Yup, kernel level “anti-cheat” is a rootkit spyware that “pinky swears” it’s only spying for a good reason.
I’m far from an expert, but Vanguard is a kernel-level program. If a kernel-level program crashed, the whole system crashes. So yes, any kernel-level program could do the same thing CrowdStrike did, intentionally or not.
Kernel-level programs can do whatever the hell they want.
I’m less worried about bugs causing boot loops with these kernel anti-cheats and more worried about security holes.
I’m sure they test these things thoroughly though and take security extremely seriously… right?
Preface: I’m not an expert in this yet but I’m pretty interested in learning about systems-level topics so if I’m wrong please correct me!
Yes, the thing about anti-cheats and antiviruses is that they are only useful when they have access to the underlying resources that a virus or cheat engine might try to modify. In other words, if cheating software is going to use kernel-level access to modify the game, then an anti-cheat would also need kernel-level access to find that software. It very quickly became an arms race to the lowest level of your computer. It’s the same with antiviruses.
IMO the better strategy would be to do verification on a server level, but that probably wouldn’t be able to catch a lot of cheats like wall hacks or player outlines. At some point you just have to accept that some cheaters are going to get through and you’ll have to rely on a user-reporting system to get cheaters because there will always be a way to get past the anticheats and installing a separate rootkit for each game isn’t exactly a great idea.
One Minecraft server I played on installed a program for blocking x-ray hackers (a type of hack that lets you see valuable ores through walls, so you know exactly where to mine).
The anti-xray mod worked by reporting to the user that the blocks behind a wall are a jumble of completely random blocks, preventing X-ray from revealing anything meaningful.
This mod resulted in massive lag, because when you are mining, every time you break a block, the server now needs to report that the blocks behind it are now something different. It basically made the game unplayable.
The server removed the mod and switched to having moderators use a different type of x-ray mod to look at the paths people mine in the ground. Those using x-ray hacks would have very suspicious looking mines, digging directly from one vein to another, resulting in erratic caves. Normal mining results in more regular patterns, like long straight lines or grids, where the strat is to reveal all blocks in an area while breaking as few as possible.
Once moderators started banning people with suspicious mining patterns, hacking basically stopped.
It’s possible to still hack and avoid the mods in this kind of system by making your mines deliberately look like legitimate patterns, but then the hacker is at best only slightly more efficient than a non-hacker would be.
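Both halves of that story (the server-side anti-xray obfuscation that caused the lag, and the moderators' mining-pattern check that replaced it) are easy to sketch. The following is an added example, not code from the thread or from any real Minecraft plugin: a toy voxel world, a `obfuscate()` that only sends real block data for blocks touching air, and a `suspicious()` heuristic that flags tunnels beelining from ore to ore. The world layout, the two mining paths and the thresholds are all constructed for illustration.

```python
"""Added example, not code from the thread or from any real anti-xray plugin:
a toy voxel world with (a) a server-side anti-xray obfuscator that only sends
real block data for blocks touching air, and (b) the moderator-side heuristic
that flags tunnels beelining from ore to ore. World layout, thresholds and the
two mining paths are all constructed for illustration."""
import random
from collections import Counter

AIR, STONE, ORE = 0, 1, 2
NEIGHBOURS = [(1, 0, 0), (-1, 0, 0), (0, 1, 0), (0, -1, 0), (0, 0, 1), (0, 0, -1)]
ORE_POSITIONS = [(3, 2, 2), (5, 4, 1), (2, 6, 5), (6, 1, 6)]  # constructed layout


def make_world(size=8):
    """Solid stone cube with an air shaft at x == 0 and a few buried ore blocks."""
    world = {(x, y, z): (AIR if x == 0 else STONE)
             for x in range(size) for y in range(size) for z in range(size)}
    for pos in ORE_POSITIONS:
        world[pos] = ORE
    return world


def exposed(world, pos):
    """True if any face of the block touches air. Outside the loaded region is
    treated as solid, so the cube's outer faces do not count as exposed."""
    x, y, z = pos
    return any(world.get((x + dx, y + dy, z + dz), STONE) == AIR
               for dx, dy, dz in NEIGHBOURS)


def obfuscate(world, seed=0):
    """What the server sends to the client: exposed blocks are real, every hidden
    block is replaced with a random filler, so an x-ray client sees noise.
    This view has to be recomputed around every broken block, which is where
    the lag the thread describes comes from."""
    rng = random.Random(seed)
    return {pos: (block if block == AIR or exposed(world, pos)
                  else rng.choice([STONE, ORE]))
            for pos, block in world.items()}


def ore_density(world):
    """Fraction of solid blocks that are ore: the baseline a miner should hit."""
    solid = [b for b in world.values() if b != AIR]
    return solid.count(ORE) / len(solid)


def mining_stats(world, path):
    """Ore hit rate and direction-change rate along an ordered list of mined blocks."""
    mined = Counter(world[p] for p in path)
    turns = 0
    for a, b, c in zip(path, path[1:], path[2:]):
        step1 = tuple(q - p for p, q in zip(a, b))
        step2 = tuple(q - p for p, q in zip(b, c))
        turns += step1 != step2
    return mined[ORE] / len(path), turns / max(len(path) - 2, 1)


def suspicious(world, path, hit_factor=5.0, turn_rate=0.2):
    """Flag a path whose ore hit rate is far above the world's ore density AND
    which turns often. Straight strip mines stay below both thresholds."""
    hit, turns = mining_stats(world, path)
    return hit > hit_factor * ore_density(world) and turns > turn_rate


# Constructed paths. A legitimate strip mine: one straight tunnel at y=3, z=3.
STRIP_MINE = [(x, 3, 3) for x in range(1, 8)]
# An x-ray user: walks from the shaft straight to each ore in turn.
XRAY_MINE = [(1, 2, 2), (2, 2, 2), (3, 2, 2),
             (4, 2, 2), (5, 2, 2), (5, 3, 2), (5, 4, 2), (5, 4, 1),
             (4, 4, 1), (3, 4, 1), (2, 4, 1), (2, 5, 1), (2, 6, 1),
             (2, 6, 2), (2, 6, 3), (2, 6, 4), (2, 6, 5),
             (3, 6, 5), (4, 6, 5), (5, 6, 5), (6, 6, 5), (6, 5, 5),
             (6, 4, 5), (6, 3, 5), (6, 2, 5), (6, 1, 5), (6, 1, 6)]

if __name__ == "__main__":
    w = make_world()
    view = obfuscate(w)
    print("buried ore shown as ore in the client view:",
          sum(view[p] == ORE for p in ORE_POSITIONS), "of", len(ORE_POSITIONS))
    print("strip mine:", mining_stats(w, STRIP_MINE), suspicious(w, STRIP_MINE))
    print("x-ray mine:", mining_stats(w, XRAY_MINE), suspicious(w, XRAY_MINE))
```

The detection side compares against the world's own ore density rather than a fixed number, so a lucky miner in a rich area is not flagged, and it requires both signals at once, since branch miners also turn a lot but hit ore at the baseline rate. As the thread notes, a cheater can defeat it by mining in legitimate-looking patterns, at which point the cheat buys very little.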
That’s kind of my point with hacks like player highlighting, I feel like a good user-reporting system would get us a lot of the way there. E.g. If someone is using see through wall hacks in an FPS I feel like it would be pretty obvious for other players to tell in a lot of cases. Other times things like erratic movements from aimbots could probably be detected by the server.
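For the "erratic movements from aimbots could be detected by the server" part, here is an added example (not code from the thread or from any real anti-cheat) of the kind of server-side heuristic meant: the server already receives each client's view angles every tick, so it can flag single-tick view jumps above a threshold that are immediately followed by a registered hit. The tick logs, field names and thresholds are constructed for illustration.

```python
"""Added example, not code from the thread or from any real anti-cheat: a
server-side heuristic that flags aim snaps (large single-tick view changes
followed straight away by a hit). Tick data, thresholds and field names are
constructed for illustration."""
import math


def angle_between(a, b):
    """Angle in degrees between two view directions given as (yaw, pitch) degrees."""
    def to_vec(yaw, pitch):
        y, p = math.radians(yaw), math.radians(pitch)
        return (math.cos(p) * math.cos(y), math.sin(p), math.cos(p) * math.sin(y))
    va, vb = to_vec(*a), to_vec(*b)
    dot = max(-1.0, min(1.0, sum(x * y for x, y in zip(va, vb))))
    return math.degrees(math.acos(dot))


def snap_events(ticks, snap_deg=45.0, window=2):
    """Indexes of ticks where the view moved more than snap_deg since the previous
    tick and a hit landed within `window` ticks (the snap tick included)."""
    flagged = []
    for i in range(1, len(ticks)):
        if angle_between(ticks[i - 1]["view"], ticks[i]["view"]) < snap_deg:
            continue
        if any(t["hit"] for t in ticks[i:i + window + 1]):
            flagged.append(i)
    return flagged


def snap_hit_ratio(ticks, **kw):
    """Fraction of this player's hits that were preceded by a snap. Judge it per
    match, not per event: a single jump can be lag or a burst of delayed packets."""
    hits = sum(1 for t in ticks if t["hit"])
    return len(snap_events(ticks, **kw)) / hits if hits else 0.0


# Constructed tick logs: (yaw, pitch) in degrees plus whether a hit registered.
HONEST = [{"view": (3.0 * i, 0.0), "hit": i in (4, 5)} for i in range(8)]
AIMBOT = [{"view": (0.0, 0.0), "hit": False}] * 3 + [
    {"view": (90.0, 0.0), "hit": True},    # snapped 90 degrees and hit same tick
    {"view": (90.0, 0.0), "hit": False},
    {"view": (-80.0, 0.0), "hit": True},   # snapped 170 degrees and hit again
    {"view": (-80.0, 0.0), "hit": False},
]

if __name__ == "__main__":
    for name, log in (("honest", HONEST), ("aimbot", AIMBOT)):
        print(name, snap_events(log), round(snap_hit_ratio(log), 2))
```

A real server would tune `snap_deg` to the game's sensitivity settings and feed the per-match ratio into a reporting or review queue rather than auto-banning, since a flick shot by a skilled player produces the same single event; what separates the two is the rate over many hits.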
Could they not hash the contents of the game’s folders and send that back to the server to confirm it’s not been tampered with?
Games probably do this in some way already with something like a checksum but the problem is you could have some separate program reading from game state/display at runtime to get around this. That’s part of why a lot of cheats are installed at a kernel-level.
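To make the limitation concrete, here is an added example (not code from the thread or from any game's anti-cheat) of the folder-hashing idea from the question above: a SHA-256 manifest over the install directory that reports modified, added and removed files. The directory layout and file contents are constructed in a temporary folder.

```python
"""Added example, not code from the thread or from any game's anti-cheat: a
file-integrity manifest over an install directory. Paths and file contents are
constructed in a temporary directory for illustration."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify(expected, actual):
    """Compare two manifests; return (modified, added, removed) relative paths."""
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    added = sorted(set(actual) - set(expected))
    removed = sorted(set(expected) - set(actual))
    return modified, added, removed


def demo():
    """Build a clean manifest, then tamper on disk and re-verify.
    Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "data"))
        with open(os.path.join(root, "game.exe"), "wb") as f:
            f.write(b"\x4d\x5a original binary")          # constructed content
        with open(os.path.join(root, "data", "maps.pak"), "wb") as f:
            f.write(b"map data")                           # constructed content
        expected = build_manifest(root)                    # shipped by the server
        clean = verify(expected, build_manifest(root))
        # Tamper on disk: patch the binary and drop a DLL next to it.
        with open(os.path.join(root, "game.exe"), "ab") as f:
            f.write(b" patched")
        with open(os.path.join(root, "hook.dll"), "wb") as f:
            f.write(b"cheat")
        tampered = verify(expected, build_manifest(root))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean install:", clean)
    print("after tampering:", tampered)
```

This catches exactly what the manifest covers: bytes on disk. A separate process that reads the running game's memory or the frame buffer never changes a file, so the manifest stays clean, and since the hashing runs on the same machine as the cheat, anything with kernel-level access can also hand the hasher the original bytes. That is the gap the reply above is pointing at.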
It has comparable access, yes, but assuming no malicious intentions, it’s extremely unlikely that they achieve something as catastrophic. If they fucked up in a similar fashion, that would cause your PC to bluescreen, too, but since League does not start up during boot, you could still use your PC, just not League.
Nope.
Vanguard doesn’t care if LoL or valorant or any other game is running. Vanguard is in your kernel and will be starting regardless.
This is correct, as in Windows a driver is the most straightforward method to runlevel 0 access. It absolutely could at any time do exactly what CrowdStrike did. But so could Nvidia/AMD with GPU drivers, your motherboard manufacturer with chipset and RGB drivers, etc. It’s not quite the smoking gun people make it out to be, as there are a lot of legitimate reasons to have this kind of system access.
The egregious part was that CrowdStrike users agreed to allow a vendor to bypass canary channels and deploy straight to their endpoints.
And that’s the problem: like CrowdStrike, Vanguard will update itself in the background, unlike your GPU driver, which you need to go through an update process for explicitly. So if the same thing happens where they push a bad update, the same outcome of causing failed boots without prompt could happen.
Does Vanguard not seek testing and validation by Microsoft before pushing updates?
I saw the recent video from the Task Manager designer Dave’s Garage on YouTube; lack of thorough official validation seemed to be an important part of the CrowdStrike problem.
Of course it’s not a smoking gun. That’s the wrong metaphor. It’s an extra stick of dynamite that isn’t needed, just waiting to explode at the flip of a coin. That there are other sticks of dynamite doesn’t negate the risk posed by this one.
Huh, seems like you’re right:
Riot Vanguard is an on-boot application. That means if you do choose to disable it and later decide you’d like to play VALORANT, you will have to restart your computer.
https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard
I guess, it’s only user-space drivers which Windows can load at runtime then?
At least, I’m hoping that’s a technical limitation of Windows. Otherwise, this is fucking stupid. Well, it always is fucking stupid, but it would be even more so.
In theory, yes. Vanguard uses ring 0 access, and failures/crashes in code running at that level will lead to a BSOD.
In practice, Riot very likely tests Vanguard on various hardware as part of their tests before shipping updates to it, as it’s used by all players that play LoL and Valorant, and a fuckup like that would mess up the trust they’ve built with the players. Players are trusting them to run ring 0 code on their computer so they can have a cheatless experience, after all.
In practice, CrowdStrike very likely tests Falcon on various hardware as part of their tests before shipping updates to it, as it’s used by a huge number of enterprises, and a fuckup like that would mess up the trust they’ve built with those enterprises. Enterprises are trusting them to run ring 0 code on their computers so they can have a malware-less experience, after all.
Welp, they’re a good example of what happens if they don’t do proper testing.