My brother claims that Vanguard for League can do the same to gaming PCs that install it as CrowdStrike did to businesses who installed that, is this true? Does Vanguard have as much access/power?
My brother claims that Vanguard for League can do the same to gaming PCs that install it as CrowdStrike did to businesses who installed that, is this true? Does Vanguard have as much access/power?
You're viewing a single thread.
Preface: I'm not an expert in this yet but I'm pretty interested in learning about systems-level topics so if I'm wrong please correct me!
Yes, the thing about anticheats and anti viruses is that they are only useful when they have access to the underlying resources that a virus or cheat engine might try to modify. In other words, if cheating software is going to use kernel-level access to modify the game, then an anticheat would also need kernel-level access to find that software. It very quickly became an arms race to the lowest level of your computer. It's the same with anti viruses.
IMO the better strategy would be to do verification on a server level, but that probably wouldn't be able to catch a lot of cheats like wall hacks or player outlines. At some point you just have to accept that some cheaters are going to get through and you'll have to rely on a user-reporting system to get cheaters because there will always be a way to get past the anticheats and installing a separate rootkit for each game isn't exactly a great idea.
They do do a lot of verification on the server side. Since unreal introduced their server-side-lagged-approval networking model, all local movement and most shooting can be retracted by the server.
But what a ring 0 level driver is looking for is other software, like aimbots, modified assets (transparent walls, custom shaders etc) etc. To be able to detect all that it needs to be level 0.
What I would trust more is if Microsoft acquired one of these companies and worked across the industry to root cheating out. Giving some random company ring 0 access feels completely off to me.
Couldn't aimbots be picked up as odd movement and be detectable on a server though? Kind of similar to how those "not a robot" checks can tell if a human is clicking on the box just by looking at the movements of the cursor.
In addition, things like textures and game-modifications could be picked up in part by things like checksum verification to make sure the client is unmodified (assuming the files are modified on the disk and not in memory)
I feel like most client-side changes like see-through walls or player highlighting make themselves pretty obvious when aggregated over multiple games. A good user-reporting system could probably catch most of these.
I definitely agree though, allowing multiple random companies to install ring 0 rootkits should not be the norm. Honestly, even a Windows-level anticheat would be problematic because it would only worsen the monopoly Microsoft has on competitive games as a platform. A new solution would need to be cross-platform or else it would only be marginally better than what already exists.
Aimbots dont need to do a lot to provide advantage at the highest level. Moving “perfect aim” from 1x1 pixel to 3x3 pixels, but with 33% probability would provide a huge advantage and be undetectable.
Modified assets cannot be verified unless you lock the system down, like an Xbox. On a PC? No way. You can combat it by sitting in ring 0 (which is what anti cheat software does) but you couldn’t just check some checksums.
In terms of aggregating data and spotting something like see-through walls, there isn’t the statistical method to discern between great intution built over years of playing the same map and having see through assets.
I used to work in AAA game development, across most of low level (graphics, networking, memory, assets etc) so unfortunately I know this problem is nigh on impossible to solve unless you have a locked platform.
One Minecraft server I played on installed a program for blocking x-ray hackers (a type of hack that lets you see valuable ores through walls so you know exactly where to mine).
The anti-xray mod worked by reporting to the user that the blocks behind a wall are a jumble of completely random blocks, preventing X-ray from revealing anything meaningful.
This mod resulted in massive lag, because when you are mining, every time you break a block, the server now needs to report that the blocks behind it are now something different. It basically made the game unplayable.
The server removed the mod and switched to having moderators use a different type of x-ray mod to look at the paths people mine in the ground. Those using x-ray hacks would have very suspicious looking mines, digging directly from one vein to another, resulting in erratic caves. Normal mining results in more regular patterns, like long straight lines or grids, where the strat is to reveal all blocks in an area while breaking as few as possible.
Once moderators started banning people with suspicious mining patterns, hacking basically stopped.
It’s possible to still hack and avoid the mods in this kind of system by making your mines deliberately look like legitimate patterns, but then the hacker is at best only slightly more efficient than a non-hacker would be.
That's kind of my point with hacks like player highlighting, I feel like a good user-reporting system would get us a lot of the way there. E.g. If someone is using see through wall hacks in an FPS I feel like it would be pretty obvious for other players to tell in a lot of cases. Other times things like erratic movements from aimbots could probably be detected by the server.
Could they not hash the contents of the game's folders and send that back to the server to confirm it's not been tampered with?
What stops you from tampering with the game folder, and changing the function that sends the hash, to send a pre-calculated and valid value, instead of calculating it from real files you are running?
So save files exist. Also custom user content. So the hash will change accordingly. Plus some cheats don't require a modification of game files anyway, they use memory analysis to get, say, the location of other player objects, then they manipulate local information to give the player an advantage. This is how aim hacks and wall hacks work.
Cheats are hard to prevent for the sole reason of you don't own the computer they could be running on. You can't trust the user or the machine, and have to design accordingly. This leads many to the "solution" that is kernel level anticheat, it gives total access to the system.
Games probably do this in some way already with something like a checksum but the problem is you could have some separate program reading from game state/display at runtime to get around this. That's part of why a lot of cheats are installed at a kernel-level.
I do agree that this would stop most cases but it doesn't solve modifications to files when they're in memory (which is why a lot of cheating software uses ring-0/kernel-level access to begin with)