Anti-cheats in Video Games

With the release of Riot Games' newest title 'Valorant' in closed beta, there is a lot of discussion around how the system detects cheaters in its game. The game's anti-cheat system, titled 'Vanguard', is a "kernel-mode driver" which acts to identify any malicious processes running alongside the game that may be attempting to hijack it, either through injection into the game files, manipulation of what the user is able to do, or augmentation of what the user sees, as potential areas of attack.

Preventing Cheating

Developers of Valorant report that their game uses a "fog-of-war" system to prevent hackers from seeing what they don't need to see. That means that outside of a player's available field of view, the game will not load any information that could be used to cheat. This could be a flag associated with a range that is set to 1 whenever players are too far from the potential cheater, hiding that information if they were to use things like wall-hacks.
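The sketch below is an added example, not Riot's code or anything from the original article: it shows the server-side idea of a hidden flag deciding which enemy positions go into each client's update. The 2D map, `MAX_RANGE`, the wall segments and all names are assumptions, and it goes one step beyond the range flag by also checking line of sight against walls.

```python
import math
from dataclasses import dataclass

MAX_RANGE = 50.0  # assumed visibility range in map units, not a real game value

@dataclass(frozen=True)
class Player:
    name: str
    x: float
    y: float

def _ccw(a, b, c):
    # True if the points a -> b -> c turn counter-clockwise.
    return (c[1] - a[1]) * (b[0] - a[0]) > (b[1] - a[1]) * (c[0] - a[0])

def segments_cross(p1, p2, q1, q2):
    # Sight line p1-p2 is blocked if it crosses wall segment q1-q2.
    return (_ccw(p1, q1, q2) != _ccw(p2, q1, q2)
            and _ccw(p1, p2, q1) != _ccw(p1, p2, q2))

def hidden_flag(viewer, target, walls):
    """Return 1 if the server must withhold target from viewer, else 0."""
    if math.hypot(target.x - viewer.x, target.y - viewer.y) > MAX_RANGE:
        return 1  # too far away: the range flag described above
    sight = ((viewer.x, viewer.y), (target.x, target.y))
    if any(segments_cross(*sight, a, b) for a, b in walls):
        return 1  # a wall blocks the line of sight
    return 0

def snapshot_for(viewer, players, walls):
    """Per-client update holding only positions this viewer may know."""
    return {p.name: (p.x, p.y) for p in players
            if p is not viewer and hidden_flag(viewer, p, walls) == 0}

if __name__ == "__main__":
    # Constructed sample data: one wall at x = 5 and three opponents.
    walls = [((5.0, -5.0), (5.0, 5.0))]
    viewer = Player("viewer", 0.0, 0.0)
    others = [Player("open", 0.0, 10.0),
              Player("behind_wall", 10.0, 0.0),
              Player("far", 0.0, 100.0)]
    print(snapshot_for(viewer, [viewer] + others, walls))
```

Because the filtering happens before the update leaves the server, a client that has been tampered with still receives no positions for players flagged as hidden.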

However, this doesn't mean that aim-botting is negated, as aim-assistance cheats help to track enemies that are on the screen and within shooting range, acting to correct a player's aim. External programs can simply register when enemies are on the screen in a fraction of a second and position the mouse onto them instantly.

Moreover, despite the small playerbase in the closed beta operation, there have been cases of hackers already cheating in the game. So in a sense, there is no strict prevention with Vanguard, but rather it acts to prevent cheats from being loaded or injected into the game.

Kernel-Mode Driver?

What seems to be sparking everyone's interest about Vanguard in particular is Riot's claim that their focus on anti-cheat has made the game more secure than other games on the market, most notably its long-standing competitor, Counter-Strike: Global Offensive (or CS:GO for short). CS:GO's crackdown system, called VAC, is notorious for being extremely unreliable in tracking down cheaters in-game, plaguing the experiences of players all around the world. With such behaviour going on for so long, it's easy to see why Valorant has eyes fixed on it, looking to spot any vulnerabilities in this early stage.

In particular, there seems to be an outcry against how Vanguard does its job, with its kernel-mode driver allowing it to run when the user's computer system boots up - which no other kernel anti-cheat programs seem to do. Having this level of access means that Vanguard essentially does have access to view the computer's memory - which is how the anti-cheat system is able to read and identify any suspicious processes which cause cheating.

https://www.youtube.com/watch?v=_dOCtaBObg4

Ring-0

However, this may be a misconception that has spread quickly across the Internet, in which people are now calling on others to avoid the game due to the risk that Riot, being owned by Chinese video game giant Tencent, may be spying on its users.

However, it seems that while Vanguard isn't limited to a single process, other anti-cheats don't seem to be either. PunkBuster (Apex Legends), nProtect and BattlEye, to name a few, all run at "Ring-0" and all load into the kernel when their games are started up. So it seems like this voice of concern may be unwarranted in that manner. In fact, Vanguard runs from boot in order to scope and prevent any kernel-mode cheats that are loaded in before the game is started up (which would be a huge exploit if it wasn't considered).

What users should be looking out for is whether or not the anti-cheat Vanguard is actively sending and receiving telemetry data to these companies which could be sold off by Tencent. It's hard to take a stance on this, seeing as the implementation of the anti-cheat is unknown (otherwise it is rendered useless), so users will have to trust that the company has pure intentions and is not doing anything malicious.
