The controversy over Riot's Vanguard anti-cheat software, explained

Much of the talk about Riot's new shooter, Valorant, has been about the anti-cheat software packaged with it, called Vanguard. The name is appropriate, because Vanguard doesn't just sniff around for cheats when Valorant is running: It starts up with Windows and proactively blocks users from running certain programs whether or not they're playing Valorant at the time.

Vanguard is unusually intrusive for anti-cheat software, though contrary to some of the more imaginative theories you can read online, the reason for that is not a Pinky and the Brain-esque scheme to blow up everyone's PC and take over the world. The software Vanguard blocks uses drivers that, at least allegedly, contain vulnerabilities which could be exploited by cheat makers. For those who don't happen to use any of that software, installing Vanguard won't do much.

For others, though, it will block software they like using, or even software they rely on, such as specific CPU temperature monitoring programs. That's certainly not ideal, and in a few cases it's really bad news. Here's a breakdown of the controversy, and what you need to know about Vanguard before installing it:

What is Vanguard?

Vanguard is Riot's new anti-cheat software, and right now it's being used to help protect Valorant from wallhackers and aimbotters. Once installed, Vanguard will run at Windows startup unless uninstalled.

There are two parts to it:

  1. A kernel-mode driver that runs when your PC boots up
  2. A client that checks to make sure you aren't running any cheats while you're playing Valorant

The kernel-mode driver is the client's bodyguard, basically. It doesn't collect data about your PC or send anything to Riot: It looks at other drivers and blocks them from running if it detects that they have a known vulnerability that could be used to compromise the anti-cheat client. 

If Vanguard's driver isn't started with Windows, Valorant won't trust your PC, and you won't be able to play. That's why you have to reboot after installing Vanguard.

What does it mean that the Vanguard driver is "kernel-mode"?

If we were in a '90s hacker movie, the kernel would be the virtual reality sphere of green code where the final showdown takes place. It's the core of your operating system, where the most basic functions happen, such as allocating system memory to different programs. Software that runs at the kernel level has the greatest level of control over your PC.

The primary argument against letting Riot run a kernel-mode driver on your PC is that if someone found a security vulnerability in it, the consequences could be much worse than if a vulnerability were discovered in regular, user-level software.

Riot's response is that:

  1. It has been careful, and has offered a $100,000 bounty for the discovery of security vulnerabilities in its software.
  2. Cheat makers work at the kernel level, and if Riot can't give its software the same level of privilege as the cheats, it'll be at a disadvantage.
  3. Other anti-cheat software also uses kernel-mode drivers. 

Regarding that last point, it's actually common for anti-cheat software to use kernel-mode drivers. EasyAntiCheat does, and it's used by a ton of games, including Apex Legends. BattlEye also does, and it's used by high-profile games such as Rainbow Six Siege and PUBG. Just like Vanguard, these anti-cheat programs block other kernel drivers that contain security vulnerabilities.

The reason this is a controversy now is probably that A) Valorant is a high-profile new game and Riot intentionally drew a lot of attention to its anti-cheat efforts, B) Vanguard starts with Windows instead of with the game, and C) Vanguard doesn't seem to be as lenient as other anti-cheat software, possibly blocking a wider array of programs.

What does Vanguard block?

Vanguard blocks certain drivers, and multiple programs can use the same drivers, so there's no complete list of software that Vanguard doesn't play nice with. What's most likely to be blocked is software that has to do with your hardware: temperature monitors, fan controllers, overclocking tools, and so on.

For example, Vanguard won't let me run a program called Core Temp, which reads and displays the temperature of each CPU core. The implication is that Core Temp uses a driver which has a known security flaw. However, the creator of Core Temp isn't aware of any vulnerabilities. So what's the deal? 

Riot will only speak in generalities. "Vanguard blocks drivers with known security vulnerabilities (usually privilege escalation via arbitrary memory writes) that allow cheat developers to load their cheats into the kernel without approval from Microsoft," wrote Valorant anti-cheat lead Paul Chamberlain in a recent Reddit post.

At least for some temp monitoring software, a bit of digging does show that Riot's telling the truth: There's a bad driver in the mix. For example, I've found a few reports of a CPU-Z driver vulnerability, most recently from this February, when it was called out at the end of an Ars Technica report.

There could theoretically be some false positives mixed in, but some of the drivers blocked by Vanguard definitely do include vulnerabilities. Still, does that mean that Vanguard should automatically block all software that uses those drivers? Possibly not, given that some users rely on that software more than others.

Can Vanguard really overheat PCs?

Not exactly. There is no feature or bug in Vanguard which raises CPU or GPU temperatures. Where players are reporting overheating problems, such as in this Reddit post, it's because Vanguard automatically blocked software they were using to control their cooling setup or processor speeds. 

In all likelihood, you don't have to worry about this, because most people do not have PCs which will dramatically overheat unless they are running temperature monitoring/fan control software or underclocking their GPU. If you do have a tenuous cooling situation and rely on Windows software to keep your PC from melting, check and make sure that Vanguard hasn't blocked that software the first time you reboot after installing it.

Shouldn't Vanguard tell you if it blocked something important like a temperature monitoring program?

It definitely should, but its notifications don't work well right now. Vanguard is clearly meant to deliver a Windows notification when it blocks software from running, but I don't always get one, and when I do and I click on it, it doesn't tell me what software was blocked—it just disappears. 

“We’re working on ways to make the experience better,” says Chamberlain. “Our current notification pop-ups aren't as good as they could be and we’re looking for ways to give you more control over how Vanguard works.”
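Since the notification may not say what was blocked, one way to check after a reboot is to ask Windows which start-with-Windows drivers are not running and which driver loads failed. This PowerShell script is an added example, not something from Riot or from the original article, and it assumes a blocked driver shows up as stopped or as a Service Control Manager error (the article does not say how Vanguard's blocks are logged).

```powershell
# Added example: find kernel drivers that should have started with Windows but
# are not running, plus driver-load failures logged since the last boot.
# Assumption: a driver blocked at load time appears as stopped and/or as a
# Service Control Manager error. Run from an elevated PowerShell prompt.

$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Kernel and file-system drivers configured as Boot/System/Auto start that are
# not running. Some drivers legitimately stop after initialising, so this is a
# list of candidates to review, not proof that anything was blocked.
$notRunning = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' -and $_.State -ne 'Running' } |
    Select-Object Name, DisplayName, StartMode, State, PathName

# Event 7000: a service or driver failed to start.
# Event 7026: one or more boot-start or system-start drivers did not load.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7026
    StartTime    = $boot
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

'Drivers configured to start with Windows but not running:'
if ($notRunning) {
    $notRunning | Format-Table -AutoSize -Wrap | Out-String -Width 200
} else {
    '  none'
}

"Driver or service load failures since boot ($boot):"
if ($events) {
    $events | Format-List | Out-String -Width 200
} else {
    '  none logged'
}
```

The `PathName` column gives the driver file on disk, which is what identifies the hardware tool (temperature monitor, fan controller and so on) that depends on it.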

What about stopping mice and keyboards from working?

This has also been reported. One player traced the issue with keyboards and mice to a driver called Interception, and posted a fix on Reddit (try at your own risk!). 

According to a representative from FaceIt, another anti-cheat solution which blocks the same driver, Interception "is used by cheats to generate fake input, which is also the reason other [anti-cheat programs] block it." Again, Riot appears to have a valid reason for blocking this driver—but that doesn't really make people feel better about their keyboards not working suddenly.

Has Vanguard been effective at stopping cheaters?

It's hard to say right now. Cheaters have made it into the Valorant closed beta, but the banning system was incomplete when the beta started, and sometimes Riot waits to ban cheaters in waves rather than showing its hand to cheat makers right away. Vanguard is also just one part of Riot's planned anti-cheat arsenal. 

"It's fundamentally a defense in depth approach," wrote Chamberlain in a recent blog post. The full breadth of Riot's plan includes:

  • Designing Valorant to be naturally cheat-resistant
  • Using Vanguard to make cheats hard to develop (and thus expensive)
  • Catching cheaters through player reporting
  • Catching cheaters with replays and machine learning (not built yet)
  • Using hardware bans to keep cheaters from rejoining with new accounts

We'll know better how well Riot's anti-cheat suite is working when Valorant leaves closed beta. It's unlikely that cheating will be eradicated from any competitive game, but if Riot can make encountering cheaters in Valorant a truly rare and surprising occurrence, it'll have done better than a lot of its competitors.

How do Valorant players feel about Vanguard?

When I filter out the extremes, the general sentiment I'm seeing is: 'It's good that Riot is taking anti-cheat seriously, but Vanguard is too intrusive.'

Vanguard is acting like a PC security suite, and it's blocking software that people rely on—software that isn't considered a security risk by actual antivirus software. That is of course going to irritate PC gamers, who are particularly sensitive to any loss of control over their machines. I don't like it when anything stops me from doing what I want to do with my PC, such as running Core Temp, potential driver vulnerability or not.

One recommendation I've seen a few times is that Vanguard should let players run software it has concerns about, but prevent them from playing Valorant unless they reboot and make sure those programs don't run. That would be less invasive, though also more complicated and confusing for users and possibly less secure.

So far, Riot has shown that it's listening to the complaints—Chamberlain often responds to questions in the Valorant subreddit—but hasn't shown any interest in changing the workings of its anti-cheat software. Riot's perspective has been that if Vanguard blocks a program, the creator of that program ought to update its drivers to secure ones. 

For now, it's something players will have to put up with if they want to play Valorant, though Riot did at least make it easier to disable or uninstall Vanguard by adding a system tray icon. I've taken to uninstalling Vanguard between Valorant sessions. It means that I have to reinstall it (it's tiny, so that's fine) and reboot my PC before playing Valorant, but that's not a very big deal given how quickly PCs can boot these days. I'd say it takes me about as much time to reinstall Vanguard, reboot, and launch Valorant as it does to launch Rainbow Six Siege and get to the menu. That may say more about Siege, though.

Tyler has spent over 1,000 hours playing Rocket League, and slightly fewer nitpicking the PC Gamer style guide. His primary news beat is game stores: Steam, Epic, and whatever launcher squeezes into our taskbars next.