Nov 05, 2024

Valorant is successfully combating the issue of cheating within the realm of PC gaming.

Riot Games' commitment to its Vanguard system is yielding positive results.


Multiplayer gaming on PC faced significant challenges in 2020. Developers encountered difficulties in addressing rampant cheating as an increasing number of individuals engaged in gaming at home during the COVID-19 lockdowns. Titles such as Call of Duty: Warzone, PUBG, and Destiny 2 were plagued by players utilizing aimbots for automatic targeting and wallhacks to gain visibility of all players on the map.

In contrast, Riot Games' Valorant distinguished itself with its contentious and robust anti-cheat mechanism, Vanguard, which effectively deterred cheaters. Four years later, it is evident that Vanguard has achieved notable success in combating PC cheating, surpassing other anti-cheat solutions.

“We don’t observe as many cheats attempting to operate on the machine and gain access,” stated Phillip Koskinas, the director of anti-cheat for Valorant, in an interview with The Verge. “It has simply become too cumbersome for cheat developers.”

Vanguard has significantly complicated the use of aimbots and wallhacks for PC gamers. This is largely attributed to a controversial kernel-level driver that remains active after the PC is booted. Riot’s Nick “Everdox” Peterson devised a system within Vanguard that identifies when cheat engines attempt to access Valorant. “He developed a rather innovative method to detect unauthorized mappings into kernel memory,” Koskinas explained. “The technique is so clever that I cannot disclose it, as it would be too easily understood by others.”

The described method appears to function similarly to the process of opening a piece of hardware, where small plastic clips detach, signaling to the manufacturer that the warranty has been voided. "Once that occurs, we are aware that an event has taken place, and we simply await confirmation of cheating activity in Valorant," states Koskinas.

This situation has prompted cheaters to increasingly rely on hardware solutions to circumvent detection systems. A prevalent technique employed by cheat engines now involves direct memory access (DMA) through specialized hardware. "Essentially, you are utilizing a PCIe card to request readings from physical memory," Koskinas elaborates. "They have devised methods using these cards, with Squirrel being the most notable, to conduct traditional memory scanning entirely externally."

Consequently, a cheater may operate a secondary computer that scans the memory space of Valorant, searching for player locations. This secondary PC, equipped with a monitor, can display a unique radar that reveals the precise positions of opponents. Such a cheat is particularly detrimental in a game like Valorant, where players depend on strategy, positioning, and stealth to gain an upper hand.

Riot has also implemented strategies to identify this new form of hardware-level DMA cheating, thanks to Peterson's innovations. His creation effectively prevents suspicious devices from reading internal memory. I recently encountered a problem with this DMA protection, as Vanguard began blocking my network card each time I entered a Valorant match. Riot maintains a list of trusted hardware and firmware, but the network card integrated into my motherboard employed a method that appeared dubious. The issue was resolved within hours, yet it demonstrated the efficacy of Vanguard, which was capable of disrupting my PC's connectivity until I performed a reboot.

The majority of cheats currently utilized in Valorant primarily consist of triggerbots, which are programs that employ screen readers to monitor the center of the display and automatically fire when a player's crosshair aligns with an enemy. According to Koskinas, these triggerbots represent approximately "80 percent" of the cheating activity within the game.

The implementation of Vanguard in League of Legends earlier this year has significantly diminished the prevalence of scripters. In August, the League team disclosed that over 175,000 accounts had been banned for cheating since the introduction of Vanguard.

While this development is promising for both Valorant and League, the outlook is less favorable for other game developers who rely on their own anti-cheat mechanisms. A recent study conducted by the University of Birmingham indicated that cheats for Activision’s Call of Duty: Warzone remain both accessible and inexpensive, with Activision’s Ricochet anti-cheat system proving inadequate against more advanced cheats. Activision was even compelled to rectify an anti-cheat exploit in Warzone and Modern Warfare III that resulted in the wrongful banning of legitimate players.

“Ricochet has skilled individuals on its team, but they evidently lack sufficient funding and autonomy,” states zebleer, the creator of Phantom Overlay, a widely used cheat engine for games such as Call of Duty and Overwatch 2. “Call of Duty is inundated with cheaters. They are applying temporary solutions rather than implementing necessary long-term strategies, likely due to restrictions imposed by Activision.”

Zebleer believes that Vanguard is effectively combating cheaters, attributing this success to the anti-cheat team’s access to funding, expertise, and operational freedom. Riot has recruited engineers with prior experience in developing cheat engines, including Koskinas, who created and sold cheats over 15 years ago to support his academic pursuits.

Researchers at the University of Birmingham have concluded that Valorant possesses the most effective anti-cheat system, securing the top position in their rankings. Following Valorant, Fortnite, which also employs a kernel-level system, was noted for its anti-cheat capabilities. In contrast, Counter-Strike 2, Battlefield 1, and Team Fortress 2 were placed at the lower end of the spectrum.

The study also pointed out vulnerabilities within Windows protections that enable cheat software to infiltrate the kernel, akin to the behavior of malware. In light of the significant CrowdStrike incident, the issue of Windows kernel access has gained prominence, prompting Microsoft to explore methods to assist CrowdStrike and other security firms in operating outside the Windows kernel environment.

Riot Games is seeking Microsoft's assistance to enhance the security of Valorant. Koskinas remarked, “Microsoft has become much more proactive in revoking certificates for malicious drivers. We tend to align our efforts with what Windows is prepared to implement, so if they begin to mandate virtualization-based security, hardware-enforced stack protection, or hypervisor code integrity, we will utilize those protective features and reduce our reliance on the kernel space.”

In a forthcoming update, Vanguard will only activate upon the game's launch, contingent on the use of the latest Windows 11 security features, rather than being perpetually active from system boot. This change is expected to alleviate some privacy concerns.

Currently, Riot's anti-cheat efforts are concentrated on Windows, with no intentions to support Linux for either Valorant or League of Legends. Although the Steam Deck accommodates certain anti-cheat systems, developers like Riot are increasingly hesitant to engage with Linux. Koskinas stated, “The kernel can be manipulated freely, and there are no user mode calls to verify its authenticity. It is feasible to create a Linux distribution specifically designed for cheating, which would pose a significant challenge for us.”

Respawn has recently ceased support for Apex Legends on Linux, citing concerns similar to those expressed by Riot regarding cheating. Additionally, Epic Games has chosen not to support Fortnite on the Steam Deck or Linux platforms due to insufficient user numbers. Koskinas remarked, “Imagine if Steam Deck just has the security handled so we know it’s a genuine device, it’s fully attested, all these features are enabled, we’d be like cool, go game, no problem.”

While Riot appears to be effectively managing traditional PC cheating, it may soon face challenges from AI-driven cheating methods. This could arise from specialized hardware, such as MSI’s monitor designed to facilitate cheating in League of Legends, or increasingly sophisticated screen readers. Riot is particularly wary of image reading technologies. Koskinas noted, “That is where all cheating is heading. We’ve done a lot of research into what human mouse and keyboard input looks like, but it is a concern.”

A potential future scenario could involve a conflict between AI cheats and AI detection systems in a virtual battleground. Koskinas acknowledged, “We’re at a disadvantage, honestly. [AI models] can learn what human input looks like.” Currently, Valorant is prevailing in this ongoing struggle, but the emergence of AI could significantly alter the dynamics of this continuous cat-and-mouse game.
