Brazil's biggest MU Online portal — since 2003
Tutorial Advanced Tutoriais

How to Configure Advanced Anticheat on MU Online Server

Learn to configure advanced anticheat protection on your MU Online server with packet filters, SQL validations and real-time monitoring.

VI ViciadosMU Team · Updated on 3 jul 2026 · ⏱ 12 min read

Protecting a private MU Online server against cheating is one of the biggest administration challenges. Speed hacks, packet injection, item duplication, and automated bots destroy the experience for legitimate players. This guide covers configuring multiple layers of protection — from configuration file level to SQL validations — for servers running MuServer Season 6.

Why a Single Protection Layer Is Not Enough

Single-layer anticheat solutions are easily bypassed. The effective approach combines:

  • GameServer-side validation (packet filters, position checks)
  • Client integrity verification (file hashing at the ConnectServer)
  • SQL-based detection (anomalous transaction auditing in the database)
  • Real-time log monitoring (automated alerts)

Each layer covers gaps left by the others. Configure all of them before opening the server to the public.


Step 1 — Configure Packet Filters on the GameServer

The GameServer processes every packet sent by clients. Enabling the packet filter automatically rejects malformed or out-of-sequence packets.

File: GameServer/Data/Config/GameServerInfo.ini

; Packet filter — 0 = disabled, 1 = basic, 2 = advanced
PacketFilterLevel=2

; Reject packets with invalid size
PacketSizeCheck=1

; Maximum packets per second per connection (recommended: 150–300)
PacketRateLimit=200

; Block IPs after X consecutive invalid packets
PacketInvalidLimit=10

; Temporary ban duration in seconds
PacketBanTime=300
Atenção: PacketRateLimit values below 150 may cause legitimate disconnections during high-population events. Test in a staging environment before applying to production.

Restart the GameServer after editing. Check GameServer/Log/PacketFilter.log to confirm the filter is active.


Step 2 — Enable Client Integrity Verification

The ConnectServer can verify the hash of core client files before authorizing a connection. This prevents modified clients from connecting.

File: ConnectServer/Data/CSConfig.ini

; Enable client hash verification
ClientHashCheck=1
HashMethod=SHA256

; List of verified files (comma-separated)
HashFileList=main.exe,data\Monster.bmd,data\Item.bmd,data\Skill.bmd

; Path to the expected hash list file
HashListFile=ConnectServer/Data/ClientHashList.txt

Generate the hash file using PowerShell on the server:

Get-FileHash "C:\MuClient\main.exe" -Algorithm SHA256 | Select-Object Hash
Get-FileHash "C:\MuClient\data\Monster.bmd" -Algorithm SHA256 | Select-Object Hash

Format of ClientHashList.txt:

main.exe=A3F2C1D4E5B6...full_sha256_hash...
data\Monster.bmd=7B8C9D0E1F2A...full_sha256_hash...
data\Item.bmd=4D5E6F7A8B9C...full_sha256_hash...
data\Skill.bmd=1E2F3A4B5C6D...full_sha256_hash...
Nota: Update ClientHashList.txt every time you release a client patch. Stale hashes will lock out all players on the next update.

Step 3 — Configure Anti Speed Hack Protection

Edit the skill delay file to set minimum time limits between actions:

File: GameServer/Data/Config/SkillDelay.ini

; Minimum delay between attacks per class (in milliseconds)
[SkillDelay]
DarkKnight=400
DarkWizard=450
FairyElf=350
MagicGladiator=420
DarkLord=400
Summoner=460
RageFighter=380

; Minimum movement delay (below this = speed hack)
MovementDelayMin=100

; Enable speed hack detection log
SpeedHackLog=1
SpeedHackLogFile=GameServer/Log/SpeedHackDetect.log

Enable position logging in GameServerInfo.ini:

MoveLogSave=1
MoveLogFile=GameServer/Log/MoveLog.txt
Dica: Review SpeedHackDetect.log daily during the first weeks after setup. Players with high-latency connections may trigger false positives — raise MovementDelayMin if needed.

Step 4 — SQL Validations to Detect Item Duplication

Create a view in SQL Server to monitor anomalous transactions across warehouses and inventories:

USE MuOnline
GO

-- View to detect duplicated items (same serial in multiple inventories)
CREATE OR ALTER VIEW V_ItemDuplicateDetect AS
SELECT
    i.Serial,
    COUNT(*) AS TotalOccurrences,
    STRING_AGG(i.AccountID + '/' + i.CharacterName, ', ') AS Owners,
    i.ItemIndex,
    i.ItemLevel
FROM (
    SELECT Serial, AccountID, CharacterName, ItemIndex, ItemLevel
    FROM InventoryItems
    UNION ALL
    SELECT Serial, AccountID, CharacterName, ItemIndex, ItemLevel
    FROM WarehouseItems
    UNION ALL
    SELECT Serial, AccountID, CharacterName, ItemIndex, ItemLevel
    FROM PersonalShopItems
) i
GROUP BY i.Serial, i.ItemIndex, i.ItemLevel
HAVING COUNT(*) > 1;
GO

-- Audit query — run daily
SELECT * FROM V_ItemDuplicateDetect
ORDER BY TotalOccurrences DESC;

To detect abnormal Zen accumulation (possible duplication exploit):

SELECT
    AccountID,
    CharacterName,
    Money,
    GETDATE() AS CheckedAt
FROM Character
WHERE Money > 2000000000  -- 2 billion zen
ORDER BY Money DESC;
Atenção: Never delete suspicious items directly. First move them to a quarantine table: INSERT INTO ItemQuarantine SELECT * FROM InventoryItems WHERE Serial = 'xxx' before any removal.

Step 5 — Create an Automated Audit Stored Procedure

USE MuOnline
GO

CREATE OR ALTER PROCEDURE SP_AuditSuspiciousActivity
AS
BEGIN
    SET NOCOUNT ON;

    -- Log accounts with multiple simultaneous logins from the same IP
    INSERT INTO AuditLog (Type, Description, DateTime)
    SELECT
        'MultiLogin',
        'IP: ' + IP + ' | Accounts: ' + STRING_AGG(AccountID, ', '),
        GETDATE()
    FROM ConnectLog
    WHERE DateTime >= DATEADD(MINUTE, -5, GETDATE())
    GROUP BY IP
    HAVING COUNT(DISTINCT AccountID) > 3;

    -- Log item drops with abnormally high value in a short period
    INSERT INTO AuditLog (Type, Description, DateTime)
    SELECT
        'AnomalousItemDrop',
        'Char: ' + CharacterName + ' | Drops: ' + CAST(TotalDrops AS VARCHAR),
        GETDATE()
    FROM (
        SELECT CharacterName, COUNT(*) AS TotalDrops
        FROM ItemDropLog
        WHERE DateTime >= DATEADD(MINUTE, -10, GETDATE())
        GROUP BY CharacterName
        HAVING COUNT(*) > 50
    ) t;
END;
GO

-- Schedule the procedure via SQL Server Agent (every 5 minutes)
-- In SQL Server Agent > New Job > Step, run:
EXEC SP_AuditSuspiciousActivity;

Step 6 — Configure Automatic Banning Rules

File: GameServer/Data/Config/AutoBan.ini

[AutoBan]
; Enable automatic ban system
Enabled=1

; Temporary ban in minutes for confirmed speed hack
SpeedHackBanMinutes=1440

; Permanent ban after X temporary bans
PermanentBanAfterCount=3

; Notify GM via special channel when a ban is applied
NotifyGM=1
GMNotifyChannel=1

Step 7 — Monitoring with an Alert Script

Create C:\MuServer\Scripts\monitor_anticheat.bat for periodic alerts:

@echo off
:: Check speed hack log size and alert if it grows too large
set LOG_FILE=C:\MuServer\GameServer\Log\SpeedHackDetect.log
set MAX_LINES=100

for /f %%A in ('type "%LOG_FILE%" ^| find /c /v ""') do set LINE_COUNT=%%A

if %LINE_COUNT% GTR %MAX_LINES% (
    echo [%date% %time%] ALERT: SpeedHackDetect.log has %LINE_COUNT% lines >> C:\MuServer\Scripts\anticheat_alerts.log
    :: Add Discord Webhook or email integration here
)

Schedule this script in Windows Task Scheduler to run every 15 minutes.

Dica: For Discord integration, replace the echo line with a curl command posting to your webhook: curl -H "Content-Type: application/json" -d "{\"content\":\"Anticheat alert triggered!\"}" https://discord.com/api/webhooks/YOUR_WEBHOOK

Troubleshooting

GameServer does not start after setting PacketFilterLevel=2: Verify that your GameServer build supports this level. Older builds (S6 EP1) only support level 1. Check GameServer/Log/GS_Error.log for the exact error message.

Legitimate players are being banned for speed hack: Increase MovementDelayMin by 20ms at a time until false positives stop. Latencies above 200ms can cause incorrect detections.

The V_ItemDuplicateDetect view returns a compatibility error: STRING_AGG requires SQL Server 2017 or later. For older versions, replace it with STUFF((SELECT ...), 1, 2, '') using FOR XML PATH.

ConnectServer rejecting all clients after enabling HashCheck: Confirm that ClientHashList.txt uses UTF-8 encoding without BOM, and that hashes were generated from the exact client build distributed to players.


Final Security Checklist

Before considering the configuration complete, verify each item:

  • PacketFilterLevel=2 active and tested in GameServerInfo.ini
  • ClientHashCheck=1 with correct SHA256 hashes on the ConnectServer
  • Skill delays configured per class in SkillDelay.ini
  • V_ItemDuplicateDetect view created and returning empty results
  • SP_AuditSuspiciousActivity scheduled in SQL Server Agent
  • Monitoring script scheduled in Windows Task Scheduler
  • AutoBan.ini configured with appropriate limits for your server
  • Logs rotated weekly to prevent excessive growth

Server security is an ongoing process. Review logs weekly, update client hashes with every patch, and adjust limits based on observed player behavior.

Perguntas frequentes

The GS crashes when enabling the packet filter — what should I do?

Check whether your GameServer build supports PacketFilter. Open GameServer/Data/Config/GameServerInfo.ini and confirm the PacketFilterLevel line exists. On S6 Episode 3 builds, the maximum supported value is 2.

How do I tell if a player is using a speed hack?

Enable movement logging in GameServer/Log/MoveLog.txt by setting MoveLogSave=1 in GameServerInfo.ini. Speeds above 800 units/tick indicate speed hack. You can also query the V_SpeedHackDetect view in your database if you have a SQL logging system active.

The anticheat is blocking legitimate skills — how do I adjust it?

Tune the SkillDelayMin parameter in GameServer/Data/Config/SkillDelay.ini. For classes like BK, the recommended value is 400ms; for Elf, 350ms. Reduce gradually until false positives stop.

Should I use MD5 or SHA256 for client file verification?

SHA256 is strongly preferred. Set HashMethod=SHA256 in ConnectServer/Data/CSConfig.ini. MD5 is still supported on legacy builds (S2–S4) but is vulnerable to collisions and should not be used on modern servers.

VI

ViciadosMU Team

Equipe editorial do ViciadosMU — portal de MU Online no ar desde 2003.

Keep reading

Related articles