Like a lot of online shooters, Valorant uses anti-cheat technology to help minimize trouble caused by unscrupulous players. It’s called Vanguard, and as described on Riot’s support site, it consists of a client that runs while the game is active, and a kernel mode driver that’s always on. That seems to be making some players nervous: As noted in this Reddit thread, for instance, the kernel driver has full administrator rights in Windows, and the only way to prevent it from loading is to either rename the file or uninstall it entirely.
The idea of a program having that level of access, entirely unknown to the user, sounds potentially risky, and there was some confusion at first about whether it was supposed to be loading up automatically at all. Over the weekend, however, Riot’s anti-cheat lead Paul “RiotArkem” Chamberlain confirmed in the Valorant subreddit that it’s intended to be that way, in order to more effectively foil evasion efforts: Cheaters commonly bypass anti-cheat systems by loading their cheat software first, so having the driver always running “makes this significantly more difficult.”
“We’ve tried to be very careful with the security of the driver. We’ve had multiple external security research teams review it for flaws (we don’t want to accidentally decrease the security of the computer like other anti-cheat drivers have done in the past),” Chamberlain explained. “We’re also following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn’t run unless the game is running).”
The driver does not collect or send any information about your system to Riot, he added, and scans will only run when the game is running. The Riot Vanguard driver can of course be uninstalled from the Add/Remove Programs menu in Windows, but doing so means you won’t be able to play the game.
Riot dove into the details on the kernel driver at leagueoflegends.com—the system being used by Valorant is also headed to LoL at some point. The post is pretty technical, but it breaks down concepts about privilege levels and how cheats work in a clear and accessible manner, and also provides multiple reasons for why gamers, in Riot’s view, don’t need to worry about any of it.
“This isn’t giving us any surveillance capability we didn’t already have. If we cared about grandma’s secret recipe for the perfect Christmas casserole, we’d find no issue in obtaining it strictly from user-mode and then selling it to The Food Network. The purpose of this upgrade is to monitor system state for integrity (so we can trust our data) and to make it harder for cheaters to tamper with our games (so you can’t blame aimbots for personal failure),” the page says.
“This isn’t even news. Several third party anti-cheat systems—like EasyAntiCheat, BattlEye, and Xigncode3—are already utilizing a kernel driver to protect your favorite AAA games. We’re just installing our own sous-chef to the Windows kitchen, so that when we hit em with a ‘where’s the beef,’ we know we’re getting an honest answer.” EAC is used by Fortnite, Apex Legends, and The Division 2. BattlEye is used by Rainbow Six Siege, PUBG, and ARK.
“We think this is an important tool in our fight against cheaters but the important part is that we’re here so that players can have a good experience with Valorant and if our security tools do more harm than good we will remove them (and try something else),” Chamberlain wrote. “For now we think a run-at-boot time driver is the right choice.”
Riot hasn’t announced any specific numbers yet, but the system appears to be working: Chamberlain said on Twitter just after the Valorant closed beta began that cheat bans were already happening.
“Well it sucks, but today we had to ban our first cheater (and it looks like more bans are on the horizon). I was hoping for a little more time before this fight kicked off but we’re in it now and we’re ready.” (April 9, 2020)