After the launch of the Valorant closed beta, players learned more about how Riot’s self-written anti-cheat called Vanguard works. Fears were immediately raised by the fact that it was using the kernel-mode driver – this is the highest privilege level in the user’s system.
In this case, the driver starts with the OS, although it itself is anti-cheat and starts to work only when Valorant is launched. As Paul Chamberlain, the head of Vanguard development explained earlier, this is necessary in order to detect hacker software that was launched before they even entered the game itself.
At the same time, back in early 2020, when Valorant was not even introduced, Riot warned that some of its future games would be protected by a kernel-mode driver.
Then the company explained that using such a driver does not give it any additional features, and if it wanted to steal information, it could do this in user mode. Moreover, Vanguard is far from the first anti-cheat operating at the kernel level.
After the beta started, Riot tried to reassure the players, but some of them still criticized the company – as a result, the security department and anti-cheat developers wrote an appeal with additional explanations.
If the anti-cheat works in user mode, its capabilities will be compromised by a cheat working in a model with a large number of privileges. For example, some of the most advanced hacker communities use direct memory access (DMA) to redirect it to another computer for processing.
Riot reiterated that Vanguard does not collect any information other than that already taken by the anti-cheat solution in League of Legends.
We do not want to know more about you or your device than is necessary to maintain security in your matches. The data that we collect is used for the game itself and for anti-cheat solutions such as Packman (League of Legends) and Valorant (Vanguard).
Vanguard consists of three components: client, driver, and platform. The client is responsible for detecting cheats when the game is running, and in order to detect them, he needs to receive “reports” about the system from the platform.
The client does not consider the device reliable if it does not recognize the installed driver. In this case, you cannot start Valorant. The driver itself is used to check the status of memory, system and client.
Riot noted that its driver received a digital certificate of advanced verification, which, in turn, was signed by Microsoft.
Riot developers and the security department also announced that they are opening an additional section in the vulnerability search rewards program. It has been working through HackerOne for about six years, and during that time the company gave programmers from around the world nearly two million dollars for their help in finding security problems and fixing them.
Riot offers up to 100 thousand dollars to anyone who provides a practical demonstration and a detailed report on a possible vulnerability using the driver from the Vanguard anti-cheat.
At the same time, Riot assured that if a player gets a ban when trying to find a vulnerability, he can contact the company – the ban will be removed.
Players have every right to doubt us and challenge us, but let us say directly – we would not work here if we did not care about the players’ trust and their safety. And we believe that the rest of the people at Riot feel the same way.
We are the same players as you, and we would also not dare to install a program that we do not trust.
If all this does not suit you, it is normal. It will be a pity to see you leave if you like the game itself, but we respect your decision and hope that you find a game that you consider more acceptable to yourself.
Finally, Riot explained that Vanguard should not affect the performance of other games, and now the company is considering individual cases of this kind to solve the problem.