How You Can Win Games and Reclaim Taskbar Space

Warning: This article contains a thick, 15-page stew of technical details and deep anti-cheat arcana for which there is no known antidote. Reading is not compulsory, but by continuing, you give unbreakable consent to the egregious usage of technical acronyms, bar charts, and colloquialisms, many of which are only debatably existent and several that are known by the state of New Hampshire to cause audible blinking. If that’s not your bag and you just want to enable On-Demand mode, player support has you covered.


Howdy Partners,

Welcome back to another sesquiennial episode of “Anti-Cheat Tomorrow, Tonight.” Your humble host this evening will be none other than Phillip “mirageofpenguins” Koskinas (literally me), a vaguely human-shaped amalgamation of database and bone that has been stubbornly brewing Riot’s Anti-Cheat elixirs since before the dawn of ban, and I’m here today to talk about a few of the updates coming soon to a taskbar near you. 

Contained within this article will be technical details on Vanguard’s upcoming on-demand mode, historical background on why it’s finally possible, and statistical analysis on the migratory patterns of cheaters, who are now coping with the realization that they might have to aim manually. In a direct subversion of our usual anti-cheat documentary format, we’re going to just cut right into the meat of this turkey, but if you stick around after a few words from our sponsors, you’ll be treated to the usual hard-hitting, 280-minute runtime, comprised primarily of monologue, flashbacks, and beat poetry. 

Let’s dance.
 


Vanguard Pre-Check 

Starting later today, the universally beloved anti-cheat product, Vanguard, will begin to support on-demand sessions from all sufficiently secured PC devices. “On-demand” here means that Vanguard’s driver component will no longer launch when the system starts, but “secured” indicates that this will be possible only if that system’s hardware has met a set of modern security requirements. By opting into pre-boot security mechanisms and Windows’ own native protection features, Vanguard can safely end its watch, and your taskbar can have 256 of its pixels back.

This set of security requirements is known as “Vanguard Pre-Check,” a name we most certainly did not pick solely for the opportunity to make passenger airline jokes, and the features themselves are designed by members of the PC industry to do natively some of the things that Vanguard only does recreationally. So, once all the settings have been correctly enabled, Vanguard has less surface to cover, and because cheaters would sooner voluntarily install ransomware than secure their own operating system, we can use the energy spared to refocus the cheat beam on the most deserving cohort.

What Do I Need to Do?

Nothing. This is all 100% optional, and you only need to do anything if you’d like to enable on-demand mode, which will allow Vanguard to launch when the game does and remain running only while you’re playing a Riot title. If you would instead prefer that Vanguard continue its omnipresence, you can safely choose inaction, and we also can get matching Vanguard neck tattoos when your schedule next opens up. However, assuming this is not the case, and you would prefer a more tailored anti-cheat experience, you can break my heart by following the steps below.

For starters, if your machine is relatively new, you’re probably in a “secured core” state, and if so, you’d be among the 35% of players that already satisfy Vanguard’s Pre-Check requirements. The button to switch Vanguard into on-demand mode will appear with your very next update, and as cool as you definitely thought the icon was, you will no longer have to see it in your system tray, unless you’re actively playing a Riot title. 

But if you’re in the remaining 65% of players, allow me to direct your attention to our new Vanguard boarding process, designed to identify the security settings required for Pre-Check and guide each passenger tenderly through finding their seat and fastening the seatbelt. 
 

New Vanguard boarding process
Intelligently redesigned in stunning 4K resolution, VGTray is a faster, sleeker, and greener on-boarding experience for the modern ecosystem. VGTray helps identify which settings are still needed and vanishes entirely once its mission is complete.


Now, I know what you’re thinking: You didn’t order the alphabet soup, and frankly, Vanguard handles more like a steakhouse than a bistro. But unfortunately, this sinful glut of acronyms has somehow become the industry standard, so thankfully, clicking any one of them in Vanguard’s tray application will route to its corresponding support article, which includes links to manufacturer documentation on how to enable it. Each of these security features improves the operating system’s ability to defend itself, so if they’re all on and functional, Vanguard doesn’t have to sit around to monitor system integrity anymore. 

That said, most of them are UEFI settings that Vanguard physically cannot change, and they have to be enabled manually by the user. As a point of order, “UEFI” stands for Unified Extensible Firmware Interface, the architecture that technically replaced legacy “BIOS” (Basic Input/Output System) over a decade ago. Don’t worry, you can still safely use these two interchangeably in most circles, and if anyone pedantically corrects you, you can also safely stop being their friend. However, the reason I bring this up now, is because some systems will need BIOS changes in order to pass Vanguard Pre-Check, which as a reminder, is still totally optional.

Vanguard Precheck logo
Attention passengers, this is your captain speaking. We’re uhhhhh about 40 minutes from entering highly-competitive airspace, please return your TPM to the “On” position and uhhhhhhh make sure your Boot is Secured.


Navigating BIOS can be kinda tricky, ranging anywhere from intimidating to incomprehensible, with menus, submenus, and even the letters themselves varying wildly between vendors. As such, it’s very easy to make mistakes, so do not attempt any changes without first consulting your vendor’s documentation. Your motherboard’s manufacturer will always be the best pharmacy, but the links to our generic prescriptions below can help get you started. If you’re particularly interested in the technology behind hardware-backed security, just keep on reading, because we’re gonna get real deep into what all these vowels actually mean, later in this very publication. 

Most new machines today are already tested and shipped with these settings enabled by default, so this Vanguard update is only an optional incentive for those that wish to take advantage of it right now. If that isn’t something you want to do, don’t sweat it. We are happy to adapt our anti-cheat’s strategy to the baseline security of the environment it's defending, and we are even happier to offer an on-demand option to those that would prefer to let Windows do the defending itself. The power is yours, because just in case I hadn’t mentioned this yet, Vanguard Pre-Check is not mandatory, it is optional.

But why is On-Demand (Optional) only possible now? That is an excellent question that I’m so glad someone typed into the article that I’m typing, and to understand why, we have to understand cheaters themselves. Smashcut.

INTERIOR. MOM’S HOUSE (BASEMENT) - NIGHT

In competitive games, there are really only three paths available for ranking up: you can be good, you can get good, or you can cheat. Now, while I’m sure that first one has definitely happened to someone who is not me, I have not personally experienced it, so for simplicity’s sake, let’s say there are two paths available. One of them requires sweat, practice, and recognition of growth opportunities, but the other requires only mom’s Amex and a basement from which to utilize it.

Obviously, being that the former is more interesting as a sport and more economically viable as a form of entertainment, it probably wouldn’t surprise any curious reader to find that the hit indie game studio, Riot Games, long-ago elected to officially support only “Getting Good” as the competitive mechanism found in every single one of our titles. Because if a game is just a set of rules that its players choose to abide by, then it couldn’t possibly be considered a display of cunning to simply not abide by them.
 

Modern cheater screenplay
The machiavellian strategies of a modern cheater, adapted for the cinematic medium.


So, to protect the hard work of all the players that were willing to get good, it was necessary that Riot match their investment of time with an over-investment in anti-cheat technology (emphasis on over). That technology has changed substantially through the years, and in order to calculate where the anti-cheat is going, we first have to know where it isn’t.

Cheat History 4000 Level

Almost two decades ago, it was relatively easy for cheaters to simply patch the memory of a running game client and see it straight up rebroadcast any of those modifications directly to the server, amusingly then becoming an unmitigated spectacle for any other connected player. Thankfully though, the categorically surgical efforts of game engine architects and the sorta anxious, well-meaning energy of anti-cheat developers, have for the most part, since made “user-mode” methods of cheating obsolete, and almost all games today come pre-built with defenses hardened to the cheats of old. For example:

  • To slow the speed at which cheat developers can disassemble, understand, and instrument each game client, many competitive titles also make use of client-sided obfuscation to hinder attackers from too easily deciphering their routines. 
     

  • Studios now utilize game engines with authoritative, fully-simulated servers that absolutely reject “nonsense” data from their connected clients, meaning you’d rarely see “exploits” like godmodes, infinite ammo, teleporting, or say, turning into a horse, because the server should never “believe” these requests to be physically possible, unless the game you're playing is Pretty Derby, in which case, the only true exploit would be successfully explaining it to my dad. 
     

  • Most multiplayer games also have detections for third party tools that might try to tamper with the running process, looking for local anomalies, like libraries in their application that shouldn’t be there or modifications to assets on disk that would break the game.

Fortunately, these defaults are no less true for Riot, and we would consider ourselves fairly well-defended against under-sophisticated “internal” cheating methods, which are used today only by those that are addicted to bans. So for the last 5 years, the fast-favorite methods for a competitive edge in our competitive games have been “kernel-level” cheating, Direct Memory Access abuse (DMA), and computer vision cheats (pixelbots). 
 

PC Ranked Matches Infected by Vector
Gaze upon this analysis, and let the data flow through you. Do you hear it? The siren call of a purpose recognized by yourself as a mighty one? Then, consider a glance at our careers page. The cheater is the student, you are the teacher, and Vanguard is your instrument. Learning cannot begin until their spirit is broken.


Today, cheaters infect about 0.7% of all PC ranked matches across both LoL and VALORANT, and the above image of what appears to be overcooked lasagna is actually a stacked percentage area graph of these games, broken down by the vector the cheater was utilizing at the time of their inevitable ban. Every ranked game infected is considered in the numerator for that cheat class, and it’s broken down as a percentage of all infected matches that week. Think of it as a pie chart moving through the medium that you perceive as time, and 30% of that pie would be 30% of all games played with a cheater.

  • “Tampering” indicates that the account was detected in possession of a corrupted anti-cheat session, so corrupted in fact, that we hadn’t a glimmer of hope in classifying the abuse as any particular type of cheating other than “banned.” Most often, this is triggered by cheaters trying to bypass their hardware suspensions (“hardware”) or play without meeting Vanguard’s security requirements (“bypass”). Neither is doctor-recommended.
     

  • “DMA” refers to a type of cheating that utilizes purpose-built hardware to physically scan device memory, usually for wallhacking. It is not super valuable on LoL, because there is limited extra information available to the game client. We’ll actually get more into this type of cheating if you’re brave enough to keep reading.
     

  • A “pixelbot” is a computer vision cheat that injects player input for the purposes of aiming at heads or casting spells with perfect timing. Coming in “external” (hardware microcontroller) and “internal” (python script) varieties, pixelbots can be extremely impactful in VALORANT due to the low time-to-kill, sometimes just simply pulling the trigger for the cheater when an enemy enters their reticle (also known as a “triggerbot”). 
     

  • “Pre-OS” cheaters exploit firmware vulnerabilities to get their cheats into Windows before it fully loads (bootkits). They enjoy greater popularity on League, because unlike VALORANT, LoL does not require SecureBoot for Windows 11 players. But you would be correct to conclude that this is a contributing factor as to why SecureBoot is a universal requirement for Vanguard Pre-Check.
     

  • “Behavioral” is our server-sided cheat detection for VALORANT, which mostly just instantaneously deletes the accounts of ragehackers, so that they may take their tantrums offline for a 1 on 1 with their parents. Because it exclusively utilizes in-game performance data, it’s not always possible to classify the infected matches as any particular type of cheat, and for this reason, “behavioral” appears separately.
     

  • And the remainder are traditional, god-forsaken “cheats,” here rendered in a deeply insecure yellow and a morally bankrupt gold. Yellow represents an “internal” cheat, or one that makes use of a legitimate-looking library to manipulate game memory, and gold indicates a “kernel” cheat, or one that leverages a kernel vulnerability to have their unsigned code run at the operating system’s level.

As one could hopefully taste from this rainbow, internal cheats haven’t really managed to demonstrate market viability in a few dozen financial quarters, and 9 out of 9 analysts currently recommend the underlying asset as a strong sell. Developers providing cheats that simply load a library into the game client would find it either outright prevented under Vanguard or quickly detected, resulting in few returning customers and ultimately less than ~10% of the overall infected matches on Riot’s PC titles. 

Because DMA and pixelbots both typically require extra hardware, kernel-level cheating continues to be the most popular way to pluck the cheat goose. 

Kernel Level Cheating

At its core, kernel-mode cheating leverages any one of several vulnerabilities to load some or all of a cheat’s components into the operating system directly. By getting their code into the kernel and placing hooks on its functions for memory management, cheaters can bypass process protections and successfully masquerade as “clean” to any application in user-mode, including any non-kernel anti-cheat. After all, if Windows itself is the cheat, how would you know as but a humble process under it? 
 

Kernel Cheat
You know what they say, when one door closes, another one opens. But why even use the door when you can become the house and turn all the walls into glass?


The regrettable answer is that you can’t, and while Windows might not make it easy, cheaters are more than willing to disable every single one of its security features (the same features we now require for Vanguard Pre-Check), and hop directly onto some guy’s botnet solely for the ability to see through walls. A cheat driver intercepts any request a user-mode anti-cheat may make to the kernel, completely blinding it, and this is why most competitive games also install a driver anti-cheat component—they’re trying to level the playing field. 

For the record, I know that was an em dash, but don’t panic. You can actually use up to 3 of them per day before your consciousness is converted into training data.

So What Kernel Vulnerabilities do Cheaters Use?

That is a great question that inspires further questions. The first of which being, are you a cop?

But assuming this is not a sting operation and is in fact still an anti-cheat article, we will proceed purely for research purposes. The following will be a glance at some of the ways an aspiring cheat developer might break into the Windows kernel with the intention of beating an anti-cheat. It will go from coughing baby to congested toddler in difficulty, and here you’ll notice I explicitly did not use the word “hard.” This is because it’s not actually all that difficult to do, so there’s never really any need to be impressed when a cheater does it.

1. Buy (or Steal) an EV Certificate

For starters, a cheat developer could just shell out the cash (~$600 a year plus shipping) to buy an Extended Validation code signing certificate from a trusted authority. Once they have it, they can sign their own cheat driver and load it right up, no questions asked. But there are two glaring problems with this Hindenburg of product strategies.

  • The first is that trusted authorities require identity verification, including address validation and articles of incorporation for your business. Cheaters naturally don’t want any of that to be public record, so they usually must steal the identity of an unsuspecting relative.
     

  • And secondly, it’s about as undetectable as a running microwave under a gauss meter. The cert will be exposed to any anti-cheat product downstream, beaming any customers instantly and forcing the cheater to find another unsuspecting relative and another $600.

It probably doesn’t need to be said that this is our favorite form of bypassing kernel protections, primarily because it bypasses nothing. Please picture their tears as a ripened cherry, and me as a banana split with everything but.

2. Bring Your Own Vulnerable Driver (BYOVD)

All modern versions of Windows generally require DSE (Driver Signature Enforcement) to be enabled for any of their own drivers, and that means you can’t load critical components of the OS without it. But if DSE is enabled, you can’t run unsigned drivers. That’s a real kick in the pants, so cheaters have gotten into the fascinating hobby of leveraging exploits within the properly signed device drivers of inattentive or inactive peripheral vendors to get their code into the kernel. 

When exploits like this are discovered, it’s often the case that the vendor will just revoke the certificate and issue an update, but if you’ve got a favorite backlit keyboard from a now-defunct manufacturer, it’s very unlikely that they’d ever manage to resurrect themselves long enough to build and sign a new version, meaning you’d have to give up the device entirely if the driver’s certificate was revoked. Thus, there are literally hundreds of them at the disposal of cheaters, many of which Microsoft can’t absolutely block without substantial customer impact.

3. Direct Memory Access

DMA cheaters use a slotted piece of PCIe hardware to access physical memory directly, without going through the CPU (Direct Memory Access). It doesn’t technically “break” kernel space, and DMA is not so much an “exploit” as it is “archaic functionality that no one has been particularly jazzed about since printer paper was perforated.” But by buying a purpose-built DMA card, a cheater can exfiltrate entire pages of physical memory to a second PC, scanning those pages for “fun” little easter eggs, like the entire enemy team’s current positions. If the game they’re doing it on is a fast-paced tactical shooter, where the server-sided Fog of War cannot be 100% opaque, cheaters can use this revolting technique to gain a substantial information advantage.

Cheating with DMA has been around for a long time, and while it’s easy to straight up disable the cards, there are some legitimate use cases for them, like printers, sound cards, and wifi adapters, creating a cute little surface for cheaters to exploit. As the arms race has evolved, the hardware necessary for DMA has evolved also, and it’s now become one of the world’s most expensive hobbies.

4. The Lazy Cheater’s Bootkit

What if, hypothetically speaking, a cheater was also willing to grant completely unrestricted access of their system to a cheat developer and then categorically expose themselves to any subsequent malware seeking to do the same? Well great news, they have a product for that. First, an aspiring cheater has the daunting task of copying someone else’s bootkit onto a thumbdrive and selecting that as the bootable ESP (EFI System Partition), and you’d be correct to assume this doesn’t always go according to plan.
 

Boot Manager
This method substantially undercuts a cheat developer’s total addressable market. Not from any real pause over the idea of being completely backdoored for the low price of $300, but from how many potential users will somehow brick themselves on the first go. Just imagine the customer support overtime. “Press 1 if your PC is currently bootable, Press 2 to hang up.”


But if they succeed, this malware then hijacks the bootloader on system start to load into a modified version of the Windows Boot Manager. Remember, Windows can’t be in system memory when the PC is off—it’s just sitting on disk. So, as ntoskrnl.exe is being pulled into RAM, the bootkit intercepts it, patching all the fun stuff that Windows uses to protect itself, and of course, anything else the cheat developer felt like. For example, it might disable PatchGuard and DSE, allowing unsigned cheat drivers to load, or it might also paste in a time bomb of ransomware for a gas. Who knows? You don’t. But now you’re cheatin’ with portals.

5. Hypervisin’ with a Hypervisor

A hypervisor middlemans an operating system and the device it's running on, essentially becoming a broker of sorts for all physical requests to the underlying hardware. The OS, or even multiple instances of OSes (say it, I command you), become virtual machines (VMs or “guests”), and the hypervisor allocates CPU, GPU, or RAM resources to them as it sees fit. The problem here is that a middleman sitting between hardware and a guest operating system is also a divine way to modify its memory from the “outside,” invisible to the anti-cheat on the “inside.” So, by putting the whole of the operating system in a VM, cheat developers can play God, and their customers can play pretend that they’re good at the game. 

Luckily, it’s extremely difficult to load in Hyper-V without it being apparent to the anti-cheat that it’s running in Hyper-V.

6. The Forbidden, Ultimate Hack

Alternatively, you could download and run kernel.exe to receive kernel access. 

So anyways, Riot was forced to get a little creative on methods that could defend Windows from cheaters that were too keen on breaking it, and you might know this creativity by its more formidable name: "Vanguard."


Enter Sandvan

Vanguard is Riot’s answer to the kernel-cheating cultural phenomenon. We definitely weren’t the first studio to use an anti-cheat driver, but by building one ourselves, we gained two distinct advantages. The first is that we could leverage the driver to restrict user-mode access to the game client, turning it into a protected process and immediately jettisoning one entire subclass of cheat directly into the stratosphere (“internals”). But the second, and most important, is that we would actually have both hands at our disposal and a fighting chance at detecting when a kernel vulnerability had been leveraged for cheating.

Like all kernel anti-cheat products, Vanguard has been known to raise eyebrows, because who in their right mind would be thrilled at the idea of installing mandatory software solely because cheaters can’t play fair? The answer will not surprise you, because it is exactly 0.1 people, and statisticians actually suspect that the tenth of a person is a rounding error. 

Running on System Start

So, if we were going to go through the friction of asking players to install a driver, we were going to make sure it was a useful one, and unique to Vanguard, the driver component starts when the system does, affording Riot a higher likelihood of knowing when kernel space has been broken by any assortment of the above exploits. If Vanguard didn’t do this, a vulnerable driver could simply run before the game did, map in a sophisticated cheat, and then completely unload itself, hiding indefinitely from anything that might load after.

Often called the “Who Loads First?” problem, Vanguard’s driver solves for this, without any connectivity to any server, by just maintaining its own local blocklist, containing the vulnerable drivers most favored by cheaters. If one of them should ever appear, then we know the system is entering an insecure state, and Vanguard unloads. So, if Vanguard’s still there by the time the game actually launches, then we know the perimeter was sustained. By starting earlier and permitting no interruptions in its continuity, Vanguard functions as a sort of trust chain, ensuring that a vulnerability has not been utilized before the game launched.
 

Accounts Banned vs Cheat Assets
Seriously, don’t ask AI to make a VALORANT triggerbot. You will spend more tokens making it than Vanguard will spend banning you. I cannot stress enough how sad the agent subscription -> valorant ban pipeline is. Please don’t make me do it. Every time I swing the hammer, a piece of it swings back.


Our strategy of focusing more agnostically on system security has enabled Vanguard to keep pace with cheaters in the agentic age. Above is a look at our monthly bans for internal and kernel cheats on both LoL and VALORANT. Bans are in blue on the left axis (in thousands), and the average number of daily assets identified are in red on the right axis (in singles). It’s worth mentioning that bans for local python colorbots (AI’s favorite thing to make for VALORANT), are not represented here, because frankly, there are too many of them and they are too dumb to be worth counting.

Anyways, while the cheating ecosystem is clearly suffering some agent-powered fragmentation (just like software itself), we’re happy to continue helping all the disruptors find market fit in the bans-as-a-service sector. As the barrier to entry on cheats is slowly lowered to anyone with a coding agent subscription, we are seeing more cheating assets than ever before (many even unique to individual users), but by focusing on detecting the ways they get their code into the kernel, instead of on hunting individual cheats, we are able to keep our tripwires tightened and stay alert to their slop. 

Unfortunately, up until now, maintaining those tripwires has required that Vanguard start when the system does, but thankfully …

Old and New PC Development

The good news is that Microsoft and PC equipment manufacturers have long-recognized the need for cryptographic verification of boot processes and of the kernel, so they’ve been cookin’ up heat for quite some time. The resulting oven-fresh security features require newer hardware components and newer versions of Windows, but through the power of collaboration and the combined might of our wills, we’ve worked directly with the inestimable XBOX OS Security Team at Microsoft to see improvements made natively to the Windows kernel that have finally afforded us the opportunity to offer an on-demand mode within the Vanguard product. 

Runtime Driver Attestation

If you’re with me so far, you’ve probably got the gist that vulnerable drivers are not good for competitive video games. Actually, they’re not really good for anything, unless what you want them to be good for is installing malware. Damn near a third of Vanguard’s functionality is built around policing vulnerable drivers, and that’s made all the more inconvenient by our not wanting to also impact the players that innocently use them. Up until now, doing this job has necessitated that some percentage of the anti-cheat service stay on high alert, just to make sure that nothing broke kernel space.

But now, our friends at Microsoft have lovingly implemented the Runtime Driver Attestation Report. Andrea really gets into the sauce here, but the result is a core functionality that allows anti-cheats to obtain a list of all the device drivers that have entered the game, even if said anti-cheat wasn’t running to see them do it. The service achieves this by measuring every on-demand driver into the Trusted Platform Module (an on-board cryptoprocessor), similar to the way the Windows Boot Manager already does for all of its boot-start drivers. 

You can think of this as a sort of continual, cumulative hash of all drivers that have been loaded since boot, and because this hash can only ever be extended, it’s impossible to modify without breaking the chain of trust and outright corrupting the data. Containing only the driver’s name and its hash, this service results in a secure, PII-free way for Vanguard to know if a vulnerable driver has been utilized without having to be there at all. 
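The extend-only "cumulative hash" described above, together with the local blocklist check from the "Who Loads First?" passage, sketched in Python as an added example (it is not Riot's or Microsoft's code). The log entry format, the driver names, the constructed driver images and the `SimulatedPlatform` class are all assumptions for illustration, and the signature a real TPM places over a quoted register value is left out.

```python
import hashlib
import hmac

REGISTER_SIZE = 32  # width of a SHA-256 measurement register


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || measurement). There is no 'set'."""
    return hashlib.sha256(register + measurement).digest()


def log_entry(name: str, image: bytes) -> dict:
    """A log entry carries only the driver's name and the hash of its image."""
    return {"name": name, "sha256": hashlib.sha256(image).hexdigest()}


def entry_digest(entry: dict) -> bytes:
    """The value extended into the register for one entry (assumed encoding)."""
    return hashlib.sha256(f"{entry['name']}|{entry['sha256']}".encode()).digest()


class SimulatedPlatform:
    """Stands in for the OS plus TPM: every driver load is logged and measured."""

    def __init__(self):
        self.register = bytes(REGISTER_SIZE)  # all zeroes at boot
        self.log = []

    def load_driver(self, name: str, image: bytes) -> None:
        entry = log_entry(name, image)
        self.log.append(entry)
        self.register = extend(self.register, entry_digest(entry))


def verify_report(log, quoted_register, blocklist):
    """Replay the log from zero and compare with the register value.

    Returns (log_is_intact, names_of_blocklisted_drivers). A verifier that
    started after the drivers loaded can still run this, because the register
    accumulated every load in order. A real verifier would first check the
    TPM's signature over quoted_register; that step is omitted here.
    """
    register = bytes(REGISTER_SIZE)
    for entry in log:
        register = extend(register, entry_digest(entry))
    intact = hmac.compare_digest(register, quoted_register)
    flagged = [e["name"] for e in log if e["sha256"] in blocklist]
    return intact, flagged


# Constructed sample driver images and a constructed one-entry blocklist.
GOOD_A = b"constructed image: storage driver"
GOOD_B = b"constructed image: audio driver"
VULN = b"constructed image: signed but exploitable driver"
BLOCKLIST = {hashlib.sha256(VULN).hexdigest()}


def demo():
    platform = SimulatedPlatform()
    platform.load_driver("storage.sys", GOOD_A)
    platform.load_driver("oldrgb.sys", VULN)   # loads before any verifier runs
    platform.load_driver("audio.sys", GOOD_B)

    # The verifier starts only now and reads the full log plus the register.
    honest = verify_report(platform.log, platform.register, BLOCKLIST)

    # A log with the blocklisted entry removed no longer replays to the
    # register value, so the omission is detected even though nothing is flagged.
    scrubbed = [e for e in platform.log if e["name"] != "oldrgb.sys"]
    hidden = verify_report(scrubbed, platform.register, BLOCKLIST)
    return honest, hidden


if __name__ == "__main__":
    print(demo())
```
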

Windows Version Minimum

To utilize Vanguard Pre-Check, you will need to be on at least Windows 11 25H2. This is mostly because the driver attestation report was only initially added in this version, but it’s also because, due to the natural progression of security, it gets more convenient to cheat the older your operating system is. Cheating isn’t so different from malware, and the techniques adapt to the lowest level necessitated by the environment.
 

Operating System by Cheaters
You’ll notice that even though the right graph is representative of a whole population and could’ve easily been a pie chart, it still isn’t one. This is because I am a good statistician, and I would never subject a paying customer to a pie chart.


Above on the left is the percentage of all players on an operating system that were detected for cheating in the last 90 days. The operating system versions have been organized from most recent to least recent, and what you might gather from allowing photons to bounce off of the screen and into your retinas is that cheaters seem to have developed a taste for antique Windows kernels. It would be only wishful to believe that this preference is simply the result of their being more fashionable, so it is instead the case that cheaters are deliberately downgrading their OS to take full advantage of missing software features or security vulnerabilities.

Windows 10 lacks some of the APIs that Vanguard leverages to scrutinize the communications of device drivers, and as it moves further past its end-of-life, Windows 10 is also now exposed to exploits that make it easier to gain access to game memory. So, when a particular cheater is really into wallhacking, they just downgrade into the bronze age and bring a tactical nuke to a club fight, but as you may also be able to glean from our having been able to detect them anyway, we swung the club very hard.

Hardware-Backed Security

That said, just having an up-to-date operating system is not enough. Thanks to the raw number of cheat vectors today that have external or pre-OS origins, we also must take advantage of the security assurances offered by newer physical components on modern PCs to create a “root of trust” in the system as it boots. By leveraging these purpose-built pieces of hardware, like the Trusted Platform Module (TPM) or the Input Output Memory Management Unit (IOMMU), we can make it more difficult for attackers to compromise the security of the operating system, which in turn makes it more difficult for them to get their filthy little meathooks into the game client.

Below are all the other settings that will need to be enabled in order to take advantage of Vanguard Pre-Check, accompanied also by all the other reasons we’re so into having them. This is gonna get moderately technical again, but stay with me, and we’ll plow through it with all the subtlety of a grand piano sliding down a spiral staircase. 

1. Secure Boot

Secure Boot is a feature collaboratively built by members of the PC industry, and its primary responsibility is verifying the Windows bootloader, preventing bootkits that would corrupt the operating system as it is being loaded from disk (see the earlier edutainment). It does this verification via a simple check of the bootloader’s signature, using a set of public keys embedded by the motherboard manufacturer into the UEFI firmware, and because cheaters do not have access to the private keys literally owned by Microsoft, they can’t sign a malicious version of the bootloader themselves.
 

Wetware Attestation
Listen, let’s just all agree to stop cheating. The world is not ready to hear my pitch for wetware attestation. Coming soon to a central nervous system inside you, from the makers of the world’s most-discussed anti-cheat, we're delighted to announce: ManGuard. You loved it in your Kernel, and you’re gonna love it in your Dreams, literally.


Cheaters are not Secure Boot enjoyers, because by turning it on, they lose access to one of the more convenient ways to bypass Driver Signing Enforcement and PatchGuard, meaning they can’t load their unsigned malware. In tandem with driver attestation, this dramatically reduces the kernel surface that Vanguard need be wary of.

2. Trusted Platform Module 2.0

The TPM 2.0 chip is a secure cryptoprocessor embedded on a PC’s motherboard (dTPM) or integrated into the CPU’s firmware (fTPM), for which the primary function is generation, storage, and retrieval of cryptographic keys. It operates with 100% logical independence from the device’s processor and RAM, meaning the keys are not directly exposed to the operating system or any software running on it. So, if you’re an anti-cheat developer, this immutable secret store is the equivalent of a digital one-way mirror, and if you’re an aspiring cheater, you can do only the equivalent of pressing your face against the glass.

The TPM is a necessary requirement for the very same driver attestation service we’ve championed above, but more importantly, it also works beautifully as a non-fungible form of hardware identity. A TPM’s Endorsement Key is physically burned into its non-volatile memory at the factory, so if we were to decide to ban this key on sight, any cheater hoping to bypass that ban would need to physically remove and replace their banned chip, or even more amusingly, replace the entire CPU, just to avoid re-detection. For the purposes of satisfying Vanguard Pre-Check, either discrete or firmware TPMs are considered sufficient, but if an account is restricted, only an fTPM will do. 

Vanguard Restrictions are placed on accounts that are too “botty,” “cheaty,” or “speedy,” necessitating that they meet certain hardware requirements in order to continue further into the competitive ecosystem. It’s a lot like saying “we literally dare you to enable your fTPM,” and perhaps unsurprisingly, most cheaters find themselves unwilling to do that, resulting in their immediately abandoning the account they’ve clearly stolen. That said, we can only allow fTPMs to satisfy this requirement, because discrete TPMs are often not even soldered to the motherboard anymore, and we think a hardware ban bypass should cost more than $5 and the 10 minutes it takes to pop in a new one. 

3. IOMMU

The Input-Output Memory Management Unit is a piece of hardware that acts as a firewall between PCIe devices and system memory. Without one, when a DMA request is made from a $6000 cheating peripheral, it is directly asking the memory controller for a raw, physical address in RAM, and this creates an unmitigated disaster of access policy violations where any cheater can undetectably browse the game client’s memory for anything they might be interested in, which is exactly what a radar cheat does.

But once the IOMMU enters the game, those devices are no longer allowed to access physical RAM directly, and instead, they must use only virtual addresses over the unit itself, which relies upon a translation table to get the real, physical one. This gives us the opportunity to mark game memory as unreadable, forcing the translation process to throw a hardware fault, and forcing the cheater to stare into their reflection on a black computer monitor when they try to cheat in our games.

Proper enforcement of IOMMU requires that the device’s corresponding DMA driver have support for memory remapping, and like many examples in this article, there are a few exasperating devices that are still used by a good percentage of players but do not yet have the necessary support. This leaves some annoying gaps in its protections that we must deal with, but rest assured that we are dealing with them. For the last year, we’ve been surgically placing full IOMMU restrictions onto high-ranked VALORANT cheaters that are abusing DMA, immediately rendering their wallet useless.

IOMM me?
 

No IMMOU
Listen, I’m truly very sorry that this joke had to happen this way.


While I have you here, it’s worth mentioning that you could also read about how Riot once detected a pre-boot DMA vulnerability within all major motherboard manufacturers. When it comes to actually chipping away at DMA’s surface area, the name of the game is Vigilance, the name of the product is Vanguard, and the name of the game is actually VALORANT.

4. VBS and HVCI

And finally, we have Virtualization-based Security. VBS uses hardware virtualization to create an isolated, secure memory enclave, which then effectively operates at a higher privilege level (Ring -1) than even the OS itself (Ring 0). A convenient “feature” of our requiring VBS is that enabling it also activates Microsoft’s enforcement of its own Vulnerable Driver Blocklist, which does exactly what it says on the tin—it blocks a massive list of known-vulnerable drivers from ever running to begin with, mandating instead that they be updated or uninstalled. Anti-cheat teams are into that, because of all sentences in this article up until this point. 

Within VBS, quite a few security processes are executed that verify operating system integrity at runtime, but the one we are most interested in is HVCI. Hypervisor-Enforced Code Integrity continually polices the status of all kernel-mode memory pages by verifying them cryptographically before they’re allowed to execute, effectively preventing almost all forms of unauthorized code execution (like rogue cheat drivers). You can think of VBS as the bench, HVCI as the judge, the Kernel as the witness, and the cheater as a defendant attempting the “sovereign citizen” gambit for a traffic violation.
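To see where a given machine stands on the four settings above, here is a read-only PowerShell audit to run from an elevated prompt. It is an added example, not Riot's or Vanguard's own check: the function name `Get-PreCheckReadiness` and the way the results are rolled up are assumptions, and it reports only what Windows itself exposes.

```powershell
# Added example: read-only audit of the four settings discussed above.
# Run from an elevated PowerShell prompt; it changes nothing on the system.
# Get-PreCheckReadiness is a hypothetical helper name, and how Vanguard itself
# evaluates these features is not described here, so the roll-up is an assumption.
function Get-PreCheckReadiness {
    $r = [ordered]@{}

    # 1. Secure Boot. The cmdlet throws on legacy BIOS/CSM boots; report that as off.
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r.SecureBoot = $false }

    # 2. TPM 2.0. SpecVersion reads like "2.0, 0, 1.59"; the first field is the family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r.Tpm20 = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and
        (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0'))
    # Vendor ID only; this script does not try to tell a dTPM from an fTPM.
    $r.TpmVendor = if ($tpm) { $tpm.ManufacturerIdTxt } else { $null }

    # 3 and 4. Windows reports IOMMU, VBS and HVCI state through Win32_DeviceGuard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # AvailableSecurityProperties value 3 = DMA protection (IOMMU) is available.
    $r.DmaProtectionAvailable = [bool]($dg.AvailableSecurityProperties -contains 3)
    # VirtualizationBasedSecurityStatus 2 = VBS is enabled and running.
    $r.VbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning value 2 = memory integrity (HVCI) is running.
    $r.HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # Assumed roll-up: every feature on the page must be on.
    $r.AllFeaturesOn = $r.SecureBoot -and $r.Tpm20 -and
        $r.DmaProtectionAvailable -and $r.VbsRunning -and $r.HvciRunning
    [pscustomobject]$r
}

Get-PreCheckReadiness | Format-List
```

A `False` on any line points at the firmware or Windows setting to revisit; a missing `Win32_DeviceGuard` class or TPM instance is reported as `False` rather than as an error.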

Anything Else?

No, that’s it, and don’t worry, I would never be insulted by a good sigh of relief. This can be a lot to process, but you don’t need to do it alone. Remember, cheaters are lazy by definition, so every security burden we bear as a community is one more thing they might be unwilling or unable to do.

Security cannot be perfect, for if we had perfect security, then we would have no liberty. It is necessary that we strike the right balance, but even if perfect security is unobtainable, that does not mean we will simply give up. The existence of lockpicks does not mean we should not put locks on doors, and just as locks on doors increase the cost of burglary, every hardware feature we require increases the cost of cheating.
 

All Players by Hardware Feature Status
Fun fact, we’re down to only about 3% of weekly players in Riot Regions that do not have the hardware to support these changes, but that’s okay, we’re not making anyone change anything. We’re willing to wait until the ecosystem matures.


Above is our final stacked area chart of the evening, featuring the percentage of weekly players that fall into the three Pre-Check categories: not supported, supported but not secured, and secured. The first (in red) are players using devices that totally lack one or more of the features discussed in this article, meaning they would be unable to completely satisfy the Pre-Check requirements without upgrading their hardware, and the last (in green) are players on devices with all the requirements already satisfied. Everyone else is listed as “supported but not secured,” indicating that they should be able to unlock Pre-Check at their discretion.

Ultimately, the number of players currently on machines that are fully secured is around 34.33% (repeating), and that figure is still growing by about 1-2% per month. While we will see it level off eventually, every single percent of players we put in this bucket is one percent of our resources that we can reallocate to the next scourge of these seven seas: damn pixelbots. 

…but, we’ll save that story for another time.

The Future

They started playing the music about 4 pages ago, so I’ll be my version of brief, which is 3 paragraphs in MLA format. 

Vanguard Pre-Check is essentially our way of doing proactive, voluntary trust segmentation for real players and genuine hardware. You see, as the barrier to botting gets lower and lower with each subsequent “AI” model, we must inversely increase the barriers to get into the competition. While it might seem like it would be an interesting spectacle to see an AI play League of Legends or to see a mechanical arm play VALORANT, we already know that scripts can perform inhumanly well, because that’s exactly what cheating has become. 

Aimbots and scripts eliminate the skill-based elements from the determination of a victory, cheapening the practice, the trophy, and the sport itself. We don’t have chess engines in tournaments, we don’t use pitching machines in the World Series, and we don’t put motorbikes in the 100m dash. The point of human competition is to compete against other, imperfect humans, and our imperfections are exactly what makes it a sport. While we may eventually spectate the bot olympics, the human olympics would still be a separate event, and we’d likely never combine them for obvious reasons, not least of which would be cleaning up after men’s wrestling.  

Ultimately, for competitive online spaces to persevere, it is necessary that we be able to trust the endpoints that the games are played on, so as it evolves, you can start to think of Pre-Check as a “proof-of-life” layer for gaming. That said, friction is not fun, and we prefer incentives to requirements. For that reason, our trust segmentation will be surgical, and while we might add more checks to Pre-Check in the future, we plan on keeping things optional until you’re in the most competitive segments, on the strangest devices, or amongst the highest ranks.

Anyways, my name was Phillip Koskinas, and it has been 12 years, 6 months, and 28 days since I last cheated in a competitive video game. Thanks for being you, thanks for reading all 7060 words of this novel, and thanks for playing fair this last decade.