How to disable the File Upload/Download exploit

It’s really simple.

Go to,

steam/steamapps/<your profile>/garrysmod/bin

Overwrite the engine.dll from your garrysmod/bin folder on your orangebox/bin folder on your server.

Go to your server.cfg on your server and edit your server.cfg so it has the following commands in it.

sv_allowdownload 0
sv_allowupload 0

Holy fucking shit, that was so hard. You did it!

If you cannot manage to find the correct engine.dll, I have uploaded it on my site. Remember that all of Valve’s engine.dlls are the same filesize, you need to check the digital signature on through Right Click>Properties and make sure it was built in September or later.

Now, if you still want to have server downloads (maps, materials, dua, models, sounds) you need to setup a sv_downloadurl.
If you run a popular server there is not a reason for not doing this other than laziness or ignorance.

Here is some documentation on sv_downloadurl, I am not helping you with this.

You do not need sv_allowdownload or sv_allowupload set as 1 to use a downloadurl, if any tutorials say to do this IGNORE IT.

Here are some webhosts I recommend from some experience with them. (They have some odd rules and policies though, they offer free hosting) (Some people hate it, some people like it)

I’m Teddi and I approve of this method. (Because unlike D-FENS, this actually works)

Thanks sadistic, this’ll help keep the DarkRP servers up and running 24/7 now.

You need to post source to the engine.dll if u not want to get banned by garry, or worse

That explains for the nubs how to avoid getting haxed lol :smiley:

It’s your choice if you download it or not, I really don’t care.

It’s the dll I am using on my servers, it works for me.

Agree’d, this works.

It’s the same as the engine.dll from a clients copy of Gmod.

I’d like to remind that if your server had been exploited, don’t forget to check all the autorun scripts for malicious codes. There still might be one or two codes uploaded deep into addons or lua folders. Even if you fix and disable upload exploit, they can execute commands on your server, if there are any uploaded lua’s left.

These are the common folders which exploiters upload their lua (In my case, all the uploaded luas were in these folders. I found 18 malicious lua files after I brought down my servers):


  • Xev

well done Teddi,
now i can start The Great Forge’s GMod Server again.

  • Robin

A man named wizard of shiron or something like that came into my server, made him self admin, then godded himself and told me about this thread, to ‘fix the exploit he was using’. I didnt ban him though, he just sat there and did things like any other non admin player did. Then i saw ‘Console: see you my minions. I have to illuminate more servers.’ Hah, well done bud, and thanks for the help.


If only the people who originally attacked my servers were like that :confused:

Someone told me this after the craze hit. I decided to try it out to download someone server.cfg to see how it worked. All I got was “Sorry, your server.cfg is not here, try another castle” I couldn’t help but to laugh :3:

It seems to be causing extreme lag spikes, not sure if it’s the engine.dll though. Might also be some files that some exploiter has uploaded, which are causing this.

Wait, so this stops you from having other people download files from your server, or from you downloading things from servers you join?

Does lua files still get downloaded by this setting sv_allowdownload to 0?

Thanks, idiots (and I know who) have been raiding my server lately.

I’m just curious, but what danger is there in allowing downloads, but just not uploads? As opposed to blocking both, and hosting the downloads elsewhere?

People can download your server.cfg and find out your rcon password. And no, hiding it in other cfgs won’t help, because those will have to be executed somewhere and those can be downloaded too.

Or just do rcon_password “”

Okay there really is no reason to even be asking questions like “what if I just keep sv_allowdownload on and upload 0…” Buy a downloadurl. There cheap and I can guarantee you well get more players because they don’t have to take a year to download files.

Or use a server host that automatically does all the work to make sv_downloadurl do it’s thing. (xenonservers) .


Dave, that would mean not being able to USE rcon, which is retarded.