Privacy is one problem, security is another. Because if any malicious actor gets access to the vanguard anti-cheat, they can use all the permissions it has. That is, everything.
@@Max128ping I do not know that much about cheats, but from what I know about memory reading and manipulation that is not true. The cheat program can trust the cheater to give it access to all relevant processes, while the anti-cheat has to find those by itself. There may be kernel level cheats, but from my understanding there is no reason for that unless they are trying to counteract specific kernel level anti-cheat programs. Also, the big difference is that a cheater decides that he wants the cheat and can take a calculated risk. It is unreasonable to expect to take this risk from everyone who wants to play a game.
It needs to be announced clearly that playing the game online requires this anti-cheat software, at which point you can investigate online before buying and/or installing. But, assume that it is the worst, because it likely is.
And note, Tencent owns Riot, and Tencent's products routinely report back to the CCP. That is why they're so anxious to get into your kernel, because maybe someone has something useful on their rig.
Very true, also every other product we use like YouTube, Instagram, Facebook reports back to the CIA. Why don't people focus on this more? It bothers me a lot.
from what I know of, DMA can be detected usually in very simple ways. EAC and faceit tend to check the serial numbers of pci-e cards to determine if it's a legitimate card or a DMA device. EAC or faceit (can't remember which) will take the extra step and try to call certain functions on the PCI-E card to see what data it returns, so if it calls for the same function the most common DMA device uses and returns data from memory then it is a definite DMA device and will know you're cheating. This is a good way to get around people who spoof the serial of the device to make it seem as if it is an nvidia gpu etc.
A DMA card is basically a PCIe expansion card that you plug into your PC. So it's recognized by the system as an additional piece of hardware that can be observed as such. To remain undetected you need to spoof several pieces of info such as the hardware id and "look like some legit hardware" such as a network card. Obviously, if a lot of those DMA cheaters flashed the same config onto their DMA card, chances are high that anti-cheat devs find a pattern in the data they captured. If I recall correctly, that's what riot did when they banned a lot of them. They found out that they all spoofed a specific network card.
Thank goodness I get most kicks out of games that are open source and receive donations, to which I contribute. This is a business model I can get behind. Lately Battle for Wesnoth and OpenTTD captured my interest. Mainly because I have no time for gaming. No thank you stay out of the kernel. If you are a programmer and have a time for streaming, you are not a really good programmer, because programming pays much more than decent streaming.
My issue with this is that cheaters aren't using injection cheats. At least not the good ones. They have DMA cheats or other ways that require something either more invasive or entirely new to catch. Someone with Google and $40 can figure out how to do this. Especially frustrating in very high ELO fps lobbies like I'm used to playing (cs faceit10/valorant imt3/radiant); these dudes without something more invasive can just run free. Unless they have something that can detect if something is reading the memory that shouldn't be.
With vanguard the only way to be sure that it is gone is to format and do a clean install of your OS. I'd go as far as to do so for all of your drives (if you have multiple) even if the other ones didn't have it installed, since it could have left traces of itself everywhere. That's something that Thor didn't mention, kernel level access isn't just access to all of your memory, it's full access to all of your hardware, with full permission to do whatever it wants.
Vanguard currently only takes screenshots of the fullscreen window of your client and/or your game (a match for example), a common process for most anticheats, it even has checks in its codebase to make sure it's printing the actual game window. I don't like how Vanguard works, but uninstalling it the traditional way and removing any temporary files and folders is enough.
This is why I am unwilling to support games with these programs in them. "Least necessary privilege" (or whatever other jumble of words you'd like to call it) has kept me and my organizations fairly secure for decades--I see no reason to change that now.
Wipe your hard drive and reinstall your operating system. If you trust the author of a kernel level program, then you might be able to use their uninstaller but... if you're removing it because you don't trust them I wouldn't trust that they're removing everything.
@@futuza wouldn’t they have to break the law to leave stuff on your system after you have revoked consent? Assuming that they’re aware it would be illegal, they’d have to have a very funny love of risk to justify doing that. I mean the government could close down their business for that if they got caught
So how do we “unaccept” kernel level anti cheats? Can you give an example of what anti cheats use it as well, so I know what games I need to potentially stay away from?
So how soon will the cheaters switch to running the game in a hardware VM and putting the cheat code in the hypervisor? Or heck, feed the monitor output to a video in device on another machine, ML the data the bot needs from the video stream and feed back the commands to the USB ports on the first machine? Heck, I'd bet someone already makes a "hardware video embedder" chip (or FPGA module) for doing real-time processing of camera feeds so that might not even take a very powerful second machine.
Very little knowledge of this but: What stops you from filling the allocated memory of the game with 1's. And the moment you notice any of them change without the program's doing, insta ban?
@@alexisJonius They only design the program to be able to handle up to 80% 1's because no normal use case would go above it. Once it's all 1's it would be too heavy and the bottom would break and the program would spill out onto your computer
@@alexisJonius Because a program is literally a list of instructions and if you change all the instructions to be nonsense then you can expect undefined behavior which is almost 100% certain to cause a crash.
@@alexisJonius What you're suggesting is one of two things: (1) fill all available system memory with 1's, which will crash the system the moment something tries to use memory that isn't available and it can't free it fast enough. You'd be destroying system wide performance and stability, and the only way to avoid that would be to (2) pre-allocate memory for the game to run in, fill that memory with nonsense, and then dynamically free and reallocate memory as needed for game resources. Not only does that essentially guarantee all sorts of bugs, but it actually creates a new attack vector since an attacker could target the free/reallocate feature in such a way as to be indistinguishable from intended behavior. Even though games already run these kinds of dynamic free/reallocate features, they don't run inside of a pre-allocated memory space which is being filled with nonsense. It actually makes it easier to distinguish intended from unintended behavior that way. Your idea would increase the likelihood of bugs AND attack vectors at the same time without improving performance, stability, or security. In other words, there's a reason no one has done this.
If you use kernel level anticheat I cannot buy your game because it won't work. The underlying accessibility fixes I require on the OS to run the game at all are completely incompatible with kernel level anticheat.
If you are someone who is reliant on accessibility accommodations to be able to use a computer you are probably not someone who is playing fast-paced competitive games such as the one being referenced in this video
@@kakorotskywalker specifically talking to the person who “won’t buy this game” because they didn’t watch the video and don’t know wtf they are replying to
yes that is pointed out at 1:32. So, I think that is what Vanguard is trying to catch when process injection is being circumvented by duplicating the memory- it's surveilling the machine for either anything looking like a copy of Valorant memory or (perhaps) the instructions of any process copying memory allocated to another process as flags for cheating behavior
@@toooes he argues that kernel level anticheat is like allowing cops in your house without a warrant, which is a truth to an extent, but here is the REAL problem. Cheaters that abuse DMA, hardware, and kernel cheats are uncommon in low elo. Cheaters will be all bunched up into high elo. The % of cheaters in games is so much higher in high elo. Streamers and top players start complaining and recommend normal players to stop playing. Even complaints will cause normal players to be suspicious of good players (this is the state of cs2 matchmaking). Your game dies and no one wants to play it, you make no money, because your whole dependence on money is abusing playtime to sell skins. So his argument is true to the extent that you're letting the cops in, but in the other sense the game wouldn't exist if it didn't make money. FPS game market is a WHOLE different market than MMO bot farming.
Well, you answered the whole question with yes, but only part of it is yes. The anti cheat is not allowed to upload the data to their server, at least in Europe because of our data protection laws (don't know about US laws tbh). So yes, it can see the whole ram, but it is not allowed to upload the data to any server etc. So the question is first part yes, rest is no, and the rest is the most concerning part cause here, the data can be seen by the AC locally on your pc, but also only processed there. No data not pertaining to the game can be sent to a riot server and many people tried to prove that riot does this but couldn't find any. No network packages etc. I think it's dangerous to take such a compound question, just take the first part and answer it with yes disregarding the rest cause that creates the assumption that all of the question was correct. I don't think you did it intentionally, but it's still misleading.
There are still many concerns with kernel level anti cheat even with that in mind. So much so that your point is unfortunately moot. For starters, at the end of the day if the code isn't open source, you cannot trust it. The government and the game company can promise that none of the data is being sent to the server all they want, but that doesn't change the fact that they can still do it and potentially get away with it. Google getting caught (and sued I believe) for still tracking your incognito searches to use for ads comes to mind. Secondly, kernel level anticheat still has the issue of security. It is bad practice to expose the kernel of an OS to any program willy nilly, as kernels were invented mainly for security, i.e. preventing random (and untrusted) programs from having free rein on the computer. Recently, a ransomware virus has been getting around thanks to its ability to latch onto Genshin Impact's kernel level anticheat and use it to bypass Windows Defender. Laws only affect those willing to play nice or those without the ability to pay for good lawyers. You did mention that people tried to prove that Riot doesn't send data to their servers in the EU, but that way alone isn't exhaustive for *any* strategy that they could use to obfuscate that data collection, nor does it prove that they won't start doing it later on. While I agree that making such an act illegal is a step in the right direction, at the end of the day, the better thing to do is to find an alternative to KLAC entirely.
I just wish that despite all of the warnings against it, the complete lack of abuse of such platforms is weird. People like to draw threads like Vanguard is owned by Riot and Riot is owned by Tencent and Tencent is a "supposed" CCP entity. Yet not a single soul was able to prove any of it is going anywhere in this techy and information age. That being said, if regular anti-cheat was reliable I wouldn't bat an eye. But it works. If anything, non-kernel level anti cheats have lost a lot of faith. Valorant is a haven compared to CS because of the complete lack of cheaters in my experience. I just can't imagine a scenario where my data getting stolen by some big corpo or country will ever change my life unless I'm fucking with things that need protection. If Vanguard was stealing everyone's data, what for? To all at once take over the world via video game anti-cheat. Obviously we leave the door open but until any cybersecurity specialist comes forth and says what they're doing, what's the point. No point listening to people rambling about how China is a vampire that owns Tencent and wants to harvest our data to build a mega rocket to nuke the moon.
If you cannot imagine a scenario where this might needlessly impact you negatively, it flaunts your ignorance on the subject rather than debunking the concerns about kernel-level anti-cheat. You ought to heed the advice of the security experts instead.
It's less about any personal impact on your privacy, and more about keeping a check on how much these corporations gain power overtime by not having this privacy-breaking behavior be normalized. It's analogous to voting on a political candidate. Your vote itself won't have any sizeable impact, but raising awareness is important on the bigger scales.
2:14 ...except that isn't true in an awful lot of places now... They demand entry, you say no, they call for backup, cause a massive scene, gain entry other than the front door, ransack your house, find no evidence of a crime, leave, and suddenly your phone, laptop, and various other personal belongings are gone, and since you had no way of recording them doing it, there is no evidence the police took anything.
Tell that to players who are playing at the highest level, for money. It might not matter to us normies, but having a reliable way to detect cheaters is definitely a necessity
It is not a reliable way to detect cheaters. And in settings where there is money at stake the computers in use are heavily monitored, so the whole issue of not having control over clientside data becomes irrelevant.
You need both. You need machine learning based algorithmic anti-cheat to flag things in real time, with edge cases and appeals then being handled by people. It's not cost effective to have swarms of people watching live gameplay; unfortunately, companies go the opposite direction and gut their entire anti cheat teams after setting up an alpha state anti cheat tech stack, make sure it has kernel level access so they can accumulate more granular data than they need, and flip that data on the back end to advertisers for an additional stream of income, on top of the cut wages.
@breeban3388 actually the opposite, paid matches are done on private servers not in public lobbies, so they are not affected. And if someone decides to cheat they can easily be caught because they're being monitored very closely by organizers (apex situation is a shitshow and outlier). Rampant cheating in public lobbies on the other hand kills games. Because no matter how good top 100 players are, if there are no people playing the game it's dead.
Not true at all. this kind of anticheat automatically can ban code/input injection, leaving only the most clever methods i.e. reading memory through a hypervisor and mocking the thread input message queue or computer vision/color vision bots.
But like, don't the cheats also have access to your kernel? It's kinda untrustworthy from riot but i would rather trust them with this than someone literally making illegal cheats to have this kind of access to my stuff
the amount of bs is crazy. League is a competitive game where most of the scripters were in master+ (crazy right?). WoW has had botters, cheaters and dupers in a way bigger amount and Blizzard did nothing about it. One company cares, the other one doesn't.
ye fr its crazy how much people cry about rampant cheaters in cs2 and other usermode anticheat games then bitch when big scary kernel driver is present
Well, are you willing to sell your soul and shake the devil's hand, just to reduce the chance of cheaters? It's not even 100% efficient btw, cheaters can get around that. It just increases the barrier of entry, and once it is breached (which they frequently do), they distribute new programs (or whatever) to cheat. The alternative is a simple cheating-reporting system and server-side detection of cheating. This is what I am going to do as well for my game. The server will check every ~10th data package incoming (otherwise it would be too much) (for example the player's position) and when it detects something weird (too much distance in too short a time), it will increase the suspicion level of that player and check more frequently (or all packages). After all it could have been some mistake, but to be sure it needs to detect that behavior multiple times. Someone who cheats once will cheat multiple times. And it doesn't require any invasive client-side programs, and I don't need to play an arms race with cheaters on a highly complex kernel level. All it takes are some smart algorithms.
The trick is to find developers that make games that make everything server side and do not trust the client for anything. For example, your Bank likely doesn't trust their banking client app not to do naughty things with money.
@@futuza yeah its so easy to find a GTA alternative that plays exactly like GTA does and has exactly the same story and characters GTA does... oh wait.
*I really don't mind it because I play a game with a massive cheating problem that kind of ruins the whole thing and by one conservative estimate there is a cheater in 50% of the lobbies.* So Thor's proposition of the police constantly looking at your kitchen is a lot more reasonable when half the time you go in your kitchen there's a random naked person standing in it
@@hd-bild1513 explanation is garbage and 0 logical thought. He argues that usermode is safer because it's "against the law" to access user files, and that kernel mode access allows anticheats to just randomly upload files to their servers for analysis legally. Dumbest thing I've heard in a while, this is NOT how vanguard works nor ANY km anticheat outside of China (I've heard ACE can just randomly upload files to their servers for analysis). idc about kernel mode anticheat, and i don't think it's the perfect, ideal solution, but this is just fear mongering for no reason
@@iris.87 it's not super illogical to not trust a list of corporations to not peek at your data, especially when you explicitly allow them to (aka it's not illegal to take a screenshot of your PC if you explicitly install a kernel level program, right?). I mean look at Google. Also the uploading screenshots thing seems like it's real to me. And Riot is owned by a Chinese company and, not to hate on China, but they do have a rep for peeking where they shouldn't.
ring 0 ac is basically an easier way to have an anticheat, since it has a very deep control of your hardware. But assembly written ac can easily be better than kernel ac. Kernel (ring 0) ac is just a lazier way to have a strong anticheat.
in truth, NOTHING needs Kernel Level Access to your computer other than the Operating System and the Antivirus measure shipped with it (Meaning like Windows Defender, not any pre-built OEM contract programs). Any other program that wants Kernel Level access is something that isn't needed, and is a huge privacy concern especially in our capitalist society that loves to get your information in any way possible and sell it to the highest bidder. A kernel level anticheat may be more efficient at its job in some scenarios due to its capability to access all memory on the machine, but at least in my opinion, that added efficiency is nowhere near worth the privacy violations that can legally occur since you're willingly giving them kernel level access to do whatever they please on your machine. This also means that if, somehow, that kernel level software, which has been given permissions, gets hijacked by malware, it can now do whatever the hell it wants, and your antivirus will most likely never detect that it's there. Edit: Fixed a wording oversight when referring to installed antivirus programs, I originally said any installed antivirus, which is definitely not the right call, especially with Pre-Builts being shipped with bloat like Norton or McAfee. Thanks to @iris.87 for pointing that out.
@@raviexthegod quick reminder that usermode antiviruses have literally sold ur data in the past, not really sure why you think antiviruses are safe, or that you need kernel mode access to find & sell said data..
@@iris.87 not saying that you need kernel level access to find data, what I'm saying is that, similar to Thor's analogy in the video, would you rather the cop have to get a warrant to come in, i.e. find a way to scrape data, or just give the cop verbal consent to rummage around as they please, i.e. kernel level access. And with the antivirus I was referring to Windows Defender, which, while part of the OS and it does ship with it, is a separate program in and of itself that integrates deeply with the OS. I simply worded it wrong, re-reading my original comment.
There never was a problem. They engineered this problem by deliberately doing nothing regarding cheaters, so they could implement their invasive solution. Cheaters were never a big deal in league when they were actually using their server side detection, and any issues in high elo could be solved by hiring a single person to manually review games. But their corporate overlord enemy government wanted access to more data, so we get this mess.
Never trust a client, do all calculations server side. Multiplayer game devs have known this since the '90s, but it's hard to do so they implement these lazy fixes. Also if your game doesn't make that possible, you have a bad game design and you should be making a single player game instead or hiring more competent devs. The only other solution is to make sure that you game on a computer that is only used for the kernel level anti-cheat game and nothing else. But requiring consumers to have two PCs is a terrible idea.
@@futuza that doesn't change anything, it's already what's happening in 99% of games and I'm saying 99% because of gta online and that's it, wallhacks and aimbots are not affected by this at all
@@bapoTV wallhacks are mostly a client side issue, if clients remove walls the server should not be giving them information about what lies beyond that. With aimbotting it's a fairly minor issue that pretty much only affects the FPS genre and is easily fixed with a robust reporting system and some statistical tracking.
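The two server-side ideas floated in this thread, the comment above about checking every ~10th position packet and raising a per-player suspicion level, and the reply about wallhacks being a visibility problem the server should solve by not sending what a client cannot see, as one runnable sketch. This is an added example, not code from any commenter or from any real game; the speed limit, sampling rate, thresholds, the 2D map and all sample positions are assumptions chosen for illustration.

```python
"""Server-authoritative anti-cheat checks: movement plausibility with adaptive sampling,
and line-of-sight filtering of the state sent to each client.

Added example for this thread, not code from any commenter or any real game. Every
constant, name and sample value below is an assumption; the world is 2D for brevity."""
from dataclasses import dataclass
import math

MAX_SPEED = 7.0      # fastest legitimate movement, world units per second (assumed game rule)
TOLERANCE = 1.10     # 10% slack for clock jitter and rounding
SAMPLE_EVERY = 10    # while a player looks clean, verify only every 10th update
FULL_CHECK_AT = 1    # at this suspicion score or above, verify every update
FLAG_AT = 5          # at this score the player is flagged for human review


@dataclass
class Player:
    name: str
    pos: tuple
    t: float                # server time of the last accepted update
    chk_pos: tuple = None   # position at the last *verified* update
    chk_t: float = 0.0
    updates: int = 0
    suspicion: int = 0
    flagged: bool = False

    def __post_init__(self):
        if self.chk_pos is None:
            self.chk_pos, self.chk_t = self.pos, self.t


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def handle_move(p, new_pos, t):
    """Process one position update from the client. Returns True if it was verified and rejected.

    Verification uses the average speed since the last *verified* sample, so a teleport
    gains nothing by landing on an unchecked packet: it still shows up in the window."""
    p.updates += 1
    verify = p.suspicion >= FULL_CHECK_AT or p.updates % SAMPLE_EVERY == 0
    if not verify:
        p.pos, p.t = new_pos, t                 # accepted on trust this time
        return False
    elapsed = t - p.chk_t
    too_fast = elapsed <= 0 or _dist(p.chk_pos, new_pos) / elapsed > MAX_SPEED * TOLERANCE
    if too_fast:                                # also catches duplicate or rewound timestamps
        p.suspicion += 1
        p.flagged = p.flagged or p.suspicion >= FLAG_AT
        p.pos = p.chk_pos                       # rubber-band to the last verified position
    else:
        p.suspicion = max(0, p.suspicion - 1)   # isolated hiccups decay instead of accumulating
        p.pos = new_pos
    p.t = t
    p.chk_pos, p.chk_t = p.pos, t
    return too_fast


def _orient(a, b, c):
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])


def _crosses(p1, p2, q1, q2):
    """True when segment p1-p2 properly crosses segment q1-q2 (shared endpoints ignored, an assumption)."""
    return (_orient(q1, q2, p1) * _orient(q1, q2, p2) < 0
            and _orient(p1, p2, q1) * _orient(p1, p2, q2) < 0)


def visible_to(viewer, others, walls):
    """Names of the entities the server should include in this viewer's snapshot.

    Anything behind a wall is simply never sent, so a client that renders walls as
    transparent (or reads them out of memory) has nothing to reveal."""
    return [o.name for o in others
            if not any(_crosses(viewer.pos, o.pos, a, b) for a, b in walls)]
```

Two design points worth noting. The speed check measures the distance since the last verified sample rather than since the previous packet, so sampling every tenth update does not open a window a cheater can time; and once a player has a non-zero suspicion score every update is verified until the score decays, which is the "check more frequently" behaviour the comment describes. The visibility filter is the server-side half of the wallhack answer: a wall the server never lets you see through cannot be removed client-side.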
@@hanz.b_ Hi, I really suggest trying dual boot, I really like TFT (I don't play much league) and so after vanguard happened I couldn't play for a long time. Then I switched from NixOS to dual booting Ubuntu and Windows 10! It's really easy if you have the memory for it, around 200-300GB for Windows will be more than enough. You can make the partitions yourself, and more importantly you can play most games on Ubuntu now with drivers actually being updated and patched to the Linux kernel 😂.
it can also lead to massive data breaches if a vulnerability from a kernel level anticheat is ever discovered by malicious actors (who will try to because it'd be a giant prize to black hat hackers) so you better hope that any kernel level anticheat you put on your machine is coded with absolute iron security AND that no novel ways to exploit it are ever discovered.
If kernel level stuff looks at the entirety of your PC, why are there still cheaters? There is no more to offer the anti-cheat software and company. Yet they still fail to ban the cheaters. It makes no sense. What more could they want
because modern cheats are in the kernel too and can hide themselves, it's a cat and mouse game as always, there's also DMA devices now which are basically hardware cheats
@@bapoTV good catch, I wonder how much deeper this will go, competitive games by nature have this problem and I don't think there will be a definitive solution that is not intrusive, maybe the way is just have a spare machine just for gaming and plug a kvm switch to change from work/personal to gaming rig, dunno.
Thor doesn't want us standing in his Kitchen naked.
There goes my weekend plans :(
The recent CrowdStrike disaster is a perfect example of what happens when you let 3rd party programs into your kernel. Riot deserves to go bankrupt.
are you stupid on purpose? or does it just come naturally to you?
not really true at all, it's simply because CrowdStrike doesn't like waiting for Microsoft on proper signing
@@iris.87 You are seriously STILL defending this shit. What makes you think that a company that thinks it's ok to charge 200 dollars for a skin cares about proper signing? Vanguard has bricked PC's, that's all the proof one should need to not trust that crap.
@@meropticon_1651 i could care less about defending riot, i just hate when people yap about things that aren't true (e.g. vanguard bricking pcs)
Crowdstrike just had a corrupted file lol it has nothing to do with kernel anti cheats
Kernel level is basically do whatever the fuck you want
nope
And i am totally fine with it
@@iris.87 well yes, it's at the level of the kernel
@@nzeu725 please explain how usermode access differs from kernel mode access in terms of a security concern, and please don't say legality as said in the video (he's wrong)
@@iris.87 User mode is in the most outer ring of the operating system, meaning that it has the least permissions. The kernel mode access however is in the most inner ring, the same as the kernel. That way it doesn't need permission to do things, so whereas a normal anticheat would need to get permission to do something, a kernel mode access anticheat can do it without asking and without anyone knowing. It can also tweak the system like the kernel can.
I uninstalled league the moment they announced Vanguard.
I'm not giving kernel level access to any 3rd party, much less one like Riot with its 'well known' investors
Same, I miss lol a little bit but it's not worth it.
You miss it but I bet your mental health is so much better@@AreaNeraTV
i have to thank Riot for this change.
Stopped me from being addicted from League, uninstalled right away
Same. It was the one thing I would not accept
You have nothing of value for them to steal lol
It's pronounced "malware"
You can choose not to have it on your pc... Generally don't have that choice with malware
Rootkit*
@@arc8588 I would question if all or even most customers are making an informed choice there
OK, moving into your kitchen now. Open all the cupboards, not closing them, though. Rearranged your knives, forks and spoons so now small spoon on the left. I've hidden the rest ..
More people need to see this now that GTA has forced Battleye on players.
Yeah I think I’m gonna keep my PC gaming to what I can run on my Steam Deck
2:03 Good comparison... except the fact that he is not a police officer, but a simple agent of a private video game company, known for its links with the CCP x)
The only good thing out of this is that I can laugh at every new exploit someone finds against Vanguard and laugh at the people who were defending this garbage back then.
Any luck? Oh wait still nothing, let's see how much time it takes to admit you are wrong
@@dimitrisadvanced You are sick in the head
@@dimitrisadvanced He's right, I watch a twitch streamer who streams his scripting games, this Vanguard anti cheat is more loose than other Kernel anti cheats like in Faceit.
Ideally, nothing really changed, newbie players to the cheat scene who used free scripts without any protection are getting banned just like they used to before Vanguard, and the hardcore cheaters, who use spoofed cheats, are still out there unbanned at high level elo matches... The price of the cheats is higher but it doesn't matter much.
1:20 in.. ASSEMBLY?
Assembly is not that scary, for hacks smeared across the code caves it would be good enough, there likely won’t be too complicated high level code. Likely the hacks themselves would originally be written in assembly, as it’s what you do with codecaves. Human written assembly instead of that generated by a compiler is even easier to comprehend.
When you reverse-engineer an unknown executable, you often get just assembly code, because compilation is not a reversible process (except in some circumstances).
It's always assembly
Is there an easy way to check what programs have kernel privileges? How would you go about purging games with kernel level anticheat and how can you be sure that they leave no trace once they are removed?
Reformatting your hard drive and reinstalling your OS is the only way to be mostly sure.
Win+R -> msinfo32 -> Program environment -> System drivers
@@futuza Bing ahh answer
@@futuza Until they compromise the damn BIOS and EFI. Now you need to flash your BIOS too.
@@sansmoraxz Once you have given real kernel level access, you are more or less looking at the same kind of persistence question as hackers are using. At that point it's an arms race getting it off without just ordering a new machine. I remember a proof-of-concept attack that would survive on a HDD after a total re-write (it was hacked into the HDD's firmware) and I think I've heard of one that sits in very early stages of the BIOS boot code (it basically owned your system before it had booted enough for you to ask if it was even there or even _try_ to flash the BIOS).
Education is important. Our computers should be private.
stopped playing since the vanguard addition. Sad cause i really liked tft 😑
Same, I recently wanted to reinstall it, then the Vanguard popup stopped me... I'd rather play Dota 2 again lol.
Yeah, same here. Vanguard is the only reason I quit League of Legends.
Same thing. I am an engineer. Also to install and run vanguard you need to change a setting in BIOS that disables virtual machines. This is a huge no no it directly affects my job and it’s disgusting how stupid their management team is now
Pretty sure you can play tft on mobile without Vanguard
He who trades privacy for security; deserves neither, and will have none.
I do believe you are writing this comment from an undiscovered island, because every other place on this planet lacks freedom.
Great explanation!
Thanks for the clip!
Privacy is one problem, security is another. Because if any malicious actor gets access to the Vanguard anti-cheat, they can use all the permissions it has. That is, everything.
Same as cheaters: you don't need kernel access if the cheats don't use it. But they do, and cheaters give a middle finger to their own privacy
@@Max128ping I do not know that much about cheats, but from what I know about memory reading and manipulation that is not true. The cheat program can trust the cheater to give it access to all relevant processes, while the anti-cheat has to find those by itself. There may be kernel level cheats, but from my understanding there is no reason for that unless they are trying to counteract specific kernel level anti-cheat programs.
Also, the big difference is that a cheater decides that he wants the cheat and can take a calculated risk. It is unreasonable to expect to take this risk from everyone who wants to play a game.
How do you know if the game is asking for kernel-level anticheat? Is it buried in the TOS somewhere?
It needs to be announced clearly that playing the game online requires this anti-cheat software, at which point you can investigate online before buying and/or installing. But, assume that it is the worst, because it likely is.
Thankfully it seems steam has made it so it'll need to be revealed on the store page from now on.
Thanks, nice to know I was kinda right.. :)
And note, Tencent owns Riot, and Tencent's products routinely report back to the CCP. That is why they're so anxious to get into your kernel, because maybe someone has something useful on their rig.
Very true, also every other product we use like YouTube, Instagram and Facebook reports back to the CIA
Why don't people focus on this more? It bothers me a lot.
Steam also has CCP backdoor, it's stupid for Valve to create 2 bins with minor code tweaks.
3:04 what about DMA? Can non-kernel anticheats detect that?
easily detectable in its current state, DMA is awful on EAC (not EOS), vgk, Faceit, ESEA etc
from what I know of, DMA can be detected usually in very simple ways. EAC and Faceit tend to check the serial numbers of PCI-E cards to determine if it's a legitimate card or a DMA device. EAC or Faceit (can't remember which) will take the extra step and try to call certain functions on the PCI-E card to see what data it returns, so if it calls the same function the most common DMA device uses and it returns data from memory then it is a definite DMA device and they will know you're cheating. This is a good way to get around people who spoof the serial of the device to make it seem as if it is an Nvidia GPU etc.
A DMA card is basically a PCIe expansion card that you plug into your PC. So it's recognized by the system as an additional piece of hardware that can be observed as such. To remain undetected you need to spoof several info such as the hardware id and "look like some legit hardware" such as a network card. Obviously, if a lot of those DMA cheaters flashed the same config onto their DMA card, chances are high that anti-cheat devs find a pattern in the data they captured. If i recall correctly, that's what riot did when they banned a lot of them. They found out that they all spoofed a specific network card.
@@fortender97x yeah that was probably the ekknod fw, but atp most of the fw is invalid anyway
@@AruthaRBXL so it's detecting the dma device and not the dma itself?
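The two detection ideas in the replies above, checking whether a card's PCI identity is consistent with the device it claims to be, and noticing that many accounts present the same spoofed identity, as an added example (editor's code, not EAC's, Faceit's or Riot's, and the probe-the-card technique is not modeled). The reference profile uses Intel's vendor ID 0x8086, device 0x1533 (I210 Gigabit Ethernet) and PCI class 0x020000 (Ethernet controller); the capability list the genuine card is expected to expose, whether it carries a serial number, and all device records are assumed for the example.

```python
from collections import defaultdict

# What a genuine card with this vendor/device ID is expected to look like.
# Assumed for the example: the capability set and serial expectation are not
# taken from a datasheet.
KNOWN_PROFILES = {
    (0x8086, 0x1533): {
        "class_code": 0x020000,                       # Ethernet controller
        "required_caps": {"pm", "msi", "msix", "pcie"},
        "has_serial": True,
    },
}

# Constructed telemetry: one record per (account, PCI device). acct1 is a real NIC;
# acct2-4 share one spoof firmware image; acct5 spoofs the IDs but not the class code;
# acct6 is a device with no reference profile (hypothetical IDs).
SAMPLE_DEVICES = [
    {"account": "acct1", "vendor": 0x8086, "device": 0x1533, "class_code": 0x020000,
     "caps": {"pm", "msi", "msix", "pcie"}, "serial": "S-A1"},
    {"account": "acct2", "vendor": 0x8086, "device": 0x1533, "class_code": 0x020000,
     "caps": {"pcie"}, "serial": "S-XYZ"},
    {"account": "acct3", "vendor": 0x8086, "device": 0x1533, "class_code": 0x020000,
     "caps": {"pcie"}, "serial": "S-XYZ"},
    {"account": "acct4", "vendor": 0x8086, "device": 0x1533, "class_code": 0x020000,
     "caps": {"pcie"}, "serial": "S-XYZ"},
    {"account": "acct5", "vendor": 0x8086, "device": 0x1533, "class_code": 0xFF0000,
     "caps": {"pm", "msi", "msix", "pcie"}, "serial": "S-E5"},
    {"account": "acct6", "vendor": 0x1234, "device": 0x5678, "class_code": 0x0C0330,
     "caps": {"pcie"}, "serial": "S-F6"},
]


def check_device(dev):
    """Reasons this device's PCI identity is inconsistent with the card it claims to be."""
    profile = KNOWN_PROFILES.get((dev["vendor"], dev["device"]))
    if profile is None:
        return []  # an unknown ID is not evidence by itself; nothing to compare against
    reasons = []
    if dev["class_code"] != profile["class_code"]:
        reasons.append("class code mismatch")
    missing = profile["required_caps"] - set(dev["caps"])
    if missing:
        reasons.append("missing capabilities: " + ", ".join(sorted(missing)))
    if profile["has_serial"] and not dev.get("serial"):
        reasons.append("no device serial number")
    return reasons


def serial_collisions(devices, min_accounts=3):
    """Serials seen on at least min_accounts distinct accounts.

    A real card's serial is unique; the same serial on many accounts means they
    flashed the same spoof configuration, the pattern the reply above describes.
    """
    accounts = defaultdict(set)
    for d in devices:
        if d.get("serial"):
            accounts[d["serial"]].add(d["account"])
    return {serial for serial, accts in accounts.items() if len(accts) >= min_accounts}


def triage(devices, min_accounts=3):
    """Map account -> list of reasons, combining per-device and population checks."""
    shared = serial_collisions(devices, min_accounts)
    report = {}
    for d in devices:
        reasons = check_device(d)
        if d.get("serial") in shared:
            reasons.append("serial shared across accounts")
        if reasons:
            report[d["account"]] = reasons
    return report


if __name__ == "__main__":
    for account, reasons in triage(SAMPLE_DEVICES).items():
        print(account, "->", "; ".join(reasons))
```

The per-device check only sees how the card presents itself, so a firmware that reproduces a genuine card's full config space passes it; the population check catches that case as soon as enough people run the same image, which is the weakness the replies above attribute to the shared firmware.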
Thank goodness I get most kicks out of games that are open source and receive donations, to which I contribute. This is a business model I can get behind. Lately Battle for Wesnoth and OpenTTD captured my interest. Mainly because I have no time for gaming. No thank you stay out of the kernel. If you are a programmer and have a time for streaming, you are not a really good programmer, because programming pays much more than decent streaming.
My issue with this is that cheaters aren't using injection cheats. At least not the good ones. They have DMA cheats or other ways that require something either more invasive or entirely new to catch. Someone with Google and $40 can figure out how to do this. Especially frustrating in very high ELO FPS lobbies like I'm used to playing (CS Faceit 10 / Valorant imt3-radiant); these dudes, without something more invasive, can just run free. Unless they have something that can detect if something is reading the memory that shouldn't be.
Carnal anticheat would be even better 🙃
does uninstalling Vanguard remove it completely or can it somehow still take screenshots and have access to computer files?
With vanguard the only way to be sure that it is gone is to format and do a clean install of your OS. I'd go as far as to do so for all of your drives (if you have multiple) even if the other ones didn't have it installed, since it could have left traces of itself everywhere.
That's something that Thor didn't mention, kernel level access isn't just access to all of your memory, it's full access to all of your hardware, with full permission to do whatever it wants.
Vanguard currently only takes screenshots of the fullscreen window of your client and/or your game (a match for example), a common process for most anticheats; it even has checks in its codebase to make sure it's printing the actual game window. I don't like how Vanguard works, but uninstalling it the traditional way and removing any temporary files and folders is enough.
Another reason why I love Linux. EAC and BattlEye instances run as userland processes, they aren't kernel level over here.
been sober from league since they made vanguard a requirement, thank you riot.
This is why I am unwilling to support games with these programs in them. "Least necessary privilege" (or whatever other jumble of words you'd like to call it) has kept me and my organizations fairly secure for decades--I see no reason to change that now.
So how do I properly uninstall it?
you don't. I promise the anti-cheat has more benefits than drawbacks
Wipe your hard drive and reinstall your operating system. If you trust the author of a kernel level program, then you might be able to use their uninstaller but... if you're removing it because you don't trust them I wouldn't trust that they're removing everything.
@@averageguy3902 lol
@@futuza wouldn’t they have to break the law to leave stuff on your system after you have revoked consent?
Assuming that they’re aware it would be illegal, they’d have to have a very funny love of risk to justify doing that. I mean the government could close down their business for that if they got caught
@@futuza well you would see that reflected in the processes and services, no?
So how do we “unaccept” kernel level anti cheats? Can you give an example of what anti cheats use it as well, so I know what games I need to potentially stay away from?
Thor should have drawn more boxes.
So how soon will the cheaters switch to running the game in a hardware VM and putting the cheat code in the hypervisor? Or heck, feed the monitor output to a video in device on another machine, ML the data the bot needs from the video stream and feed back the commands to the USB ports on the first machine? Heck, I'd bet someone already makes a "hardware video embeder" chip (or FPGA module) for doing real-time processing of camera feeds so that might not even take a very powerful second machine.
Risks are troublesome, but hey, unless I'm losing money in bank account from giving kernel access level for a game, it really doesn't bother me.
Very little knowledge of this but:
What stops you from filling the allocated memory of the game with 1's. And the moment you notice any of them change without the program's doing, insta ban?
If you fill all the allocated memory with 1's you will crash the program.
@@JohnBlackCyberSec why is that?
@@alexisJonius They only design the program to be able to handle up to 80% 1's because no normal use case would go above it. Once it's all 1's it would be too heavy and the bottom would break and the program would spill out onto your computer
@@alexisJonius Because a program is literally a list of instructions and if you change all the instructions to be nonsense then you can expect undefined behavior which is almost 100% certain to cause a crash.
@@alexisJonius What you're suggesting is one of two things: (1) fill all available system memory with 1's, which will crash the system the moment something tries to use memory that isn't available and it can't free it fast enough. You'd be destroying system wide performance and stability, and the only way to avoid that would be to (2) pre-allocate memory for the game to run in, fill that memory with nonsense, and then dynamically free and reallocate memory as needed for game resources. Not only does that essentially guarantee all sorts of bugs, but it actually creates a new attack vector since an attacker could target the free/reallocate feature in such a way as to be indistinguishable from intended behavior. Even though games already run these kinds of dynamic free/reallocate features, they don't run inside of a pre-allocated memory space which is being filled with nonsense. It actually makes it easier to distinguish intended from unintended behavior that way. Your idea would increase the likelihood of bugs AND attack vectors at the same time without improving performance, stability, or security. In other words, there's a reason no one has done this.
If you crash in certain games they will screenshot your desktop; if you're cheating all your software will be in that screenshot
If you use kernel level anticheat I cannot buy your game because it won't work. The underlying accessibility fixes I require on the OS to run the game at all are completely incompatible with kernel level anticheat.
If you are someone who is reliant on accessibility accommodations to be able to use a computer you are probably not someone who is playing fast-paced competitive games such as the one being referenced in this video
@@toooes I have seen people with accessibility play valorant. They deserve to play games too.
@@kakorotskywalker specifically talking to the person who “won’t buy this game” because they didn’t watch the video and don’t know wtf they are replying to
going to jail just because I had no clothes on is kinda harsh but I understand the sentiments
If you ever get bored someday call of duty needs your advice😂😂
riot did me a favor with vanguard, its helped my mental health by making me uninstall league, good riddance lol
Let's goooo
every phone I get ends up getting attacked at the kernal level. Super disappointed in technology these days. Thanks government.
?
Free to play , just give me full access to your data
Reasons why I uninstalled GTA Online
Here to find the comment that says "i have nothing to hide, let them all in *derp*".
it is 2024, any viable cheat does not inject memory into your game
yes that is pointed out at 1:32. So, I think that is what Vanguard is trying to catch when process injection is being circumvented by duplicating the memory: it's surveilling the machine for either anything looking like a copy of Valorant memory or (perhaps) the instructions of any process copying memory allocated to another process, as flags for cheating behavior
@@toooes and that is why kernel level anticheat is ultimately something that will be necessary this late into the cat and mouse game
@@dkirby1906 that “evil necessity” is what the rest of the video argues against :| did you watch it…
@@toooes he argues that kernel level anticheat is like allowing cops in your house without a warrant, which is true to an extent, but here is the REAL problem.
Cheaters that abuse DMA, hardware, and kernel cheats are uncommon in low elo
Cheaters will be all bunched up into high elo
The % of cheaters in games is so much higher in high elo
Streamers and top players start complaining and recommend normal players stop playing. Even complaints will cause normal players to be suspicious of good players (this is the state of CS2 matchmaking)
your game dies and no one wants to play it
you make no money, because your whole dependence on money is abusing playtime to sell skins.
So his argument is true to the extent that you're letting the cops in, but in the other sense the game wouldn't exist if it didn't make money. The FPS game market is a WHOLE different market than MMO bot farming.
@@toooes Counter strike circumvents this by offloading the top players and pro players to faceit
so whats your solution then?
This is why I quit League. Not worth the price and to be honest I had too much salt anyway.
LOL 8 years of wow botting. Never once saw a ban. Amazing job.
Just don't share it around and try to make money from it. You can go undetected for 8 more. And stfu about it. ;>
The first rule of getting away with something is... No you didn't.
Legally?
You got one of those radio voices , haha you could get a job in sports broadcasting easy
Luckily on Linux there are no Kernel level anti-cheats ^^
Well, you answered the whole question with yes, but only part of it is yes. The anti cheat is not allowed to upload the data to their server, at least in Europe because of our data protection laws (don't know about US laws tbh). So yes, it can see the whole RAM, but it is not allowed to upload the data to any server etc. So the first part of the question is yes, the rest is no, and the rest is the most concerning part, because here the data can be seen by the AC locally on your PC, but also only processed there. No data not pertaining to the game can be sent to a Riot server and many people tried to prove that Riot does this but couldn't find any. No network packets etc.
I think it's dangerous to take such a compound question, just take the first part and answer it with yes disregarding the rest, because that creates the assumption that all of the question was correct. I don't think you did it intentionally, but it's still misleading.
There are still many concerns with kernel level anti cheat even with that in mind. So much so that your point is unfortunately moot.
For starters, at the end of the day if the code isn't open source, you cannot trust it. The government and the game company can promise that none of the data is being sent to the server all they want, but that doesn't change the fact that they can still do it and potentially get away with it. Google getting caught (and sued I believe) for still tracking your incognito searches to use for ads comes to mind.
Secondly, kernel level anticheat still has the issue of security. It is bad practice to expose the kernel of an OS to any program willy nilly, as kernels were invented mainly for security, i.e. preventing random (and untrusted) programs from having free reign on the computer. Recently, a ransomware virus has been getting around thanks to its ability to latch onto Genshin Impact's kernel level anticheat and use it to bypass Windows Defender.
Laws only affect those willing to play nice or those without the ability to pay for good lawyers.
You did mention that people tried to prove that Riot doesn't send data to their servers in EU, but that way alone isn't exhaustive for *any* strategy that they could use to obfuscate that data collection nor does it prove that they won't start doing it later on.
While I agree that making such an act illegal is a step in the right direction, at the end of the day, the better thing to do is to find an alternative to KLAC entirely.
I just wish that, despite all of the warnings against it, the complete lack of abuse of such platforms is weird. People like to draw threads like Vanguard is owned by Riot and Riot is owned by Tencent and Tencent is a "supposed" CCP entity. Yet not a single soul was able to prove any of it is going anywhere in this techy and information age. That being said, if regular anti-cheat was reliable I wouldn't bat an eye. But it works. If anything, non-kernel level anti cheats have lost a lot of faith. Valorant is a haven compared to CS because of the complete lack of cheaters in my experience.
I just can't imagine a scenario where my data getting stolen by some big corpo or country will ever change my life unless I'm fucking with things that need protection. If Vanguard was stealing everyone's data, what for? To all at once take over the world via video game anti-cheat? Obviously we leave the door open, but until any cybersecurity specialist comes forth and says what they're doing, what's the point. No point listening to people rambling about how China is a vampire that owns Tencent and wants to harvest our data to build a mega rocket to nuke the moon.
Underrated comment.
If you cannot imagine a scenario where this might needlessly impact you negatively, it flaunts your ignorance on the subject rather than debunking the concerns about kernel-level anti-cheat. You ought to heed the advice of the security experts instead.
@@jaghatarkebab2020 Can you share such a scenario that's borderline realistic?
It's less about any personal impact on your privacy, and more about keeping a check on how much these corporations gain power overtime by not having this privacy-breaking behavior be normalized. It's analogous to voting on a political candidate. Your vote itself won't have any sizeable impact, but raising awareness is important on the bigger scales.
2:14
...except that isn't true in an awful lot of places now...
They demand entry, you say no, they call for backup, cause a massive scene, gain entry other than the front door, ransack your house, find no evidence of a crime, leave, and suddenly your phone, laptop, and various other personal belongings are gone, and since you had no way of recording them doing it, there is no evidence the police took anything.
His analogy is still accurate though, rogue programs can write to memory that they're not supposed to. It's just illegal, just like cops.
Gaming ain't that serious, human anti-cheat is better than any anti-cheat. Prove me wrong.
Tell that to players who are playing at the highest level, for money. It might not matter to us normies, but having a reliable way to detect cheaters is definitely a necessity
It is not a reliable way to detect cheaters.
And in settings where there is money at stake the computers in use are heavily monitored, so the whole issue of not having control over clientside data becomes irrelevant.
You need both. You need machine learning based algorithmic anti-cheat to flag things in real time, with edge cases and appeals then being handled by people. It's not cost effective to have swarms of people watching live gameplay; unfortunately, companies go the opposite direction and gut their entire anti cheat teams after setting up an alpha state anti cheat tech stack, make sure it has kernal level access so they can accumulate more granular data than they need, and flip that data on the back end to advertisers for an additional stream of income, on top of the cut wages.
@breeban3388 actually the opposite, paid matches are done on private servers, not in public lobbies, so they are not affected. And if someone decides to cheat they can easily be caught because they are being monitored very closely by organizers (the Apex situation is a shitshow and an outlier).
Rampant cheating in public lobbies on the other hand kills games. Because no matter how good the top 100 players are, if there are no people playing the game it's dead.
Not true at all. this kind of anticheat automatically can ban code/input injection, leaving only the most clever methods i.e. reading memory through a hypervisor and mocking the thread input message queue or computer vision/color vision bots.
But like, don't the cheats also have access to your kernel? It's kinda untrustworthy from Riot but I would rather trust them with this than someone literally making illegal cheats to have this kind of access to my stuff
The people cheating don't have access to your computer
the amount of bs is crazy. League is a competitive game where most of the scripters were in Master+ (crazy right?). WoW has had botters, cheaters and dupers in a way bigger amount and Blizzard did nothing about it. One company cares, the other one doesn't
ye fr its crazy how much people cry about rampant cheaters in cs2 and other usermode anticheat games then bitch when big scary kernel driver is present
My sides 🤣🤣 *kernal*
I see it being mistyped like this so often, it leads me to believe many think that's what the actual word is.
If kernel level access isn't ok, what else can anti cheat developers do to combat the constant cheaters rising?
I don’t like it but I don’t like cheaters more so I don’t even know what to think
Well, are you willing to sell your soul and shake the devil's hand, just to reduce the chance of cheaters? It's not even 100% efficient btw, cheaters can get around that. It just increases the barrier of entry, and once it is breached (which they frequently do), they distribute new programs (or whatever) to cheat.
The alternative is a simple cheating-reporting system and server-side detection of cheating. This is what I am going to do as well for my game. The server will check every ~10th data package incoming (otherwise it would be too much) (for example the player's position) and when it detects something weird (too much distance in too short of time), it will increase the suspicion level of that player and check more frequently (or all packages). After all it could have been some mistake, but to be sure it needs to detect that behavior multiple times. Someone who cheats once will cheat multiple times.
And it doesn't require any invasive client-side programs, and I don't need to play arms race with cheaters on a highly complex kernel level. All it takes are some smart algorithms.
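The server-side scheme described in the comment above (sample roughly every 10th position update, escalate to checking everything once a player looks suspicious), as an added example by the editor, not the commenter's own code. Two details are the editor's additions and are assumed: the sample is chosen at random rather than strictly every 10th packet, so a cheater cannot time jumps to land between checks, and the comparison is always against the last checked position, so skipped packets still count toward the distance the player must have covered. Timestamps are the server's receive times, never client-supplied. The traffic in `run_demo` is constructed.

```python
import math
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PlayerState:
    last_pos: Optional[Tuple[float, float]] = None  # position at the last *checked* packet
    last_t: Optional[float] = None                  # server receive time of that packet
    suspicion: int = 0


class MovementValidator:
    """Server-side plausibility check.

    The client may report any position it likes; the server only accepts it if the
    distance from the last checked position is reachable at max_speed in the elapsed time.
    """

    def __init__(self, max_speed, base_sample_rate=10, flag_threshold=3,
                 tolerance=1.2, seed=0):
        self.max_speed = max_speed
        self.base_sample_rate = base_sample_rate  # check ~1 in N packets for unsuspicious players
        self.flag_threshold = flag_threshold      # violations before the player is flagged
        self.tolerance = tolerance                # slack for jitter, lag compensation, rounding
        self.rng = random.Random(seed)            # seeded only so the demo is reproducible
        self.players = {}

    def _should_check(self, st):
        if st.suspicion > 0:
            return True  # escalate: a suspicious player gets every packet checked
        # random sampling, not "every Nth", so a cheater cannot predict unchecked packets
        return self.rng.randrange(self.base_sample_rate) == 0

    def observe(self, player, t, pos):
        """Feed one position update. t is the server's receive time. Returns a violation label or None."""
        st = self.players.setdefault(player, PlayerState())
        if st.last_pos is None:
            st.last_pos, st.last_t = pos, t
            return None
        if not self._should_check(st):
            return None  # skipped packets are still covered: the next check spans all of them
        dt = t - st.last_t
        dist = math.dist(pos, st.last_pos)
        st.last_pos, st.last_t = pos, t
        if dt <= 0:
            st.suspicion += 1
            return "bad_timestamp"
        if dist > self.max_speed * self.tolerance * dt:
            st.suspicion += 1
            return "impossible_speed"
        return None

    def flagged(self):
        """Players whose accumulated violations reached the threshold."""
        return {p for p, st in self.players.items() if st.suspicion >= self.flag_threshold}


def run_demo(packets=200, tick=0.1):
    """Constructed traffic: an honest player moving at 40 units/s (limit 50) and a
    cheater teleporting 100 units every tick. Returns the validator for inspection."""
    v = MovementValidator(max_speed=50.0)
    for i in range(packets):
        t = i * tick
        v.observe("honest", t, (4.0 * i, 0.0))
        v.observe("cheater", t, (100.0 * i, 0.0))
    return v


if __name__ == "__main__":
    print("flagged:", run_demo().flagged())
```

This only covers the class of cheat the comment is talking about (impossible movement). Aimbots and wallhacks need different server-side tools, such as not sending the client entities it cannot see, and statistics over many games, since a single plausible-looking packet tells you nothing.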
My solution is play the game where you don't need to fight with cheaters.
The trick is to find developers that make games that make everything server side and do not trust the client for anything. For example, your Bank likely doesn't trust their banking client app not to do naughty things with money.
@@futuza doesn't change the problem at all
@@futuza yeah its so easy to find a GTA alternative that plays exactly like GTA does and has exactly the same story and characters GTA does... oh wait.
*I really don't mind it because I play a game with a massive cheating problem that kind of ruins the whole thing and by one conservative estimate there is a cheater in 50% of the lobbies.* So Thor's proposition of the police constantly looking at your kitchen is a lot more reasonable when half the time you go in your kitchen there's a random naked person standing in it
Yes, because playing a video game is so important that EVERYONE playing it should have no privacy by default. Weird flex bro
annnnnd vanguard is in the hands of the ccp, no thanks! as soon as LoL started using it, i quit.
kernel*
Thanks my dyslexia didn't see it
tough watch
why? Did you not like his explanation or do you like Kernel level anticheat? /gen
@@hd-bild1513 the explanation is garbage and has 0 logical thought. He argues that usermode is safer because it's "against the law" to access user files, and that kernel mode access allows anticheats to just randomly upload files to their servers for analysis legally. Dumbest thing I've heard in a while; this is NOT how Vanguard works nor ANY KM anticheat outside of China (I've heard ACE can just randomly upload files to their servers for analysis). idc about kernel mode anticheat, and I don't think it's the perfect, ideal solution, but this is just fear mongering for no reason
@@iris.87 it's not super illogical to not trust a list of corporations not to peek at your data, especially when you explicitly allow them to (aka it's not illegal to take a screenshot of your PC if you explicitly install a kernel level program, right?). I mean look at Google. Also the uploading screenshots thing seems like it's real to me. And Riot is owned by a Chinese company and, not to hate on China, but they do have a rep for peeking where they shouldn't.
@@iris.87 Look up crowdstrike and be proven wrong by reality.
@@iris.87 riot bot
ring 0 ac is basically an easier way to have an anticheat, since it has a very deep control of your hardware. But assembly written ac can easily be better than kernel ac. Kernel (ring 0) ac is just a lazier way to have a strong anticheat,
How would coding the anticheat in assembly help in anyway?
This is probably the most stupid comment I've ever read.
ngl COD needs this type of anti cheat
nothing needs this type of anti cheat
already has it, ricochet is just a terrible anticheat that was recentishly developed
in truth, NOTHING needs kernel level access to your computer other than the operating system and the antivirus measure shipped with it (meaning like Windows Defender, not any pre-built OEM contract programs). Any other program that wants kernel level access is something that isn't needed, and is a huge privacy concern especially in our capitalist society that loves to get your information in any way possible and sell it to the highest bidder. A kernel level anticheat may be more efficient at its job in some scenarios due to its capability to access all memory on the machine, but at least in my opinion, that added efficiency is nowhere near worth the privacy violations that can legally occur since you're willingly giving them kernel level access to do whatever they please on your machine. This also means that if, somehow, that kernel level software, which has been given permissions, gets hijacked by malware, it can now do whatever the hell it wants, and your antivirus will most likely never detect that it's there.
Edit: Fixed a wording oversight when referring to installed antivirus programs, I originally said any installed antivirus, which is definitely not the right call, especially with Pre-Builts being shipped with bloat like Norton or McAfee. Thanks to @iris.87 for pointing that out.
@@raviexthegod quick reminder that usermode antiviruses have literally sold your data in the past, not really sure why you think antiviruses are safe, or that you need kernel mode access to find & sell said data..
@@iris.87 not saying that you need kernel level access to find data; what I'm saying is that, similar to Thor's analogy in the video, would you rather the cop have to get a warrant to come in, i.e. find a way to scrape data, or just give the cop verbal consent to rummage around as they please, i.e. kernel level access. And with the antivirus I was referring to Windows Defender, which, while part of the OS and it does ship with it, is a separate program in and of itself that integrates deeply with the OS. I simply worded it wrong, re-reading my original comment.
another L take from this guy
CCP shill says what?
Give a solution or don’t complain
There never was a problem. They engineered this problem by deliberately doing nothing regarding cheaters, so they could implement their invasive solution. Cheaters were never a big deal in league when they were actually using their server side detection, and any issues in high elo could be solved by hiring a single person to manually review games. But their corporate overlord enemy government wanted access to more data, so we get this mess.
dumbest thing ive heard in a while lmao, do you really live by this asinine rule?
Never trust a client, do all calculations server side. Multiplayer game devs have known this since the '90s, but it's hard to do so they implement these lazy fixes. Also if your game doesn't make that possible, you have a bad game design and you should be making a single player game instead or hiring more competent devs. The only other solution is to make sure that you game on a computer that is only used for the kernel level anti-cheat game and nothing else. But requiring consumers to have two PCs is a terrible idea.
@@futuzathat doesn't change anything, it's already what's happening in 99% of games and I'm saying 99% because of gta online and that's it, wallhacks and aimbots are not affected by this at all
@@bapoTV wallhacks are mostly a client side issue, if clients remove walls the server should not be giving them information about what lies beyond that. With aimbotting it's a fairly minor issue that pretty much only affects the FPS genre and is easily fixed with a robust reporting system and some statistical tracking.
i think this is interesting kernel level access does suck but if it results in better league games and less cheaters its probably a good thing overall
not for me. no more league on linux:(
@@hanz.b_ lmao well I guess it's time to switch to Windows then like every other normal person
@@hanz.b_ Hi, i really suggest trying dual boot, i really like TFT (i don't play much league) and so after vanguard happened i couldn't play for a long time. Then i switched from NixOS to dual booting ubuntu and windows 10! It's really easy if you have the memory for it, around 300-200GB for windows will be more than enough. You can make the partitions yourself, and more importantly you can play most games on ubuntu now with drivers actually being updated and patched to linux kernel 😂.
@@monadoboy9639 you are not a person
it can also lead to massive data breaches if a vulnerability from a kernel level anticheat is ever discovered by malicious actors (who will try to because it'd be a giant prize to black hat hackers) so you better hope that any kernel level anticheat you put on your machine is coded with absolute iron security AND that no novel ways to exploit it are ever discovered.
If kernel level stuff looks at the entirety of your PC, why are there still cheaters? There is no more to offer the anti-cheat software and company. Yet they still fail to ban the cheaters. It makes no sense. What more could they want
because modern cheats are in the kernel too and can hide themselves, it's a cat and mouse game as always, there's also DMA devices now which are basically hardware cheats
@@bapoTV good catch, I wonder how much deeper this will go, competitive games by nature have this problem and I don't think there will be a definitive solution that is not intrusive, maybe the way is just have a spare machine just for gaming and plug a kvm switch to change from work/personal to gaming rig, dunno.