The controversy over Riot's Vanguard anti-cheat software, explained
Does Riot's always-on anti-cheat go too far?
Much of the talk about Riot's new shooter, Valorant, has been about the anti-cheat software packaged with it, called Vanguard. The name is appropriate, because Vanguard doesn't just sniff around for cheats when Valorant is running: It starts up with Windows and keeps an eye on other processes whether or not you're playing Valorant at the time.
Vanguard is unusually intrusive for anti-cheat software, though contrary to some of the more imaginative theories you can read online, the reason for that is not a Pinky and the Brain-esque scheme to blow up everyone's PC and take over the world. Vanguard detects software with vulnerabilities which could be exploited by cheat makers, and blocks some of it. For those who don't happen to use any of that software, installing Vanguard won't do much—although it will run all the time unless you disable it, and for some, that alone is uncomfortable.
Here's a breakdown of the controversy, and what you need to know about Vanguard before installing it.
Updated June 8, 2020.
What is Vanguard?
Vanguard is Riot's new anti-cheat software, and right now it's being used to help protect Valorant from wallhackers and aimbotters. Once installed, Vanguard will run at Windows startup unless uninstalled.
There are two parts to it:
- A kernel-mode driver that runs when your PC boots up
- A client that checks to make sure you aren't running any cheats while you're playing Valorant
The kernel-mode driver is the client's bodyguard, basically. It doesn't collect data about your PC or send anything to Riot: It looks at other drivers and blocks them from running if it detects that they have a known vulnerability that could be used to compromise the anti-cheat client. (Vanguard blocks fewer programs as of an update in May, and in the future may prevent Valorant from running instead of blocking the offending software.)
The biggest gaming news, reviews and hardware deals
Keep up to date with the most important stories and the best deals, as picked by the PC Gamer team.
If Vanguard's driver isn't started with Windows, Valorant won't trust your PC, and you won't be able to play. That's why you have to reboot after installing Vanguard.
What does it mean that the Vanguard driver is "kernel-mode"?
If we were in a '90s hacker movie, the kernel would be the virtual reality sphere of green code where the final showdown takes place. It's the core of your operating system, where the most basic functions happen, such as allocating system memory to different programs. Software that runs at the kernel level has the greatest level of control over your PC.
The primary argument against letting Riot run a kernel-mode driver on your PC is that if someone found a security vulnerability in it, the consequences could be much worse than if a vulnerability were discovered in regular, user-level software.
Riot's response is that:
- It has been careful, and has offered a $100,000 bounty for the discovery of security vulnerabilities in its software.
- Cheat makers work at the kernel level, and if Riot can't give its software the same level of privilege as the cheats, it'll be at a disadvantage.
- Other anti-cheat software also uses kernel-mode drivers.
Regarding that last point, it's actually common for anti-cheat software to utilize kernel-mode drivers. EasyAntiCheat does, and it's used by a ton of games, including Apex Legends. BattleEye also does, and it's used by high-profile games such as Rainbow Six Siege and PUBG. Just like Vanguard, these anti-cheat programs block other kernel drivers that contain security vulnerabilities.
The reason this is a controversy now is probably that, A) Valorant is a high-profile new game and Riot intentionally drew a lot of attention to its anti-cheat efforts, B) Vanguard starts with Windows instead of with the game, and C) Vanguard doesn't seem to be as lenient as other anti-cheat software, possibly blocking a wider array of programs.
What does Vanguard block?
Not nearly as much as it used to.
When it was first introduced, Vanguard blocked certain drivers, and multiple programs can use the same drivers, which led to it preventing certain temperature monitors, fan controllers, and overclocking tools from running.
For example, Vanguard wouldn't let me run a program called Core Temp, which reads and displays the temperature of each CPU core. Why? Riot would only speak in generalities. "Vanguard blocks drivers with known security vulnerabilities (usually privilege escalation via arbitrary memory writes) that allow cheat developers to load their cheats into the kernel without approval from Microsoft," wrote Valorant anti-cheat lead Paul Chamberlain in a Reddit post.
That policy has changed. Vanguard still blocks "a small number" of drivers, but no longer blocks most of the software it used to, including Core Temp. From here on, Riot says it will "prefer non-invasive solutions." If it can't get a program running with Vanguard in a way it likes, it'll prevent you from playing Valorant rather than prevent the program from running.
Can Vanguard really overheat PCs?
Not exactly. There is no feature or bug in Vanguard which raises CPU or GPU temperatures. Where players are reporting overheating problems, such as in this Reddit post, it's because Vanguard automatically blocked software they were using to control their cooling setup or processor speeds.
In all likelihood, you don't have to worry about this, because Vanguard now blocks fewer programs, and because most people do not have PCs which will dramatically overheat unless they are running temperature monitoring/fan control software or underclocking their GPU. If you do have a tenuous cooling situation and rely on Windows software to keep your PC from melting, check and make sure that Vanguard hasn't blocked that software the first time you reboot after installing it.
Shouldn't Vanguard tell you if it blocked something important like a temperature monitoring program?
It definitely should, but its notifications weren't working well initially. It's less of an issue now that it blocks fewer programs, but Riot is "working on ways to make the experience better,” says Chamberlain.
What about stopping mice and keyboards from working?
This was also reported during the beta. One player traced the issue with keyboards and mice to a driver called Interception, and posted a fix on Reddit (try at your own risk!).
According to a representative from FaceIt, another anti-cheat solution which blocks the same driver, Interception "is used by cheats to generate fake input, which is also the reason other [anti-cheat programs] block it."
Has Vanguard been effective at stopping cheaters?
It's hard to say right now. Cheaters made it into the Valorant closed beta, but the banning system was incomplete when the beta started, and sometimes Riot waits to ban cheaters in waves rather than showing its hand to cheat makers right away. Vanguard is also just one part of Riot's planned anti-cheat arsenal.
"It's fundamentally a defense in depth approach," wrote Chamberlain in a recent blog post. The full breadth of Riot's plan includes:
- Designing Valorant to be naturally cheat-resistant
- Using Vanguard to make cheats hard to develop (and thus expensive)
- Catching cheaters through player reporting
- Catching cheaters with replays and machine learning (not built yet)
- Using hardware bans to keep cheaters from rejoining with new accounts
We'll know better how well Riot's anti-cheat suite is working after we have a longer time period to judge Valorant by. It's unlikely that cheating will be eradicated from any competitive game, but if Riot can make encountering cheaters in Valorant a truly rare and surprising occurrence, it'll have done better than a lot of its competitors.
How do Valorant players feel about Vanguard?
When I filter out the extremes, the general sentiment during the beta was: 'It's good that Riot is taking anti-cheat seriously, but Vanguard is too intrusive.'
Vanguard was acting like a PC security suite, but it was blocking software that people rely on—software that isn't considered a security risk by actual antivirus software. That is of course going to irritate PC gamers, who are particularly sensitive to any loss of control over their machines. I don't like it when anything stops me from doing what I want to do with my PC, potential driver vulnerability or not.
The main recommendation from players was that Vanguard should let players run software it has concerns about, but prevent them from playing Valorant unless they reboot and make sure those programs don't run. That's the direction Riot has said it's going in.
It's clear that Riot is listening, though it hasn't shown any interest in changing the basic workings of its anti-cheat software.
For now, it's something players will have to put up with if they want to play Valorant, though Riot did at least make it easier to disable or uninstall Vanguard by adding a system tray icon. I've taken to uninstalling Vanguard between Valorant sessions. It means that I have to reinstall it (it's tiny, so that's fine) and reboot my PC before playing Valorant, but that's not a very big deal given how quickly PCs can boot these days. I'd say it takes me about as much time to reinstall Vanguard, reboot, and launch Valorant as it does to launch Rainbow Six Siege and get to the menu. That may say more about Siege, though.
Tyler grew up in Silicon Valley during the '80s and '90s, playing games like Zork and Arkanoid on early PCs. He was later captivated by Myst, SimCity, Civilization, Command & Conquer, all the shooters they call "boomer shooters" now, and PS1 classic Bushido Blade (that's right: he had Bleem!). Tyler joined PC Gamer in 2011, and today he's focused on the site's news coverage. His hobbies include amateur boxing and adding to his 1,200-plus hours in Rocket League.