Riot Vanguard is a ring 0 (kernel) custom anti-cheat security software developed by Riot Games. It is designed to uphold the highest levels of competitive integrity for League of Legends, Teamfight Tactics, 2XKO,[2] and Valorant. The application consists of a kernel-mode driver that starts on system boot and passively monitors the system, and a client that actively monitors the system any time Riot Client, League Client, or League of Legends is open. Vanguard is developed with a priority on both game safety and personal computer safety.[3]
History[]
Vanguard was originally developed for Valorant. When Vanguard launched together with Valorant in 2020, Riot Games made the decision to have Vanguard utilize its on-boot positioning to prevent known signed-but-vulnerable drivers from loading in their entirety. This measure aimed to thwart cheaters from loading their own drivers or leveraging cracked services to do so, thereby subverting Vanguard.
However, Riot were not aware of the extraordinarily specific hardware configurations utilizing bespoke's broken kernel drivers to communicate instructions to relatively obscure devices. In one infamous case, this included a driver that was responsible for keyboard lighting. Cheaters unfortunately were able to use this otherwise properly signed driver to load their own malware, allowing them to "look" like a clean Windows installation (with cert verification still enabled), yet still be running kernel-level cheats. Because this driver was only for keyboard lighting and macros, Riot kept the driver deny-listed until the developers released a new one.[4]
In 2023, Riot experienced a significant data breach that resulted in public exposure of the source code for both League of Legends and its anti-tamper software, Packman.[5] This, alongside outdated anti-cheat software and a rise in botting and scripting, prompted them to use Vanguard as a more sophisticated security system.[6] The macOS version of League of Legends would use an alternative method due to the operating system architecture being vastly different from what Vanguard supports.[7]
The rollout plan for Vanguard was scheduled to commence in patch V14.5, initially intended for a global launch. However, instead of launching worldwide, Vanguard debuted with an initial launch in the Philippines (PH) server in V14.8 for integrity checks and potential bug tracking.[8] In the patch notes for V14.5, Riot mentioned launching Vanguard in the Philippines server. However, Riot Sakaar clarified that the given date was a mistake and efforts were made to remove the misleading date from all regions.[9]
The global release occurred in patch V14.9.[8][10] In the week following Vanguard's launch, less than 0.03% of active players had reported issues, predominantly related to common errors resolvable through player support or troubleshooting.
Some niche cases involved users' BIOS settings, which Vanguard does not alter. Users are responsible for configuring BIOS settings as needed. For instance, one player had inadvertently enabled SecureBoot with a highly customized configuration. While Vanguard utilizes SecureBoot for Valorant, it is not employed for League due to potential compatibility issues with older hardware, which was a key factor in the delayed launch.[11]
Controversy[]
Despite its intended purpose of maintaining fair gameplay and deterring cheating, Vanguard's implementation and functionality have raised concerns amongst the player base. The Head of Anti-Cheat, Phillip 'MirageOfPenguins' Koskinas, tried to shed light on some of the concerns the community has had about the incorporation of Vanguard.
In response to the criticism of the lack of transparency, Koskinas stressed that the developers' silence on certain aspects of Vanguard's functionality is not rooted in strategic ambiguity, but rather to safeguard the integrity of their anti-cheat systems. By withholding certain details, Riot aims to impede cheat-makers from exploiting vulnerabilities and creating more sophisticated cheating mechanisms.[12]
Detection Limitations[]
Since Vanguard runs at the kernel level, it is able to detect cheat software that also run at the kernel level as well as any lower level, which are the vast majority. However, certain cheats may run with even higher-level privileges (reserved for very low-level computer operations) which can be granted to potentially evade its detection capabilities.
For example, DMA-based cheats directly access system memory, bypassing traditional detection methods that rely on monitoring external processes. Similarly, scripts created with Auto Hot Key and Pixel bots, which automate gameplay actions, can sometimes mimic human behavior closely enough to evade detection by Vanguard.[13]
Alternatively, fully external or even hardware means of illegally enhancing gameplay (e.g. mouse modifications, cheat-focused automatons) have the potential to completely bypass any software detection. As the arms-race of cheating algorithms improve, this poses the question of whether the existence and nature of a kernel-level anti-cheat driver (such as Vanguard, and many others) is sufficient against the occasional presence of kernel-level cheating software. This problem is universal.[14]
It has been a challenge for Riot Games to deal with the evolving state of cheating methods. One such field that Koskinas acknowledged are DMA-based cheats, which often involve utilizing external hardware devices to inject cheat-related code discreetly into a gaming system. For nearly six years, Nick 'Everdox' Peterson has done extensive research into this technology. Thanks mostly to his expertise, Riot has been able to stay ahead of the worst of them.[12]
Lack of System Safety[]
Riot Games has not provided an official guarantee ensuring the security and integrity of users' systems in the event of a breach of Vanguard's software.
When a program operates at the kernel level, any vulnerability in that program can potentially be exploited to breach into the entire system.[15] Unlike software that operates on a higher ring, kernel-level software does not just crash―it takes the whole system with it, potentially corrupting it before the next boot. This can be caused by a simple mistake by the developer of the driver, which inherently means that introducing unneeded kernel software into your system can increase the chance of instability.[15]
Privacy Concerns[]
A common concern is the perception of Riot's ties to its parent company, Tencent, headquartered in China. Many players worry that due to the fact that Tencent operates within the People's Republic of China, Riot Games is subject to the National Intelligence Law of China. This law states that in the scenario where the Chinese government finds it necessary for its nation's state security, it is able to compel businesses that are registered or are operating in the People's Republic of China to divulge data regardless of which country that data came from and to do so clandestinely.
Koskinas, backed by Riot's corporate communications team, flatly denies this, with two main supporting arguments:[12]
- Minimal Data Collection: Vanguard's driver itself has no connectivity to a server and primarily conducts preventative checks upon booting to ensure Windows is in a trusted state. Once a game is launched, Vanguard merely confirms system integrity for gameplay, without transmitting files back to Riot servers. Koskinas asserts that data collection is kept to a minimum, with stringent retention rates and a focus on shipping queries to clients with binary responses (true or false).
- Strict Firewalls with Tencent: Koskinas clarifies that Tencent does not have access to Vanguard and highlights minimal interaction between the two companies. He also noted that Tencent does not utilize Vanguard in China, mainly because they have different problems to solve. Their attack surface is huge and they still have to support Windows 7, an operating system not supported by Riot Vanguard.
The purpose of Riot Vanguard’s driver component is not to collect more information as the client can already see everything it needs to know from user-mode alone. Instead, Vanguard's primary goal is to confirm the game is currently running in a trusted environment. This reduces the number of detections that have to be created, the amount of data that has to be collected, and most importantly, the ease with which any prospective cheater can access the game.
Vanguard is not really "running all the time” however. The driver loads at boot, but nothing is making calls to it, and there's no network connectivity until you run one of Riot's games. This means nothing will happen between Windows loading and the game starting that would break the operating system.
When you launch League, the Vanguard client contacts the driver to confirm that the enivorment the game is running in can be trusted. If so, you receive a valid anti-cheat session and may connect to the game server. Instructions from the client then start enabling features within the driver to watch for things that might tamper with the signed League process and prevent them. You can always disable the driver whenever you'd like-you'll just need a fresh reboot to "recertify" the integrity of the trust chain before you jump into game.[4]
Reduced Accessibility[]
The current Lutris-based implementation for League does not satisfy the Vanguard driver requirements. Linux does not currently afford sufficient ability to attest boot state or kernel modules, not to mention the differences between distributions. Even allowing emulation is exceptionally dangerous, as many cheats could then just run on the host, manipulating or analyzing the VM in a way that would be invisible to Vanguard within it.
Vanguard's job is to make sure that the environment hasn't been tampered with, which is extremely hard to do on Linux by design. Any backdoors left open, are ones developers will immediately leverage for cheats. Riot Games decided that this risk is not worth the payoff. As a result, League of Legends will completely prevent Linux users from playing League of Legends for the foreseeable future.[4]
In addition, since Vanguard actively oversees the system, it may also block any third-party software that tampers with the game's files indiscriminately, which may potentially include legitimate software. One notable category of legitimate third-party programs that users have raised concern for are custom skin modifications.[16][17]
Although Riot hasn't provided a general statement on the impact of non-cheating software, RuneForge, a platform for League of Legends custom skin creators, confirmed that their CSLol-Manager works with Vanguard through a new DLL patching option. Users can enable this by going into settings and activating the "Experimental DLL Patcher" feature, ensuring continued support for custom skins in League of Legends.[18]
Trivia[]
- The region of China will use Tencent's ACE Anti Cheat instead of Riot Vanguard.
- Third party tools, like Porofessor, Blitz, Facecheck, etc. can maintain functionality when Vanguard is active, provided they use the proper Riot APIs and do not exfiltrate information directly from client memory. [4][19]
- Windows 10 devices don't necessarily require Secure Boot, contrary to what official guides may suggest. However, Secure Boot is still required on Windows 11 devices.
- Microsoft requires TPM 2.0 for all new Windows 11 installations but their enforcement of it was easily bypassable. Riot Games took a stricter approach by enforcing TPM 2.0 on any device that uses Vanguard. As a result, certain Windows 11 users might face difficulties accessing League of Legends, particularly if they had previously modified registry keys to circumvent this requirement. [4]
- As an April Fools' Day joke, the Anti-Cheat team revealed a faux rendition of the "Official Vanguard Anti-Cheat source code" on GitHub.
References
- ↑ Vanguard Restrictions
- ↑ 2XKO on Anti-Cheat and Rollback Netcode
- ↑ Riot Vanguard FAQ
- ↑ 4.0 4.1 4.2 4.3 4.4 Dev: Vanguard x LoL
- ↑ Riot data breach
- ↑ Vanguard announcement
- ↑ Brightmoon on Vanguard for Mac users
- ↑ 8.0 8.1 K3o on Vanguard's release on live servers
- ↑ Sakaar on Philippines launch in V14.5
- ↑ Gameplay, Vanguard & More Dev Update League of Legends
- ↑ K3o on Riot Vanguard's launch in League
- ↑ 12.0 12.1 12.2 Interview with MirageOfPenguins
- ↑ The Cracks in Riot Vanguard's Shield
- ↑ The Anti-Cheat Arms Race
- ↑ 15.0 15.1 The Risks Of Kernel Level Access
- ↑ Content Creator: Drututt on custom skins and Vanguard
- ↑ Content Creator: SkinSpotlights on recording & showcasing tools and Vanguard
- ↑ Runeforge on League of Legends' continued support for custom skins
- ↑ K3o on Legitimate Third Party software