Image: Alex Parkin / The Verge Riot Games’ investment into its Vanguard system is paying off.
Multiplayer games on PC were a mess back in 2020. Developers were struggling to respond to blatant cheating as more and more people turned to gaming at home during the covid-19 lockdowns. Call of Duty: Warzone, PUBG, and Destiny 2 were all riddled with people using aimbots to automatically shoot opponents or wallhacks to see everyone on a map.
Riot Games’ Valorant stood out because of its controversial and aggressive anti-cheat system, Vanguard, which had the potential to keep cheaters away. Now, four years later, it’s clear that Vanguard is winning the war against PC cheaters unlike any other anti-cheat system.
“We don’t see as many of the cheats that try to function on the machine and get access,” says Phillip Koskinas, director of anti-cheat on Valorant, in an interview with The Verge. “That has just become too much of a chore for cheat developers.”
Vanguard has made it far more difficult for PC gamers to use things like aimbots or wallhacks. This is partly due to a controversial kernel-level driver that is always running after you boot your PC. Riot’s Nick “Everdox” Peterson developed a system in Vanguard that detects when cheat engines are trying to get access to Valorant. “He came up with a fairly novel way to know that something has been mapped into kernel memory that isn’t supposed to be there,” says Koskinas. “The method is so cute that I can’t explain it because they’ll figure it out too quickly.”
The method sounds like it works similarly to when you crack open a piece of hardware and those little plastic clips fall off to let the device manufacturer know you have voided the warranty. “Once that’s done, we know that something happened and then we just wait to see something occur on Valorant that confirms you’re using it for cheating,” says Koskinas.
That’s led cheaters to move increasingly toward hardware to bypass systems. One of the most popular ways that cheat engines now hook into games involves direct memory access (DMA) with dedicated hardware. “You’re basically using a PCIe card to request reads of physical memory,” explains Koskinas. “They have developed techniques with these cards, the most popular one being Squirrel, to do a lot of traditional memory scanning but totally externally.”
That means a cheater will have a secondary PC that is scanning the memory space of Valorant, looking for player positions. A cheater can use this second PC with a monitor to display a special new radar that lets them know exactly where opponents are. It’s a devastating cheat in a game like Valorant, where players rely on tactics, positioning, and stealthiness to get an advantage.
Image: Riot Games DMA cheating involves dedicated hardware.
Riot has also developed methods to detect this new form of hardware-level DMA cheating thanks to Peterson. His invention essentially blocks reads to internal memory by suspicious devices. I recently ran into an issue with this DMA protection, as Vanguard started blocking my network card every time I loaded into a Valorant game. Riot has a list of hardware and firmware that is trusted, but the network card on my motherboard was using a method that looked suspicious. The issue was rectified within hours, but it showed how powerful Vanguard was that it could knock out my PC connectivity until I rebooted.
Most of the cheats for Valorant these days have been reduced to triggerbots, programs that use screen readers to look at the center of your monitor and then automatically shoot when a player’s crosshair is placed over an enemy. Koskinas says these account for “about 80 percent” of cheats in the game.
The addition of Vanguard to League of Legends earlier this year also dramatically reduced scripters, and the League team revealed in August that it had banned more than 175,000 accounts for cheating since Vanguard was introduced.
That’s encouraging for Valorant and League, but the situation isn’t as bright for other game developers that build their own anti-cheat systems. A recent study from the University of Birmingham revealed that cheats for Activision’s Call of Duty: Warzone remain accessible and affordable, and that Activision’s Ricochet anti-cheat falls short against more sophisticated cheats. Activision even had to fix an anti-cheat hack in Warzone and Modern Warfare III that led to legitimate players getting banned.
“Ricochet has talented individuals on the team, but they clearly do not have enough funding or freedom,” says zebleer, the developer behind Phantom Overlay one of the most popular cheat engines for games like Call of Duty, Overwatch 2, and more. “Call of Duty is overrun with cheaters. They are implementing quick fixes. They are not implementing things they should be implementing likely because Activision won’t let them.”
Zebleer thinks Vanguard is clearly winning against cheaters, thanks to the anti-cheat team having funding, talent, and freedom. Riot has hired engineers that have developed cheat engines in the past, including Koskinas, who developed and sold cheats more than 15 years ago to help fund his academic career.
Unsurprisingly, the researchers at the University of Birmingham agree that Valorant has the best anti-cheat system. It was ranked at the top of the anti-cheat pile, followed by Fortnite, which also uses a kernel-level system. Counter-Strike 2, Battlefield 1, and Team Fortress 2 were ranked at the bottom.
The researchers also highlighted weaknesses in Windows protections that allow cheat software to inject itself into the kernel, just like malware does. After the devastating CrowdStrike incident, Windows kernel access has become a hot topic as Microsoft is increasingly looking at ways to help CrowdStrike and other security vendors operate outside of the Windows kernel.
Riot is looking to Microsoft to help secure Valorant further. “Microsoft got a lot more proactive about revoking the certificates for drivers that were malicious,” says Koskinas. “We kind of chase what Windows is willing to do, so if they start requiring virtualization-based security to be on, or hardware-enforced stack protection, or hypervisor code integrity, we will leverage those features that protect Windows for us and just require them to be on and recede from the kernel space.”
Vanguard will soon only start when the game launches, provided you’re using all of the latest Windows 11 security features, instead of being always-on after boot. That should help with some of the privacy concerns, too.
Riot’s focus for anti-cheat is on Windows right now, and there are no plans for Linux support with Valorant or League of Legends. While the Steam Deck supports some anti-cheats, developers like Riot are increasingly shying away from Linux. “You can freely manipulate the kernel, and there’s no user mode calls to attest that it’s even genuine,” says Koskinas. “You could make a Linux distribution that’s purpose-built for cheating and we’d be smoked.”
Respawn just dropped support in Apex Legends, citing similar concerns to Riot about cheating. Epic Games also refuses to support Fortnite on Steam Deck / Linux due to a lack of users. “Imagine if Steam Deck just has the security handled so we know it’s a genuine device, it’s fully attested, all these features are enabled, we’d be like cool, go game, no problem,” says Koskinas.
While Riot seems to be on top of traditional PC cheating, it may have to contend with AI-powered cheating soon. That could come from dedicated hardware like MSI’s monitor that helps you cheat in League of Legends or screen readers that get increasingly complex. Riot is particularly concerned with image reading. “That is where all cheating is heading,” says Koskinas. “We’ve done a lot of research into what human mouse and keyboard input looks like, but it is a concern.”
One possible future could see AI cheats and AI detection battling against each other in a virtual war. “We’re at a disadvantage, honestly. [AI models] can learn what human input looks like,” says Koskinas. Valorant is winning the war right now, but AI could reset the playing field of this ongoing cat-and-mouse game.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25709845/valorantdma.jpg)
Image: Riot Games