mods skipped)
Yes. MLVScan doesn't modify mods, just analyzes them. Compatible with:
- All MelonLoader mods
- Both Mono and IL2CPP games
- Other security/utility plugins
Unlikely. MLVScan runs at minimum priority (loads first) to scan before other plugins.
Yes, but:
- Only scans local mods on your machine
- Doesn't protect against server-side threats
- Doesn't scan other players' mods
- Read the report - Understand what was flagged
- Ask the community - Join Discord
- Verify the source - Ensure it's from official mod page
- Check the hash - Compare with known-good versions
- Whitelist - If verified safe, add hash to whitelist
- Join the GitHub
- Open a new issue
- Include:
- Mod name and source
- SHA256 hash
- Scan report
- Why it's legitimate
Troubleshooting steps:
- Check MelonLoader console for errors
- Ensure MelonLoader is up to date
- Try removing
MelonPreferences.cfg(recreates defaults) - Report issue on GitHub with:
- Game name
- MelonLoader version
- MLVScan version
- Console logs
Yes:
- Rename
MLVScan.dlltoMLVScan.dll.disabled - Or move it out of the Plugins folder
Warning: Only do this if absolutely necessary.
A platform-agnostic NuGet package containing the scanning engine. It enables:
- MelonLoader plugin (MLVScan)
- Developer CLI tool (MLVScan.DevCLI)
- Web scanner (MLVScan.Web)
- Future BepInEx support
See Architecture for details.
Detection rules live in MLVScan.Core repository:
- Create class implementing
IScanRule - Define
DescriptionandSeverity - Implement
IsSuspicious(MethodReference) - Add to
RuleFactory.CreateDefaultRules()
See contributing guide.
Yes! MLVScan.Core is available as a NuGet package:
dotnet add package MLVScan.CoreFor mod developers, you can also use MLVScan.DevCLI to scan your builds:
dotnet tool install --global MLVScan.DevCLI
mlvscan-dev MyMod.dllSee Developer CLI Guide and MLVScan.Core Documentation for integration guide.
Yes. Licensed under GPL-3.0-or-later:
No. MLVScan:
- ❌ Does not phone home
- ❌ Does not collect telemetry
- ❌ Does not upload files
- ❌ Does not track usage
Everything happens locally on your machine.
Potentially, yes. Sophisticated malware could:
- Use advanced obfuscation
- Exploit unknown vulnerabilities
- Delay malicious behavior
- Target MLVScan specifically
Defense: MLVScan is one layer. Also use:
- Trusted mod sources only
- Active antivirus software
- Regular system scans
- Community verification
MLVScan only prevents future infections. If you ran malware before:
- Don't panic - but take it seriously
- Disconnect from internet (if actively infected)
- Run antivirus scan - Malwarebytes recommended
- Check reports - See what the mod did
- Change passwords - From clean device if possible
- Monitor accounts - Watch for suspicious activity
See scan reports for detailed security guidance.
- Detection rules: Added as new threats emerge
- Core engine: Regular improvements
- Bug fixes: As needed
Check Releases for updates.
| Feature | MLVScan | Antivirus |
|---|---|---|
| Pre-execution scanning | ✅ Yes | ❌ Usually post-execution |
| Unity mod specific | ✅ Yes | ❌ No |
| IL analysis | ✅ Yes | |
| Real-time protection | ✅ Continuous | |
| Zero-day detection | ✅ Behavior-based |
Best practice: Use both MLVScan and antivirus.
| Approach | Speed | Accuracy | Skill Required |
|---|---|---|---|
| MLVScan | Instant | Good | None |
| Manual IL review | Slow | Excellent | Expert |
MLVScan is great for quick automated checks. Manual review by experts is more thorough.
-
Modding Discord - Fastest response
- #mod-releases channel (MLVScan thread)
-
GitHub Issues - Bug reports
-
GitHub Discussions - General questions
-
Wiki - Documentation
Non-developers:
- Report false positives
- Share verified safe hashes
- Help answer questions
- Test new releases
Developers:
- Add detection rules
- Improve documentation
- Fix bugs
- Platform integrations
See Contributing Guide.
Created and maintained by Bars (ifBars) with community contributions.
Yes, via DisableThreshold in config:
[MLVScan]
DisableThreshold = Critical # Only disable critical threats
# Options: Low, Medium, High, CriticalYes, but you'll need to:
- Fork MLVScan.Core
- Create custom rule classes
- Build your own version
- Reference in your MLVScan build
For most users, requesting new rules via GitHub is easier.
Yes! You have two options:
MLVScan.Web (github.com/ifBars/MLVScan.Web):
- Browser-based
- No installation
- Same detection engine
- Great for pre-screening mods
MLVScan.DevCLI (github.com/ifBars/MLVScan.DevCLI):
- Command-line tool for developers
- CI/CD integration
- MSBuild support
- Developer-friendly remediation guidance
See Developer CLI Guide for more information.
- Getting Started - Installation guide
- Developer CLI Guide - Development scanning and CI/CD
- Whitelisting - SHA256 hash whitelisting
- Scan Reports - Understanding reports
- Architecture - Technical overview
- MLVScan.Core Wiki - Core engine docs
Ask in the Discord or open a Discussion!