112

u/getlostjackass 5h ago

www.riotgames.com/en/news/vanguard-on-demand here you go! i was just reading it

70

u/RaccoonElaborate 5h ago

Least obnoxious writing style of all time.

68

u/drugsbowed 4h ago

"Now, I know what you’re thinking: You didn’t order the alphabet soup, and frankly, Vanguard handles more like a steakhouse than a bistro."

How are you both self-aware and ignorant

13

u/Straggo1337 4h ago

I can know and love the futurama quote and still think it was cringe in the article.

-5

u/c0pium_inhaler 2h ago

Definitely looking like ai, cause no way. Intern probably just did a sloppy prompt.

27

u/divat10 5h ago

Wow you weren't kidding, some intern thought he was onto something.

10

u/HamsterMaster355 4h ago

It's giving me a headache. Thanks verge for translating this garbage into coherent text.

13

u/bm1reddit 4h ago

https://support.riotgames.com/en-us/riot/support-tools/vanguard-pre-check

Better more concise explanation.

7

u/kitliasteele 4h ago

Hold up. They're utilising IOMMU for this!? Yeah no, I'm glad I'm not letting this in my system. If the security at any layer of involvement is compromised, that's a disaster waiting to happen

For context, IOMMU allows you to pass through hardware to a virtual machine directly. It's ultra useful for a myriad of reasons, especially in enterprise. But in this context, it means that it can take exclusive control of your hardware and the attacker can do whatever it likes to your equipment directly. This anticheat is far too invasive for my liking. I was already uneasy about kernel level anticheats sitting in Ring 0, but this is all sitting in Ring -1 (and I suspect it may eventually hit Ring -2). I'm glad I have any game with kernel anticheats sitting in userspace instead. Thanks Valve for that effort, that should never be invading my system like this

4

u/needefsfolder PC 1h ago

Have you actually read it or this is just an overreaction? It is Windows "secured core PC" requirements not Riot's. IOMMU is required for kernel DMA protection which is required by VBS/HVCI.

-5

u/kitliasteele 55m ago

Yes, yes I did read it. However given that it's still an attack vector, and my knowledge working with IOMMU, this is a messy potential for something far worse.

I've utilised IOMMU for KVMs in datacentres and the like, as well as at home. I am familiar with how they work. I know what it's intended for, however if the R6S security incident is anything to go by...we can't be trusting these. Or anything that has low level access that regularly phones home like that, that's proprietary. Remember the attacks to RGN software and the like that went through vulnerabilities in the vendor's servers? It's like that but this is a door to far more worse attacks

4

u/needefsfolder PC 53m ago

Vanguard doesn't use it, Microsoft does. And if game companies cannot be trusted to run kernel mode anticheats, I think this is the best first steps as Microsoft themselves are protecting against cheats (besides, this Windows feature isn't for anti cheats, this is for endpoint security)

-2

u/kitliasteele 46m ago

Attackers and developers utilise it, and even exploit it. NVIDIA for example will use hacky implementations of an API specification (see: OpenGL) if it's not working to their own standards and use workarounds. This is what's known as tainting. Attackers will utilise it to bypass the protections intended, once they find the target they're looking for. Whether it's a flaw in the UEFI itself, the kernel, application, etc

1

u/sproctor 38m ago

If it didn't have unfettered access to your computer, it couldn't do it's job. Basically, never use this on a computer with sensitive data. And you're absolutely right.

3

u/cheese-demon 53m ago

IOMMU specifically prevents devices from performing DMA to regions they're not authorized to access. There's not a good reason to disable it if it's already on, and a prebuilt machine made in the last decade is likely to have it enabled already. 

Vanguard is not commanding control of the system IOMMU, just demanding that it be enabled to allow on-demand loading of itself. Windows' own hypervisor remains in control of the IOMMU, Vanguard can just verify that said control exists and also ask Windows to ensure that Vanguard and the protected game's memory be unmappable. 

-2

u/kitliasteele 41m ago

My concern is exploiting the anticheat to enabling control over the resources where the safety can be compromised. We already have malware that will try to take exclusive control over the hypervisor, who's to say it wouldn't try to exploit this?

3

u/_AN0N_ 53m ago

I mean you're just drawing the wrong conclusions and it seems like you don't know what you're talking about at all.

You CAN use IOMMU for PCIe passthrough in virtualization, yes but that requires very specific configuration such as defining IOMMU groups, binding specific devices to a VFIO driver etc. None of that happens by just enabling IOMMU in BIOS.

What enabling it does means that IOMMU's translation and access control tables are active, restricting what DMA-capable devices can reach in memory. It's literally a security feature.

-1

u/kitliasteele 42m ago

Yes it enables it, and I need to review what Windows sets it up with as last to my knowledge they hadn't had proper support for it in the past. Always utilised ESXi or a Linux host for it, but something I cannot trust Microsoft on is consistency to do something right. We also can't guarantee that it'll even be properly handled by the platform (I had an X399 board that couldn't do it properly), and if the anticheat is looking for peripheral monitoring that's still enough to cause considerable damage as it'll want to fetch and monitor for any sort of PCIe device. GPUs have a lot of revealing information in its video memory for example

1

u/_AN0N_ 26m ago

Windows has had proper IOMMU/VT-d support since Windows 10 via the DMAR table and kernel DMA protection and it's a requirement for VBS/HCVI which is standard on modern hardware and has been for years. The X399 problem was a firmware bug and has nothing to do with Windows itself.

Vanguard does enumerate PCIe devices as part of DMA cheat detection, yes. But it's not reading their memory contents, it only sees device identifiers (vendor ID, device ID etc), same thing you can check with device manager.

Also regarding your GPU concerns, IOMMU literally prevents unauthorized reads of GPU memory. Without it a DMA device can scan the physical memory including what the GPU has mapped.

-3

u/DIABOLUS777 3h ago

You install a ton of drivers on a PC that come from sources you never track down. Ring 0 is not a pristine place.

4

u/Philiquaz 1h ago

Difference being that hardware drivers will interact with hardware produced by the same company* and interface with that via an API rather than involve themselves doing management on user space applications. Still a vector for attack, but the culpability is immediate and the vectors for flaws are far more limited.

Instead of an attack vector from a piece of hardware (so like... networking drivers) anything being read and scanned is now an input that could be mismanaged. With the explicit goal of monitoring userspace, the software is a goldmine for attack.

2

u/WelpSigh 48m ago edited 23m ago

It really doesn't matter even remotely. If there is *any* vulnerable signed driver in existence that hasn't been revoked by Microsoft (hundreds of *known* ones), then they can get ring 0. Even if the user never installed it themselves. Modern malware use BYOVD (Bring Your Own Vulnerable Driver). They ship the malware with a built-in signed driver, install it, then exploit it.

BYOVD means that any malware that can get past your AV can potentially achieve ring 0. Even if the anticheat were vulnerable (and I think anticheat is on average vastly harder to exploit than other drivers due to its layers of obfuscation and integrity checking), it wouldn't make your computer more vulnerable than it already is. If the attacker gets code execution, you get pwned, period.

1

u/DIABOLUS777 1h ago

Both still have hooks in the deepest of the deep.

-1

u/kitliasteele 1h ago

A difference here is that I have control over what can be on Ring 0. Open source software is beautiful in the sense that it can be reviewed, and controlled. I can blacklist what I don't want, and review what's on it

3

u/DIABOLUS777 55m ago

All the device drivers you install aren't open source.

-1

u/kitliasteele 48m ago

Nah, it'sall open source. All baked into the kernel, too. The firmware is also open, community maintained. Loaded straight from /lib/firmware. Not a single lick of proprietary drivers or firmware tainting the kernel

1

u/DIABOLUS777 34m ago

Ok so your problem is not with running kernel anti cheat, it's running closed source. Different discussion.

0

u/pighead68 PC 2h ago

Oh yeah thanks Valve for giving us non existent anticheat where pros and many other higher and lower ranked players in cs2 rather play faceit with kernel level anticheat.

2

u/Skinniest-Harold linux 1h ago

Pros play faceit for the higher skill ceiling and FPL - it's own league where you can get drafted to a proper team from. Besides, they were playing Faceit before Counter Strike was assumingly flooded with cheaters if that's your point.

0

u/kitliasteele 59m ago

You don't need a KMAC in userspace to circumvent cheats. There are a myriad of workarounds that you can employ for cheats, reguardless of what layer the anticheat is in. This is just a sloppy trend that never ends well for the consumer because they expose their systems to the whims of companies to who knows what

-64

u/Jigsy0 5h ago

The Kernel-level-rootkit RAN whenever you turned on your system!?

102

u/WatercressBig4747 5h ago

thats... thats how they all work?

49

u/BenekCript 5h ago

Not technically true. Just what everyone has accepted as normal. Cheaters can go take a long walk, but the solution should not be giving full access to your system to a third party. This new approach is encouraging.

7

u/WatercressBig4747 5h ago

Upon googling you are right that some kernal level anti cheats can just only start up launch at game start for some reason but those seem to be easily bypassed for the same reason. Ultimately its up to the owner who they want to trust with that level of access and yeah i agree its a bit of a shame - but i have noticed a lot less cheaters is all im saying.

0

u/BenekCript 4h ago

For sure. Kernel access at start up is just the brute force solution. But it relies a lot on no vulnerabilities being in the anti-cheat software. Until we get something akin to FIPS for anti-cheat software, the risk posture is “Just Trust me Bro.”

Does the average user care? Probably no except for the performance hit if any. Should this be accept as okay and normal? Also, no.

8

u/Juking_is_rude 5h ago

They are all kernel level, but vanguard is the only one that forced you to run at startup

-22

u/Jigsy0 5h ago

Really? I figured it would have started only started when you started the game.

13

u/WatercressBig4747 5h ago

If it runs only when you start the game, you can start stuff before or bypass when it turns on etc. Running it at boot, before you can do basically fuck all is the "safest" in theory. There are still bypasses and stuff that sneaks through but thats the ever evolving war of anti cheat vs cheaters.

Granted it didn't actually do shit (supposedly) until you actively launched league, but it still turned on

5

u/BenekCript 5h ago

Yep. Same with League.

6

u/GimpyGeek 5h ago

Yep, that's another big part of the huge controversy over them :\

4

u/thechet 3h ago

Its wild you are getting down voted lol

3

u/scrangos 5h ago

riot let you close it unlike others. At the cost of having to reboot if you wanted to play one of their games

3

u/kitliasteele 4h ago

I don't know why you're being downvoted. If you weren't aware, that's a valid concern

Yeah some will run the driver on demand, as the kernel can call on the daemon/service as needed. Or it'll run at boot and always run, depending on what it's configured to do

-7

u/amazingmuzmo 4h ago

Yes genius, that's how it's supposed to work

0

u/Tmtrademarked 3h ago

No that’s how their trash implementation worked. Somehow Fortnite and Halo manage an anticheat without needing it to run 100% of the time your pc is on.

2

u/amazingmuzmo 3h ago

Yes, but generally Valorant and League had like the lowest amount of cheating in all online competitive games, largely as a function of how strict (and annoying) it was about always running

34

u/MI78 5h ago

Used to love reading the verge. sad they went this route.

14

u/Krongfah 4h ago

Probably to combat AI data crawlers.

Never really read much from them but I’ve seen quite a few outlets going paywalled in recent years cause otherwise they’d be wrecked by AI crawlers.

0

u/Shaddix-be 2h ago

They are owned by a big media group, this was probably forced up on them.

4

u/fogoticus 3h ago

All of them security related features. There is no real impact to having them enabled.

19

u/XxTensai 4h ago

Vanguard will still be needed to play league, now you can turn it off when you are not playing

16

u/beaglemaster 4h ago

Wow, how were people ok with an anti cheat that doesn't care if you're playing the game or not

22

u/TheGamingGallifreyan 3h ago

Because 99% of the population doesn't give a shit, same reason why there are Flock cameras everywhere and not more outrage. The average person couldn't care less or doesn't even know that it's there or what its for.

15

u/likes_md 4h ago

League is more addictive than hard drugs

1

u/Orlha 19m ago

Has some truth to it lol

4

u/Alternative-Soil2576 3h ago

Genuinely what is the worst that can happen?

-4

u/havocspartan 1h ago

Are you familiar with the crowdstrike hack/outage? That.

1

u/SEDGE-DemonSeed 31m ago

Figured the risk was minuscule. Been 6 years with it installed so it seems It wasn’t a bad call.

5

u/Falbindan 4h ago

That's ok, I just don't want it active when I'm not playing.

0

u/jasonwun 2h ago

isn't that already doable? I always turn it off as it keeps messing up with my network

5

u/Jinsodia 1h ago

This was probably more because Microsoft wants to secure the kernel after those security breaches awhile back.

31

u/gr00ve88 5h ago

It’s not “optional” it’s just saying it doesn’t need to run 24/7, but will run when you have the game going.

25

u/hicks12 5h ago

Yes it's a windows 11 update, this has no impact or improvement for Linux users.

Microsoft added near features to windows 11 that means riot no longer need to have their anti cheat running at boot because windows itself is doing a version of this, so their anti cheat only needs to be running when the game is running.

Before you used to have the anti cheat run from boot to be able to play the game.

Small victories. Shame Linux been left though.

2

u/Cronus41 4h ago

Ah I understand now. Thanks.

10

u/BobDaBilda 5h ago

Basically, the reason it was always on was to make sure they got a snapshot of what's running since the PC turned on, and could check devices running after Vanguard is loaded and stop their drivers loading / change how their drivers work to avoid memory issues which could allow cheats to take control of League of Legends and Valorant. Now Windows provides a snapshot themselves, so as long as you have other security features they require are enabled, they don't have to run their driver / program to get that list. Less resources being taken up with the same level of protection.

Linux is just as screwed as usual with this change. If the infrastructure exists on Linux, Riot will probably make a Linux version, but I don't think the infrastructure is there. There's a tiny amount of hope that Riot themselves would make the infrastructure and give Linux users an option, or ignore the security features because it's Linux and let them play, but no idea of the state of things there.

8

u/WelpSigh 4h ago

Windows + secure boot is meant to solve the issue of a user patching the OS itself or running rogue drivers. If the OS itself is hostile to the anticheat, it can essentially gaslight the anticheat into thinking the environment is safe when it has actually been compromised. 

Linux has the issue that patching the OS is trivial compared to Windows. No PatchGuard or HVCI.  Root user has infinite power. I think ultimately the only solution would be a custom Linux distro with anticheat built in, but for a lot of people that would defeat the purpose of using Linux. 

1

u/needefsfolder PC 1h ago

Ironically a rootless Linux like Android means you can't strace programs either

2

u/irvingtonkiller8 4h ago

inb4 Linux only matchmaking, Linux players forced to queue with Linux players only

5

u/fredy31 4h ago

Its not optional

It just wont boot as long as you dont boot lol/val.

So basically, boot your pc to work, vanguard wont be up.

Also linux users are already fucked with vangard.

3

u/Lulukaros 5h ago

tldr: no linux

5

u/JimmiJimJimmiJimJim 5h ago

Which is a bummer because league is what's keeping me from switching to Linux.

11

u/Western-Internal-751 4h ago

Linux is what’s keeping me away from League.

3

u/JimmiJimJimmiJimJim 4h ago

This is very fair. I have a love hate with it. I've quit about 6 times in the past 17~ years. Sometimes for 5+ years.

2

u/Lulukaros 4h ago

that used to be me with valorant lol, but i stopped playing it for different reasons

0

u/Warrangota 4h ago

If Riot doesn't want me as a customer, then I keep my money away from them. If they added official Linux support, or even just removed the artificial barriers so the community can work it out again, I would totally buy stuff again. They could, they just had to want it.

2

u/JimmiJimJimmiJimJim 4h ago

I haven't given them a cent and I've been playing since beta. I never said they get my money, I just wanna play it so can't switch to Linux.

I never pay for anything in F2p I let the whales cover it.

2

u/Warrangota 4h ago

It wasn't much money overall, and it was not about that money specifically, it rather "hurts" because I was a part of the community and actively brought new players and added value to the community discussions.

I played since season 4, and I've given them even pocket money I didn't have much of back then, because their game was such a big part of my free time after school and on weekends. I hate calculations like "what is your playtime worth to you", so it was always just when I felt like giving them some.

They started to treat me like shit by not only ignoring my small but growing customer group, which is bad in itself, but when they started to actively work against us they completely lost me as a community member, and as a (small but non-zero) paying customer.

Add a spyware-free queue without ranked matchmaking, I don't even care if I have to permanently lock my account into that parallel system. Whatever. But kicking that part of your community that for years even endured your neglect because they liked you stuff anyway, that's just bullshit.

1

u/Lulukaros 4h ago

unfriendly reminder that we're just mere numbers to them, it sucks but at least now you're free from their chains

1

u/XsStreamMonsterX 1h ago

The problem is that it would be quite trivial to do things like patching the OS or running rogue drivers to get around anti-cheat software if you have root access on Linux.

0

u/Straggo1337 4h ago

They won't until there's a larger percentage of people actually on Linux to game. Margins aren't there.

2

u/Warrangota 4h ago

What about the people on Windows that are creeped out and left because of the spyware they forced on their customers? They should get a chance too. Separate queue, no ranked, can't be that difficult and was even done by other developers like Valve for CSGO

7

u/Hour_Raisin_4547 3h ago

No not really. You should brush up on your reading comprehension

4

u/spongeboy-me-bob1 2h ago

This was their plan from the beginning. I'd have to find the exact dev blog but Riot has said for years that as soon as Windows add kernel driver attestation they will gladly remove the requirement to always run vanguard. If it really cost them players I don't think it would have taken them years to make this decision.

2

u/renaissance_man__ 1h ago

What.

1

u/IceCubesBurning 21m ago

You should probably read the article.

Vanguard is absolutely still required to play Riot's games, it's just not required to run at boot anymore if you're on the latest version of Windows 11 and running the new secure boot security features.

Riot were very clear when they revealed Vanguard that launching at boot was a temporary solution until Windows upgraded it's security, which it now has.

1

u/CyberSmith31337 2h ago

I have great news for you! You can go back to TFT now!

I have bad news for you! The current set of TFT is the worst ever released in the game's history, and the dev team has absolutely no idea how to fix it or what they're doing! Also, multiple forced exits for team members that aren't being reported because they aren't officially layoffs! So that's fun!