Vanguard x VALORANT
Hi everyone! I am Jose “the3” Chavez from Riot’s anti-cheat Vanguard team! I’m a data engineer, which means it’s my job to quickly and efficiently provide my team with the data they need to detect and take action on cheaters! Basically, I make data go “brrrrr.” Working with data is fun, but I thought I’d take a break from all that to talk about how Vanguard is doing.
Not gonna lie, I tried to get “mirageofpenguins” to write this article like he did for League, but he just muttered something about having to return some video tapes? In the meantime, I’m here, and I’m gonna go over anti-cheat on VALORANT PC, talk about detecting mice on VALORANT Console, tease our Ranked Rollback plans, and finally, provide some life-changing advice about account security.
4 Years of Protecting Your Matches
Can you believe it’s been 4 years since Vanguard released on VALORANT? It’s been quite a ride, and in that time, we’ve all been through a lot. Fortunately, the anti-cheat is still going strong, and we intend to keep it that way!
So, let’s start with a quick recap of the actions we’ve performed. In the last 4 years, we’ve banned over 3.6 million accounts just for cheating—that’s roughly one ban every 37 seconds! It’s important to note that this number does not include additional actions we’ve taken against botting, boosting, or intentionally queueing with cheaters. In the chart below, you can see a breakdown of those actions since launch, grouped by the system that administered the ban.
Detection: ban issued on an explicitly detected cheat asset
Hardware: delayed suspension for an account identified as a re-offender
Manual: a ban issued by an agent after manual review
We’re taking action on more cheating accounts than ever before. Some of this is because the game has grown in popularity for cheaters and players alike, but at the same time, we also see that recently, our automated detections are carrying a heavier load than our hardware actioning. This has been a deliberate choice as we test and release additional methods of enforcing a safer environment for VALORANT to run in (keep reading).
Historic view of all actions Vanguard has taken on VALORANT. Including manual bans, bans due to automated detections, and hardware bans on reoffenders. Overlaid with a line showing the % of games with a cheater present.
While our total number of bans has been higher over the last few months, our time to detection has held relatively steady. In the below graph, we can see our “time to action” being mostly maintained, which can be aligned with the steady “% of games with cheaters” we see in the chart above. Even though the fight continues to grow in complexity, we’re still keeping up with our commitment of getting cheaters out of our games as quickly as we can. I say “as quickly as we can,” but sometimes, it’s actually better for us to wait a little! Stick around after the graph, because we’ll get into why we don’t always ban every cheater instantly.
Average number of matches a cheater plays before being banned.
We’re pretty proud of these results, but the thing is, these figures are all about how reactive to cheaters we are. While it’s great to find these cheaters and kick them out of our environment as fast as we can, we’d also like to be more proactive, so that we can stop cheaters from causing damage in the first place. Vanguard is already doing a lot to protect our game from exploitation, but how can we do more?
Sometimes we discover some very suspicious activity from certain players. Not necessarily straight up cheating, but treading that line. Or, sometimes we detect cheaters and want to give them a chance to redeem themselves. In these cases, we implement what we call Vanguard Restrictions. We’re basically telling these suspicious individuals to pinky swear to us that they won’t cheat by enabling some built-in Windows security features that make cheating more difficult. This can artificially delay our time to action (if they reoffend), but because it makes cheating more difficult, it doesn’t affect the overall percentage of games with cheaters in them.
So, let’s go over what kind of security features we’re looking for these players to enable and why. Fair warning, things are about to get a lot more technical, so feel free to skip to the next section if you’re not into mumbo jumbo about Windows Security features.
Restrictions Revealed
Initially, Vanguard Restrictions required only that you update your current Windows patch to a more recent version, since older versions are more prone to vulnerabilities that can be used to get code into the kernel. Similarly, we also used Vanguard Restrictions to enforce TPM/Secure Boot, even on Windows 10 machines, to eliminate bootkits as a vector and to give ourselves a better form of hardware ID. Currently, we are doing research into the viability of issuing Vanguard Restrictions to enforce Virtual-Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI), two newer security features which allow Windows to further secure the kernel from malware or exploitation.
We’ve seen a rise in a newer form of cheating using Direct Memory Access (DMA) tools, which plug into the motherboard directly and access the memory of programs without going through the CPU. Basically, you’re manipulating memory using an external tool, so it’s harder for Windows to detect tampering. In an attempt to combat this, we’re looking into Restrictions that will also enforce Input-Output Memory Management Unit (IOMMU), bridging the gap and allowing us to prevent malicious devices from infiltrating the memory of our game. Console platforms (like Playstation and Xbox) use this same IOMMU technology to secure their games’ memory, and we see how effective it is—DMA is virtually nonexistent in that space.
I know this was a lot of dense information at once. Windows has built all these features to help keep your machine safe from malware, and many cheats are effectively a form of malware with a game being the target. Microsoft has been developing these features to secure their operating system, and if they continue down this road, kernel level anti-cheats will no longer be necessary to secure your games. In fact, we can see Windows trying to move all third party applications out of the kernel entirely (as they begin to secure and sandbox everything). We’re sure most of you will never have to worry about these things though, since you’re all good-natured individuals who just wish to sit back and enjoy the game.
But I Lost to a Cheater!
Earlier, I showed our graph about how many matches a cheater played before being banned. Say what you will about that number, one thing is for certain—it’s not 0. You can say I’m coping, but we don’t want that number to be 0. There is a lot of mystery around how exactly we detect cheaters and we want to keep it that way, because it makes cheat developers’ jobs harder. It wouldn’t be fun if we were the only ones scrambling; we need the adversary to scramble just as hard. Many times, we’re able to immediately detect when a cheater has entered the game, but we don’t immediately ban them, because this will present an opportunity for the cheat developers to A/B test our detections. If we banned cheaters immediately, all a cheat developer would have to do is change their cheat, get a new account (reminder to please secure your account), and see if they get banned. Rinse and repeat. They’ll quickly figure out how we detected them, build around that, and sell their cheat as “undetected” for the 34th time. Sure, we’ll end up getting them again eventually, but adding a delay to our bans slows down this development process for cheaters, which keeps our detection methods valid for longer.
While this tactic of delaying bans might be good for our anti-cheat, we recognize that a few players have to suffer at the hands of the cheater before the ban hammer strikes. In the time leading up to the ban, players are losing their hard-earned RR to these cheaters, costing them the potential glory of ranking up. This sucks, so we are teaming up with the VALORANT Competitive and Social Systems team on what we’re calling the “Ranked Rollback” feature. This feature will “undo” the RR lost to playing against a cheater after they’ve been banned, so both accounts get what they deserve: the cheater gets removed from our game, and the player gets their bragging rights back. This is still a work in progress, but we promise, it’s coming.
Vanguard x Console
Let’s pivot away from all that PC word salad and onto something new. Back in June, Riot launched the closed beta for VALORANT Console. While launching its first game on a console was a great milestone for Riot, it was also a brave new world for our anti-cheat team. Having limited prior experience in detecting cheats for consoles, we had our work cut out for us.
The cheating scene for console gaming is different. PCs give their users so much control over what runs, when it runs, and how it runs, leaving that environment open to customization and exploits. Consoles however, are much more locked down by their first party manufacturers (e.g., Sony and Microsoft). It’s much harder to fool a console into performing things it wouldn’t otherwise do. As a result, console cheaters tend to attack in a much different way: manipulating game inputs. When doing our research into the cheating scene on console shooters, we immediately realized the primary attack vector for undermining competitive integrity was mouse and keyboard.
The console variant of most first person shooter games have aim assist built in to help the joystick-based gameplay feel smoother—VALORANT is no different. But, a console first person shooter’s aim assist combined with a computer mouse’s ability to flick across the screen with ease would easily outperform controller-based players. Riot knows this, and so to maintain competitive integrity between players, Riot has decided to not implement cross-play between console and PC players, as well as not allow mouse and keyboard on console gameplay. This is great! Now console players can play against each other and know that they’re playing on an even playing field! Well, if only it were that simple.
Example of an input spoofing device used to plug a mouse and keyboard into a game console.
Unfortunately, there will always be those who try to circumvent the rules. Cheating on console games is not as easy as just plugging in your mouse and keyboard to the USB slots of your console. In order to cheat, cheaters buy input spoofing devices that allow them to masquerade their mouse and keyboard as a genuine controller. These devices fool the console into thinking a controller has been plugged in, giving the cheater the benefit of emulated mouse input AND aim assistance. This is a big problem in the console shooter space, so it was finally our turn to figure out what to do about it…
Leading up to the console launch, we had absolutely no data to work with, and some of us wondered if we should wait until after launch for some to exist. But at Riot we always strive to give the player a great experience from the start! So, it was important that we have it figured out before the public got hands on it.
There was some speculation that Riot simply bought data from different console shooter developers, but the truth is: we became that which we vowed to eradicate. We cheated throughout internal playtests, with varying settings and skill levels, capturing known data as ground truth (sorry to all my colleagues, I cannot actually aim with a controller). Throughout the playtests, our Vanguard software engineers and data engineers worked hand-in-hand to generate, format, and investigate the data needed to detect malicious behavior. After many playtests and many demands for MORE DATA we eventually had what we needed to build out preliminary detections.
Finally, on June 14th, it was game time. We weren’t completely confident that we’d catch everyone, but we hoped we’d at least catch some cheaters before they did too much harm. Within a few hours, we saw it happen, a ban went out! Soon after, more bans started going out. Players were starting to notice our efforts and it felt great! Over that launch weekend we were already seeing cheaters attempt to adapt to our detections, so we continued to iterate our detections to keep up. At that point, we had tons more data to work with and our detections were becoming better with each iteration.
Post from the Anti-Cheat Police Department showing off a real time ban on a player cheating in VALORANT console using an input spoofer and mouse-and-keyboard.
I’m sure you’re thinking: cool story bro, now show us some numbers, data boy. Alright, if you look below, you can see a graph of the number of actions we’ve taken on VALORANT console since the release of closed beta. I say “actions” rather than “bans,” because we have been experimenting with mixing in match terminations (and player notifications) as an alternative to outright bans. Fun fact: we can see spikes in the volume of actions we’ve taken that are associated with the increased availability of the game in new regions, transition into open beta, and full launch of the game.
Actions Vanguard has taken on VALORANT for Console since release of open Beta on June 14th. The total number of cheaters has been temporarily withheld to avoid giving cheaters any bragging rights.
While it’s been fun to reflect on our initial success in the fight against console cheaters, we know this battle is nowhere near over. Cheaters will continue to push the boundaries of our detections, and we must continue to adapt to the newest developments. Console cheating is another frontier that Vanguard and our anti-cheat team will continue to combat in order to provide players with the peace of mind of knowing they’re playing a fair match.
You Wouldn’t Download a Car
According to commercials I would see while growing up, you wouldn’t steal a car, but cheaters certainly have no issues with stealing your account for their malicious activities. It would be great if cheaters threw their hands up and moved on when we banned their accounts, but they don’t. Cheaters are stubborn, and they will try to get back into a game despite being hit with the ban hammer. Going through the hardware randomization, account creation, and tutorial processes are a bit tedious when you’re doing it repeatedly, but you know what isn’t? Just stealing an account!
Unfortunately, we live in a reality where even the password for your wifi enabled water bottle can be leaked, and that information can be used to infiltrate your email, bank, or worse, your Riot Games account! Nefarious actors use these leaks to infiltrate innocent players’ accounts and perform their nefarious deeds. We know this, because we have seen that 4% of VALORANT cheating bans are eventually reverted due to a compromised account. Also YES, it is a common tactic for cheaters to claim their account was compromised in an attempt to undo their ban. But we know when they’re lying, and we don’t fall for that.
So, what can you do to protect yourself against this? The easiest thing you can do right away is to update your password. I’m sure we can all immediately think of an account with a password we’ve been using since 2011, and the reality is that, while it’s easy to remember that password, it’s just as easy to infiltrate. Updating your password to something newer, stronger, and unique to Riot will significantly decrease the likelihood that a bad actor can use a leaked password against you. The second, and most powerful thing you can do is to enable Two Factor Authentication on your Riot Account. You can do this by signing in to your Riot Games account, going to your Account Management, and enabling Two-Factor Authentication.
Account Management page for a Riot Games account showing Two-Factor Authentication enabled.
I know, I get it, it might get annoying to check your email for an access code when you’re just itching to get a quick Swifftplay or Deathmatch going, but trust me, the account security it provides is immeasurable. The few seconds it adds to your login process will more than make up for the heartbreak and headache that you’ll go through when you’re trying to get your account back. Also, this advice can be applied to ANY online account you have: your email, your bank, your wifi enabled water bottle. Update your passwords, and enable Two-Factor Authentication where available. It’ll put a huge damper on malicious actors’ plans, and you’ll sleep better at night knowing your account (and all the hard work you’ve put into it) is safe and secure.
That’s All Folks
Wow, I wrote a lot more than I thought I would. I hope it was informative though! Going down memory lane is fun and all, but there’s still a lot more work to be done, especially now that Vanguard is fighting multiple fronts with VALORANT on PC, VALORANT on Console, and League of Legends (yes, that’s us too). The fight to keep our games fair is not winding down any time soon, and we need to stay on our toes if we want to keep up. Fortunately, we’ve got a team of very smart and dedicated individuals who are willing to do what it takes to create the best anti-cheat we can with Vanguard (including cheating in our own internal playtests). In the meantime, please remember to update your account’s security and report any players you might suspect of cheating in our games! Also, to our cheaters: come on, cut it out.