this post was submitted on 22 Jul 2024
195 points (97.6% liked)

Asklemmy

[–] [email protected] 15 points 1 month ago (2 children)

It is a bit complicated. Any kernel level program that crashes will cause the entire operating system to crash. But it won't cause the system to continuously blue screen because it isn't a required program in the way that crowdstrike was.

Crowdstrike is basically an antivirus program so it has to run when the operating system starts up and if it isn't running then the operating system should not boot for safety reasons. The problem is that if it must be loaded, and it has a crash, then it loads and kills the system. So you get an infinite loop you cannot get out of.

Vanguard only has to run when you're playing online though, so it's not loaded when the system runs, or at least it doesn't have to be. So it won't cause a recurring boot loop. It might fail to load and you wouldn't be able to play online games that require it until they fix it, but it isn't going to prevent the computer from running.

[–] [email protected] 14 points 1 month ago (1 children)

I could be wrong but I think it runs on boot. So it would loop into bsod.

[–] [email protected] 2 points 1 month ago

I agree. It would need to start on boot to make sure there isn't software loading before it to circumvent it.

[–] [email protected] 6 points 1 month ago (1 children)

Wait, wasn’t Vanguard coming in form of a driver? I don’t use Windows and don’t play games with intrusive software requirements, but I believe I saw someone installing it and showing how it works on YouTube, and if I don’t misremember it, it was in fact a virtual device driver, not just a fully privileged process.

[–] [email protected] 2 points 1 month ago (1 children)

Yup, I seem to remember the same thing, and I also seem to remember it being loaded at boot. IIRC you can stop it when the system has started and you've logged in, but then you have to reboot in order for it to load again so you can play. But same, I also don't use Windows and haven't played League for many, many years.

[–] [email protected] 1 points 1 month ago

I haven't really used it because I don't play any games that require it, but my understanding is that it just installs itself as a required program, but you can just go into program manager and turn that off because you don't have to have it, and I think if it's not running, starting the game should then cause the program to run.

If not you can just set up a script to do it anyway so I can't see why it wouldn't work like that.

[–] [email protected] 67 points 1 month ago

I'm far from an expert, but Vanguard is a kernel-level program. If a kernel-level program crashed, the whole system crashes. So yes, any kernel-level program could do the same thing CrowdStrike did, intentionally or not.

Kernel-level programs can do whatever the hell they want.

[–] [email protected] 19 points 1 month ago (3 children)

Preface: I'm not an expert in this yet but I'm pretty interested in learning about systems-level topics so if I'm wrong please correct me!

Yes, the thing about anticheats and antiviruses is that they are only useful when they have access to the underlying resources that a virus or cheat engine might try to modify. In other words, if cheating software is going to use kernel-level access to modify the game, then an anticheat would also need kernel-level access to find that software. It very quickly became an arms race to the lowest level of your computer. It's the same with antiviruses.

IMO the better strategy would be to do verification on a server level, but that probably wouldn't be able to catch a lot of cheats like wall hacks or player outlines. At some point you just have to accept that some cheaters are going to get through and you'll have to rely on a user-reporting system to get cheaters because there will always be a way to get past the anticheats and installing a separate rootkit for each game isn't exactly a great idea.

[–] [email protected] 4 points 1 month ago (1 children)

They do do a lot of verification on the server side. Since Unreal introduced their server-side-lagged-approval networking model, all local movement and most shooting can be retracted by the server.

But what a ring 0 level driver is looking for is other software, like aimbots, modified assets (transparent walls, custom shaders etc) etc. To be able to detect all that it needs to be level 0.

What I would trust more is if Microsoft acquired one of these companies and worked across the industry to root cheating out. Giving some random company ring 0 access feels completely off to me.

[–] [email protected] 2 points 1 month ago (1 children)

Couldn't aimbots be picked up as odd movement and be detectable on a server though? Kind of similar to how those "not a robot" checks can tell if a human is clicking on the box just by looking at the movements of the cursor.

In addition, things like textures and game-modifications could be picked up in part by things like checksum verification to make sure the client is unmodified (assuming the files are modified on the disk and not in memory)

I feel like most client-side changes like see-through walls or player highlighting make themselves pretty obvious when aggregated over multiple games. A good user-reporting system could probably catch most of these.

I definitely agree though, allowing multiple random companies to install ring 0 rootkits should not be the norm. Honestly, even a Windows-level anticheat would be problematic because it would only worsen the monopoly Microsoft has on competitive games as a platform. A new solution would need to be cross-platform or else it would only be marginally better than what already exists.

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago)

Aimbots don't need to do a lot to provide an advantage at the highest level. Moving "perfect aim" from 1x1 pixel to 3x3 pixels, but with 33% probability, would provide a huge advantage and be undetectable.

Modified assets cannot be verified unless you lock the system down, like an Xbox. On a PC? No way. You can combat it by sitting in ring 0 (which is what anti-cheat software does), but you couldn't just check some checksums.

In terms of aggregating data and spotting something like see-through walls, there isn't the statistical method to discern between great intuition built over years of playing the same map and having see-through assets.

I used to work in AAA game development, across most of low level (graphics, networking, memory, assets etc) so unfortunately I know this problem is nigh on impossible to solve unless you have a locked platform.

[–] [email protected] 1 points 1 month ago (4 children)

Could they not hash the contents of the game's folders and send that back to the server to confirm it's not been tampered with?

[–] [email protected] 2 points 1 month ago

Games probably do this in some way already with something like a checksum but the problem is you could have some separate program reading from game state/display at runtime to get around this. That's part of why a lot of cheats are installed at a kernel-level.

[–] [email protected] 2 points 1 month ago

So save files exist. Also custom user content. So the hash will change accordingly. Plus some cheats don't require a modification of game files anyway, they use memory analysis to get, say, the location of other player objects, then they manipulate local information to give the player an advantage. This is how aim hacks and wall hacks work.

Cheats are hard to prevent for the sole reason of you don't own the computer they could be running on. You can't trust the user or the machine, and have to design accordingly. This leads many to the "solution" that is kernel level anticheat, it gives total access to the system.

[–] [email protected] 4 points 1 month ago

What stops you from tampering with the game folder, and changing the function that sends the hash, to send a pre-calculated and valid value, instead of calculating it from real files you are running?
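The folder-hashing idea discussed in this subthread, as an added Python example that is not part of the thread and not any game's real integrity check. Everything in it is constructed: the "game folder" is a temporary directory with two made-up files, the nonce is a fixed byte string, and the HMAC challenge is one way a server might try to stop replayed answers. It shows what an on-disk manifest does catch (a modified file) and the limit the replies above point at: a client that answers from an untouched copy of the files passes the same challenge, so the server learns nothing about what is actually running.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path


def file_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of every file under root (what an on-disk check records)."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(reference: dict[str, str], observed: dict[str, str]) -> list[str]:
    """Files whose hash differs from the reference manifest, plus files added or removed."""
    paths = set(reference) | set(observed)
    return sorted(p for p in paths if reference.get(p) != observed.get(p))


def canonical(manifest: dict[str, str]) -> bytes:
    """Stable byte encoding of a manifest so both sides hash the same thing."""
    return "\n".join(f"{p}:{h}" for p, h in sorted(manifest.items())).encode()


def challenge_response(manifest: dict[str, str], nonce: bytes) -> str:
    """Client reply to a server nonce: HMAC(nonce, canonical manifest).

    The nonce prevents replaying a reply captured earlier, but it cannot force
    the client to hash the files it is actually running (see demo()).
    """
    return hmac.new(nonce, canonical(manifest), hashlib.sha256).hexdigest()


def server_accepts(reference: dict[str, str], nonce: bytes, reply: str) -> bool:
    """Server side: recompute the expected reply from the shipped manifest and compare."""
    return hmac.compare_digest(challenge_response(reference, nonce), reply)


def demo() -> dict[str, object]:
    """Build a constructed game folder, modify one file, and run both checks."""
    work = Path(tempfile.mkdtemp())
    try:
        install = work / "game"
        (install / "data").mkdir(parents=True)
        (install / "game.exe").write_bytes(b"constructed executable bytes")
        (install / "data" / "textures.pak").write_bytes(b"constructed opaque wall texture")
        reference = file_manifest(install)  # what the publisher shipped

        pristine_copy = work / "backup"
        shutil.copytree(install, pristine_copy)  # an untouched copy kept by the user

        # A texture is modified on disk; the manifest check sees exactly this file.
        (install / "data" / "textures.pak").write_bytes(b"constructed transparent wall texture")
        changed = detect_changes(reference, file_manifest(install))

        nonce = b"constructed-server-nonce-0001"
        # Hashing what is actually installed fails the challenge...
        honest_reply = challenge_response(file_manifest(install), nonce)
        # ...but hashing the untouched copy passes it, which is the thread's point:
        # the server cannot tell which files the client hashed.
        copy_reply = challenge_response(file_manifest(pristine_copy), nonce)

        return {
            "changed_files": changed,
            "honest_client_accepted": server_accepts(reference, nonce, honest_reply),
            "copy_reply_accepted": server_accepts(reference, nonce, copy_reply),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The manifest check is still worth having: it catches accidental corruption and casual file edits cheaply. What it cannot be is the trust anchor, because the hashing code and the files it reads are both under the user's control; that is the gap kernel anticheat and locked platforms are trying to close.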

[–] [email protected] 4 points 1 month ago (1 children)

One Minecraft server I played on installed a program for blocking x-ray hackers (a type of hack that lets you see valuable ores through walls so you know exactly where to mine).

The anti-xray mod worked by reporting to the user that the blocks behind a wall are a jumble of completely random blocks, preventing X-ray from revealing anything meaningful.

This mod resulted in massive lag, because when you are mining, every time you break a block, the server now needs to report that the blocks behind it are now something different. It basically made the game unplayable.

The server removed the mod and switched to having moderators use a different type of x-ray mod to look at the paths people mine in the ground. Those using x-ray hacks would have very suspicious looking mines, digging directly from one vein to another, resulting in erratic caves. Normal mining results in more regular patterns, like long straight lines or grids, where the strat is to reveal all blocks in an area while breaking as few as possible.

Once moderators started banning people with suspicious mining patterns, hacking basically stopped.

It’s possible to still hack and avoid the mods in this kind of system by making your mines deliberately look like legitimate patterns, but then the hacker is at best only slightly more efficient than a non-hacker would be.
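The moderator approach described in this comment (judge the shape of the mine rather than the client) can be turned into a server-side heuristic. This is an added Python example, not the server's actual mod or any real plugin; the two mining paths and the thresholds are constructed for illustration. It scores a sequence of broken blocks on two features the comment names: how often the path changes direction, and how often a broken block is ore.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dig:
    """One broken block along a player's mining path (constructed sample data)."""
    x: int
    y: int
    z: int
    ore: bool  # was the broken block a valuable ore?


def _step(a: Dig, b: Dig) -> tuple[int, int, int]:
    """Direction vector between two consecutive broken blocks."""
    return (b.x - a.x, b.y - a.y, b.z - a.z)


def mining_features(path: list[Dig]) -> dict[str, float]:
    """ore_ratio: fraction of broken blocks that were ore.
    turn_ratio: fraction of consecutive block pairs where the digging direction changed."""
    if len(path) < 3:
        return {"ore_ratio": 0.0, "turn_ratio": 0.0}
    ore_ratio = sum(d.ore for d in path) / len(path)
    turns = sum(1 for a, b, c in zip(path, path[1:], path[2:]) if _step(a, b) != _step(b, c))
    return {"ore_ratio": ore_ratio, "turn_ratio": turns / (len(path) - 2)}


# Constructed thresholds: a straight branch mine hits ore rarely and rarely turns;
# digging directly from vein to vein does both often.
ORE_THRESHOLD = 0.25
TURN_THRESHOLD = 0.5


def is_suspicious(path: list[Dig]) -> bool:
    """Flag for moderator review only when both features are high at once."""
    f = mining_features(path)
    return f["ore_ratio"] > ORE_THRESHOLD and f["turn_ratio"] > TURN_THRESHOLD


# Constructed sample paths.
# A normal 20-block tunnel along x at y=12 that happens to cross one ore block.
STRAIGHT_TUNNEL = [Dig(x, 12, 0, ore=(x == 15)) for x in range(20)]

# A zig-zag path that turns at every block and ends each hop on an ore block.
VEIN_HOPPING: list[Dig] = []
for i in range(10):
    VEIN_HOPPING.append(Dig(i, 12, i, ore=False))
    VEIN_HOPPING.append(Dig(i + 1, 12, i, ore=True))


if __name__ == "__main__":
    for name, path in (("straight tunnel", STRAIGHT_TUNNEL), ("vein hopping", VEIN_HOPPING)):
        print(name, mining_features(path), "suspicious" if is_suspicious(path) else "ok")
```

Requiring both features keeps a lucky straight tunnel from being flagged, and it matches the comment's last point: a cheater who digs in legitimate-looking straight lines drives the turn ratio down, but also has to break non-ore blocks to do it, so the ore ratio drops with it and the advantage shrinks. Thresholds like these belong in a review queue, not an auto-ban.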

[–] [email protected] 3 points 1 month ago

That's kind of my point with hacks like player highlighting, I feel like a good user-reporting system would get us a lot of the way there. E.g. If someone is using see through wall hacks in an FPS I feel like it would be pretty obvious for other players to tell in a lot of cases. Other times things like erratic movements from aimbots could probably be detected by the server.

[–] [email protected] 17 points 1 month ago* (last edited 1 month ago) (1 children)

It has comparable access, yes, ~~but assuming no malicious intentions, it's extremely unlikely that they achieve something as catastrophic.~~

~~If they fucked up in a similar fashion, that would cause your PC to bluescreen, too, but since League does not start up during boot, you could still use your PC, just not League.~~

Nope.

[–] [email protected] 37 points 1 month ago (2 children)

Vanguard doesn't care if LoL or valorant or any other game is running. Vanguard is in your kernel and will be starting regardless.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago)

Huh, seems like you're right:

> Riot Vanguard is an on-boot application. That means if you do choose to disable it and later decide you’d like to play VALORANT, you will have to restart your computer.

https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard

I guess, it's only user-space drivers which Windows can load at runtime then?
At least, I'm hoping that's a technical limitation of Windows. Otherwise, this is fucking stupid.

Well, it always is fucking stupid, but it would be even more so.

[–] [email protected] 18 points 1 month ago (4 children)

This is correct, as in Windows a driver is the most straightforward method to runlevel0 access. It absolutely could at any time do exactly what CrowdStrike did. But so could Nvidia/AMD with GPU drivers, your motherboard manufacturer with chipset and RGB drivers, etc. It's not quite the smoking gun people make it out to be, as there are a lot of legitimate reasons to have this kind of system access.

The egregious part was that crowdstrike users agreed to allow a vendor to bypass canary channels and deploy straight to their endpoints.

[–] [email protected] 1 points 1 month ago

One important thing about CS was that it's also marked as a boot-start driver. That flag tells the OS that it can't boot without it no matter what happens, aside from safe mode. And IIRC if your driver doesn't have that flag, which drivers probably shouldn't have, then from how I understand it, if such a boot loop would happen due to a faulty non-boot-start driver, the system will recognize that and simply disable it.

[–] [email protected] 0 points 1 month ago

Of course it's not a smoking gun. That's the wrong metaphor. It's an extra stick of dynamite that isn't needed, just waiting to explode at the flip of a coin. That there are other sticks of dynamite doesn't negate the risk posed by this one.

[–] [email protected] 7 points 1 month ago* (last edited 1 month ago) (1 children)

And that's the problem: like CrowdStrike, Vanguard will update itself in the background, unlike your GPU driver, which you need to go through an update process for explicitly. So if the same thing happens where they push a bad update, the same outcome of causing failed boots without prompt could happen.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (1 children)

Does Vanguard not seek testing and validation by Microsoft before pushing updates?

I saw the recent video from the Task Manager designer Dave's Garage on YouTube, lack of thorough official validation seemed to be an important part of the CrowdStrike problem.

[–] [email protected] 1 points 1 month ago

Microsoft testing updates? They have an extremely bad track record of that.

My information might be a bit outdated, but Microsoft themselves only test on virtual machines and let their Windows Insiders do the rest. Unfortunately that doesn't include many use cases in production.

So we sysadmins have to either test all Microsoft software/updates ourselves and/or fix mistakes from Microsoft after they were rolled out. That has caused thousands of hours of downtime this year alone in my company. All users combined, that is.

Unfortunately management just believes whatever the sales/marketing teams tell them.

[–] [email protected] -1 points 1 month ago

Yeah, but Windows, AMD etc. get through the Microsoft driver signing, which is the process where Microsoft checks if the driver is broken or not. The CrowdStrike driver got its updates via microcode. Think of the driver as an engine that runs code from a file. The driver was signed, but the code it executed was broken. I don't know how Vanguard handles updates, but I guess they take a similar approach as CrowdStrike did and only got their "engine" signed but not the actual code that the driver executes. Else they need to re-sign their driver every time they do updates, and that would be costly and slow.

[–] [email protected] 11 points 1 month ago* (last edited 1 month ago) (2 children)

Theoretically it should only be running during gameplay, and that's probably true as I'm sure security researchers would've pointed it out if games installed a persistently running rootkit. So it's different than Crowdstrike which was running immediately from boot.

So there is that, if it caused your PC to crash it should be fine after reboot. The driver has God power though as far as your PC goes so if it was the point of entry for a malicious attack you could be really screwed.

Edit: apparently I'm wrong and it runs all the time what the fuck

[–] [email protected] 11 points 1 month ago

It runs all the time and launches during boot. A ring 0 anticheat that only runs while the game is running would be even more pointless.

[–] [email protected] 26 points 1 month ago (1 children)

Vanguard is always running at all times.

Honestly no idea why it isn't considered malware.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

For the same reason spyware and adware are no longer malware categories scanned for by antivirus software: our fucked-up economy, and because average people accept everything, no questions asked.
