Keiko Megane
Keiko Megane is a heuristic-based* runtime protection mechanism that detects suspicious behavior of plugins while your server is running. It is able to recognize a variety of threats, and sometimes even remediate the damage they have done.
\* At the moment, Keiko does not run any program simulation. Its heuristics work on the fly. This means that Keiko Megane cannot stop malware from running. But it can notify you about its detection, and it can sometimes recover your server from the threat by "reverting" the suspected operations.
眼鏡 [megane] is the Japanese word for "glasses". The name illustrates the way this module of Keiko works: observing and deeply inspecting the behavior of plugins in the background, without directly interrupting their workflow or slowing down your server (unlike DAC).
Keiko Megane has its own configuration section inside `runtimeprotect.yml`.
At the moment, Keiko Megane only displays its notifications in your server console. Discord- and/or e-mail-based notifications are planned for the near future as well.
You can exclude particular plugins or code sources from being analyzed by Keiko Megane at run-time. Use each heuristic's `exclusions` list for that. The syntax is the same as the syntax of static inspection exclusions.
| Analysis name | Description | Threat remediation | Remediation details |
|---|---|---|---|
| Heur.ForceOp | Triggers when plugins give a player the server operator (OP) status immediately after they join the server, send a chat message, or use a Minecraft chat command (either by utilizing the Bukkit API or by dispatching the "/op" Minecraft command). | ✔ | Keiko can remove the server operator (OP) status (de-op the player) when this heuristic triggers. |
| Heur.BookBackdoor | Triggers when a player signs a book with the title "cmd" in game. Under certain conditions, this book may be used to obtain full access to your server. | ❌ | — |
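How a Heur.ForceOp-style correlation could work, as an added example that is not Keiko's own code: it flags an OP grant that closely follows the same player's join, chat message or command, and lists the players a de-op remediation would cover. The 1-second window, the `Event` record with its `source` field and the plugin names are assumptions, and the `excluded` set only models the idea of an exclusions list, not its real syntax.

```python
from dataclasses import dataclass

WINDOW_MS = 1000  # assumed meaning of "immediately after"; not Keiko's value
TRIGGERS = {"join", "chat", "command"}  # player actions named in the table


@dataclass(frozen=True)
class Event:
    ts_ms: int        # event time in milliseconds
    kind: str         # "join", "chat", "command" or "op_grant"
    player: str       # player the event concerns
    source: str = ""  # for op_grant: plugin that granted OP (hypothetical field)


def detect_force_op(events, excluded=frozenset(), window_ms=WINDOW_MS):
    """Return (player, plugin, trigger, delay_ms) for every OP grant that
    follows one of that player's own actions within window_ms."""
    last_action = {}  # player -> (ts_ms, kind) of the most recent trigger
    findings = []
    for ev in sorted(events, key=lambda e: e.ts_ms):
        if ev.kind in TRIGGERS:
            last_action[ev.player] = (ev.ts_ms, ev.kind)
        elif ev.kind == "op_grant" and ev.source not in excluded:
            prev = last_action.get(ev.player)
            if prev is not None and ev.ts_ms - prev[0] <= window_ms:
                findings.append((ev.player, ev.source, prev[1], ev.ts_ms - prev[0]))
    return findings


def players_to_deop(findings):
    """Players whose OP status the remediation step would revoke."""
    return sorted({player for player, _, _, _ in findings})


# Constructed sample timeline (not taken from a real server).
SAMPLE = [
    Event(0, "join", "alice"),
    Event(40, "op_grant", "alice", "ShadyPlugin"),      # 40 ms after join: flagged
    Event(5_000, "chat", "bob"),
    Event(90_000, "op_grant", "bob", "AdminTools"),     # 85 s later: not flagged
    Event(100_000, "command", "carol"),
    Event(100_010, "op_grant", "carol", "TrustedPerms"),  # flagged unless excluded
]

if __name__ == "__main__":
    for finding in detect_force_op(SAMPLE, excluded={"TrustedPerms"}):
        print("Heur.ForceOp:", finding)
    print("de-op:", players_to_deop(detect_force_op(SAMPLE)))
```

The `bob` case shows why the time window matters: an operator grant long after the player's last action is ordinary administration, not the join-then-OP pattern the heuristic looks for.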
Can't find what you're looking for? Ask in Keiko's Discord server or open an issue on GitHub!