HandyCafe Docs
owner it-admin

Security and Anti-Cheat

HandyCafe includes an operator anti-cheat and client security system. It has two parts: the Security panel where you monitor detections and manage bans, and the security settings page where you configure what protections run on the client PCs. Use it to harden client processes, detect cheat tools and debuggers, ban devices by hardware fingerprint, and check linked Steam accounts for VAC bans.

Security Panel

The Security panel is organized into three tabs: Tamper Events, HWID Blacklist, and Steam VAC. Click a tab at the top of the panel to switch between them.

Tamper Events

The Tamper Events tab shows a history of anti-cheat detections reported by client PCs. Each row lists the Time, the Computer (friendly name with the MAC address shown underneath), the Event category, the Severity, and a plain-language Description of what was detected.

Use the filter row at the top to narrow the list. You can pick a date (the view defaults to today and refetches when you change it), choose a category, choose a severity (Critical, Warning, or Info), and type in the Search by computer or MAC box. The Refresh button reloads the events. The counter beside the filters shows how many events match the current filters out of the total loaded.

Event categories include Process scan, Window scan, Driver scan, Debugger, Memory editor, Injector, Game cheat, Binary integrity, Code signature, DNS watch, and Time tampering. When there are no detections for the selected date the panel shows No tamper events on this date.

HWID Blacklist

The HWID Blacklist tab lists devices that are banned by hardware fingerprint (HWID hash). The table shows the HWID hash, Sample MAC, Reason, Note, and Time. The counter at the top shows how many bans exist.

To ban a device, click Add HWID Ban. In the dialog enter the MAC (formatted like AA:BB:CC:DD:EE:FF), a required Reason, and an optional Note, then click Add ban. The server resolves the MAC to the device fingerprint and records the ban. Use Cancel to close the dialog without saving.

To lift a ban, use the remove action on the row (Remove ban). The Refresh button reloads the list. When there are no bans the table shows No HWID bans.

Steam VAC

The Steam VAC tab checks linked member Steam accounts for VAC bans using the Steam Web API.

Enter your key in the Steam Web API Key field and click Save. The hint reads: Required for VAC ban lookups. Get one from steamcommunity.com/dev/apikey.

Under VAC Sweep, the Scan now button runs a manual sweep. A sweep checks every linked member's Steam account for VAC bans, and it also runs automatically every day. The Scan now button is disabled until a Steam Web API key is saved. The status text shows the Last sweep time, or Never swept yet if no sweep has run.
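The sketch below shows what a VAC sweep over linked accounts involves. It is an added example, not HandyCafe's code. It assumes the sweep uses the public ISteamUser/GetPlayerBans endpoint with a cap of 100 IDs per request; the function names, member names and SteamIDs are constructed.

```python
import json
from urllib.parse import urlencode

# Assumption: the sweep calls the public ISteamUser/GetPlayerBans endpoint.
API_URL = "https://api.steampowered.com/ISteamUser/GetPlayerBans/v1/"
BATCH_SIZE = 100  # assumed per-request cap on comma-separated SteamIDs

def build_requests(api_key, steam_ids):
    """One request URL per batch of de-duplicated SteamID64 strings."""
    ids = sorted(set(steam_ids))
    return [API_URL + "?" + urlencode({"key": api_key,
                                       "steamids": ",".join(ids[i:i + BATCH_SIZE])})
            for i in range(0, len(ids), BATCH_SIZE)]

def redact(url, api_key):
    """Strip the API key before a URL is written to logs or error reports."""
    return url.replace(api_key, "<redacted>")

def find_vac_bans(response_text, linked):
    """linked maps SteamID64 -> member name. Returns (flagged, unchecked)."""
    flagged, seen = [], set()
    for player in json.loads(response_text).get("players", []):
        sid = player.get("SteamId")
        if sid not in linked:
            continue
        seen.add(sid)
        if player.get("VACBanned") or player.get("NumberOfVACBans", 0) > 0:
            flagged.append({"member": linked[sid], "steam_id": sid,
                            "vac_bans": player.get("NumberOfVACBans", 0),
                            "days_since_last_ban": player.get("DaysSinceLastBan")})
    # IDs missing from the response were not checked; do not report them as clean.
    return flagged, sorted(set(linked) - seen)

# Constructed sample data (not real accounts, not real API output).
LINKED = {"76561190000000001": "member-a",
          "76561190000000002": "member-b",
          "76561190000000003": "member-c"}
SAMPLE_RESPONSE = json.dumps({"players": [
    {"SteamId": "76561190000000001", "CommunityBanned": False, "VACBanned": True,
     "NumberOfVACBans": 2, "DaysSinceLastBan": 41, "NumberOfGameBans": 0,
     "EconomyBan": "none"},
    {"SteamId": "76561190000000002", "CommunityBanned": False, "VACBanned": False,
     "NumberOfVACBans": 0, "DaysSinceLastBan": 0, "NumberOfGameBans": 0,
     "EconomyBan": "none"}]})

if __name__ == "__main__":
    flagged, unchecked = find_vac_bans(SAMPLE_RESPONSE, LINKED)
    print("flagged:", flagged)
    print("not checked:", unchecked)
```

The key travels in the query string, so any request URL that reaches a log should pass through a redaction step first.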

Client Security Configuration

The client security settings page controls what protections each client PC applies. It is split into Process Hardening and Tamper Monitor.

Use the Enable client security protection master switch to turn the whole system on or off. When it is disabled the client applies no process hardening and runs no tamper monitor probes. A banner below the switch notes that HandyCafe Client, Server, and Watchdog binaries are always whitelisted and the protections will never flag them. The detailed sections only appear when the master switch is on.

This is a settings sub-page. Changes are committed with the page-level Save button, not a separate button inside the section.

Process Hardening

Process Hardening applies process self-hardening policies at client startup. Each toggle carries a risk badge (LOW RISK, MEDIUM RISK, or HIGH RISK) and a tooltip describing what it does. Available options:

  • Memory protection (DACL): Replaces the process's own DACL so non-admin tokens lose read, write, and thread access. Blocks standard Cheat Engine attach.
  • DEP permanent: Keeps Data Execution Prevention permanent so stack and heap stay non-executable.
  • Prohibit dynamic code (HIGH RISK): Blocks JIT and executable allocations. May break GPU driver shader JIT on some systems and cause screen capture and remote control to fail.
  • AppLocker/WDAC signature policy (MEDIUM RISK): Opts the process into your existing AppLocker or WDAC binary signature rules.
  • DLL load filter (MEDIUM RISK): Blocks remote-image DLL loads, prefers System32, and blocks low-integrity images. May break some vendor overlays.
  • Block AppInit_DLLs / IME: Blocks AppInit_DLLs, IME, and Winsock LSP injection vectors.
  • Strict handle check (HIGH RISK): Raises an error on bad handle use. A handle hygiene bug in any third-party library will crash the process.
  • Linux: block ptrace: Prevents ptrace and debugger attach for non-root users on Linux.
  • macOS: deny debugger attach: Refuses any subsequent debugger attach on macOS.

Tamper Monitor

Tamper Monitor runs background probes that scan for cheat tools, debuggers, and injectors at random intervals. Detections appear in the Tamper Events tab. Available probes:

  • Cheat Engine / memory editor detection: Scans for Cheat Engine, ArtMoney, MHS, ReClass, and similar value-scanner processes.
  • Debugger / RE tool detection (x64dbg, IDA, Ghidra): Detects reverse engineering tools.
  • Code injector detection (Process Hacker, Scylla): Detects code injectors such as Process Hacker, Scylla, and kdmapper.
  • Game cheat brand detection (neverlose, aimware, etc.): Matches known commercial game cheat process names and performs DNS lookups for their domains.
  • Suspicious driver scan: Detects vulnerable driver abuse. Note: RTCore64 is also used by MSI Afterburner, which may cause false positives.
  • Anti-debug probe: Checks common debugger-presence APIs and hardware breakpoints.
  • Executable integrity check (SHA-256): Hashes the client's own executable on each sweep to detect on-disk patching.
  • Signature verification (WinVerifyTrust): Verifies the Authenticode signature. Keep this disabled for unsigned beta builds.
  • DNS query monitoring (cheat domain blacklist): Parses the DNS cache for known cheat vendor domains.
  • Window title scan: Scans window titles to catch cheat processes that rename their binary to evade name-based detection.
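The following added example (not HandyCafe's code) shows why the window title scan complements name-based process scanning, and why title-only hits deserve operator review. The tool names come from the probe list above; the substring rules, probe labels, severities and process snapshot are assumptions constructed for illustration.

```python
import re

# Tool names are taken from the probe list above; the substring rules, probe labels
# and severities are assumptions made for this example.
SIGNATURES = {
    "cheatengine": "Memory editor", "artmoney": "Memory editor",
    "reclass": "Memory editor", "x64dbg": "Debugger", "ghidra": "Debugger",
    "processhacker": "Injector", "scylla": "Injector", "kdmapper": "Injector",
}
# Short names such as IDA or MHS are left out: as bare substrings they would match
# unrelated text and need exact-name rules instead.

# (field, probe label, severity). A title-only hit is weaker evidence than a
# binary-name hit, so it is raised as Warning for operator review.
PROBES = (("exe", "Process scan", "Critical"), ("title", "Window scan", "Warning"))

def normalize(text):
    """Lowercase and drop punctuation so 'Cheat Engine 7.5' -> 'cheatengine75'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def scan(processes):
    """Return at most one tamper event per process, preferring name matches."""
    events = []
    for proc in processes:
        for field, probe, severity in PROBES:
            text = normalize(proc.get(field, ""))
            hit = next((s for s in SIGNATURES if s in text), None)
            if hit:
                events.append({"pid": proc["pid"], "probe": probe,
                               "category": SIGNATURES[hit], "severity": severity,
                               "description": f"{field} {proc[field]!r} matches {hit!r}"})
                break
    return events

# Constructed process snapshot: pid, executable name, top-level window title.
SAMPLE = [
    {"pid": 4120, "exe": "cheatengine-x86_64.exe", "title": "Cheat Engine 7.5"},
    {"pid": 5232, "exe": "updater_helper.exe", "title": "Cheat Engine 7.5"},  # renamed binary
    {"pid": 6010, "exe": "x64dbg.exe", "title": ""},
    {"pid": 7001, "exe": "notepad.exe", "title": "scylla-notes.txt - Notepad"},  # false positive
    {"pid": 812, "exe": "explorer.exe", "title": "Documents"},
]

if __name__ == "__main__":
    for event in scan(SAMPLE):
        print(event)
```

In the sample, pid 5232 is caught only by its title, while pid 7001 is a text editor whose document name happens to contain a tool name, which is the kind of hit an operator should confirm before banning a device.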

Probe Intervals

The Min scan interval (seconds) and Max scan interval (seconds) fields control how often the tamper monitor probes run. The client picks a random interval between these two values for each sweep. The allowed range is 30 to 3600 seconds and the minimum must be less than or equal to the maximum. If the values are invalid the page shows the message: Min interval must be less than or equal to max interval, and the save is blocked until you correct them.