As someone who's messed around with the League of Legends Client and Riot Games' APIs before, I can tell you that Riot also uses RTMP and XMPP requests, not just HTTP requests, so you're not guaranteed to catch quite literally everything they might be sending with a simple HTTP debugger. As for the API that's running on localhost, that's basically just a wrapper for the actual League of Legends/Riot Games APIs

it being spyware was less the concern than the inherent security/operation risk of giving it kernel access

I know Vanguard actively pokes at your files. Had my AV ping that Vanguard was messing with some files, as it had trigged a PUP / Malware notification.

remember the cat ears

Hello, just to clarify something, Riot can, at anytime, request data on your computer using Vanguard, including when you're not playing, they need to do that manually

A root-kit is still a root-kit.

i've been wondering: since the crowdstrike fiasco happened, whats stopping a similar situation from happening, but with vanguard instead?

The games that use Vanguard can’t be thaaat good to warrant the use of software like this tbh. I don’t think there’s any video game worth compromising security of your system for

Just because it's not currently a problem doesn't mean it won't be in the future. For example, when ESEA was used to mine bitcoin, basically creating that meme. Would be cool if you had the old ESEA client that did that.

With League's source code already having been stolen once and Riot being owned by Tencet, I'll still feel a little iffy about having Vanguard on my PC at all times, no matter what the truth of the matter may be.

If you are suspicious, they are spying on you If you're not, you need to know that they can, and the worst part is that you don't even know if you're being spied on or not. Also about people creating cheats: if Riot can do anything they want remotely, just by sending any instructions to anticheat, then they would just be being stupid to insert anything bad into anticheat, it's much better to just pick anyone and then send any control command they want.

Dispite most of the evidence says that Vanguard is safe as of now, I still wouldn't trust it anyway. 1. The screenshot thing shouldn't even be there in the first place. The server can do whatever they want without making changes to client installations. A bad command can go wild and it's going to be hardly detectable since nothing has changed on the client side. 2. Kernel access can bypass almost all permission checks. Drivers can read/write physical memory and get data there. Though it is going to be extremely difficult to implement. Nevertheless, state sponsored attackers from certain countries have built quite a sized digital arsenal full of complex tools, and god knows what else is in the bucket. Also, it's VMP packed, which makes hiding control flow easier than ever. 3. Kernel level malware is usually for persistence and evasion. Yes, your stealers can work on pure userland and there are just too many ways to evade AVs if you know what you are doing (wink wink). However, making an obfuscated kernel driver makes analysis much harder and it's much easier to mess with AVs with ring 0 access. 4. On the bright side, drivers nowadays must be signed by Microsoft. But malware do slip through the filter from time to time. Recently ESET found an adware sample with a Microsoft signed rootkit. It's not going to stop dedicated bad actors from doing awful things. 5. What is the data being sent to the servers? 4MB of data is quite large imo. If it was just signed with complicated custom algo, I would give it a pass. There is no need to make outbound data obsure to users given that it is sent via HTTPS. If it takes this many security and privacy compromises to play a game, no thanks. I'm good.

the problem is that vanguard has to be turned on and running the entire time when you have your pc on before you can play

I uninstalled LoL the minute Vanguard crashed my PC when it first came out. I do not trust Riot one bit, I have seen how they run the game over many many years, I have played since beta 2009. But Vanguard was the final straw at that stage was only a casual player anyway and I would play on & off, but I used to play more serious, I don't feel like the system for me is worth the hassle, I completely against an anti-cheat system that goes kernel level access. I don't think game developers should be allowed to do this & should be banned.

came out of my way to remind you all that eric will put on cat ears for 100k subscribers

I uninstalled Vanguard because it kept causing BSODs when I was playing games with Easy Anti Cheat. Well, luckily I'm not missing out on anything

Cloud strike said get the hell outta the kernel

The main problem with Vanguard is not that it's a spyware - the problem is that it's written just like every other code from Riot Games. It caused a bluescreens for me SINCE THE RELEASE and yet Riot Games is still saying it's not Vanguard's fault and it's not possible. Welp, just like Crowdstrike showed - it is possible, because it's a big unknown what is applied to the windows kernel and what makes it so unstable for some configurations.

thanks for using darkmode, makes it easier to watch for me in the mornings

Wow, so Vanguard only takes screenshots of your game or entire screen, such a relief!

The fact the anti cheat doesn't close when the game closes, and made in china worry a lot of people

Would love to see more videos regarding kernel anti cheats / drivers, maybe more insight on what could be done with kernel and malware, anyways love your vids, keep it up 🔥

Short answer: Yes Long answer: Yeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeees

14:32 is the highlight of what you guys wanted as an answer.

I feel like for all your projects having mitmproxy running on it's own box in its own vlan where all http/https traffic is redirected from say a pfsense box would be easier and allow capture of this sort of traffic.

More startup programs increase vulnerability exposure, especially kernel based ones

i remember when maplestory added a different anticheat/hack detection program, i don't remember the name of it now since that was like 8 years ago, but anyways i stopped playing because it creeped me out, i noticed my hdd activity was way higher then it should've been so i used process hacker to watch the disk activity and noticed it was scanning every single file on the hdd, and making a log, and then afterwards made a connection and sent roughly the same amount of data that was in that log. so i just assumed they were for some reason spying on the entire directory structure of my hdd instead of merely just acting as an anti cheat and never played a nexon game again.

"Everything that has the ability to be spyware, can and will be used as spyware". A game is not worth your data, remember that.

Eric, know that you can't escape from that reply. We'll never forget about it.

What if they just save it all and send it at boot when you cant monitor the network lol

I'll never install anything epic games or riot related on my PC.

My biggest issue with it is how it enforces TPM 2.0 on windows 11, but runs fine without it on windows 10? I have an i7-3770k with a GTX 980ti that runs the game at over 200FPS, but as we're approaching Win10 end of life in 12 months, i won't be able to play. I have both Win10 and 11 dual booted, but obviously no TPM 2.0 module as my mobo doesn't support 2.0. it's just ridiculous to say "buy a new computer" when my current computer runs the game beyond fine!

I don’t live in America so I’m confident that a major breach will be a guaranteed class action lawsuit.

start the vgc service, then run all the vanguard exe’s thats how i get around vanguard being turned off during runtime

great video! thanks for the in depth and transparent video about vanguard. i personally was skeptical of the usage considering tencents background, glad you took a look for us.

Awesome video as always! I'm curious though, I want to use HTTP Debugger for something else but virustotal has 13/63 detections on the installer. Is it safe to use?

Its all relative to the end-user, if you don't trust it, don't use it. I don't trust it myself, so I don't use it. While its surprising to see that there hasn't been anything of real concern found, its also obvious that something could easily be added without anyone noticing (for a short time at least) for example: the screenshot system in Valorant being exploited to screenshot anything outside of the game at anytime - game open or not. Either way - its your choice to be a user of the software :)

Who cares about the anticheat, when the League of Legends requires you to open ports on your computer and accept inbound connections?

Riot is owned by Tencent now - Yikes.

Why do they make the game crash if you try to attach x64dbg? The memory is protected by the kernel driver, you can’t attach, it’s so useless.

I’ve already watched two of your videos within the last hour. I plan on watching more. You’ve got yourself a new subscriber. This is the content I crave for. Highly interesting videos. 😁

also, i didn't play any of the riot games for mouths now i know how anti depression pills feel like + crack addictions quaking their additions

I'm still not installing a game that requires kernel access.

Hello Eric! Thanks for the video. I still don't trust riot. I think they haven't done a bad actor thing with vanguard. Knowing about the player profiling done before anti-cheats(not spesific to riot). Only danger it has is(my opinion) bsods and possible hdd or ssd failures. Which happened to my hdds before. Not because vanguard but because bsods. Vanguard -> bsod -> ssd/hdd failure.

I highly recommend using the CyberChef when messing around with unknown data, it's a great tool for that.

nope. its spyware, they can update/change it at anytime adding more spyware methods. without us knowing

I don't think people take into account the amount of computing power it would take to record and analyze every single person playing the game's computer and screen in real time. If they see blatant signs of cheating, of course they're going to investigate further. And if there's no reason to then save the time and money and don't investigate further

i wouldn't know anything about taking apart the vanguard software itself, BUT i (and many others) had a nightmare experience trying to get valorant and vanguard off my computer. seriously, task manager doesn't end vanguard, you have to take such a roundabout method to get it off. i'm not saying that's inherently suspicious, but it does attest to the stubborn and relatively invasive design of vanguard.

Is is spyware? no its far worse than that.

Vanguard is what made me switch to Linux.

aint gonna install a info stealer to play a game

CCP so automatically yes.

It probably cannot even spy properly, worst anti cheat in history of anti cheats

Long answer is yes, short answer is yes.

Short answer: yes it is

Is Eric Parker spyware? jk

A video about BattleEye and Easy Anti-Cheat would be nice as they also ask for administrative permissions and I am under the suspicion that they do similar stuff to this.

if you have root level access. can you send packets without the OS noticing them?

genuine question, why are people more freaked out about kernel anti cheat being spyware than literally any other anti cheat or program? you don't need kernel level access to do spying

Finally a good analysis, not like other self proclamed security researcher

Do Easy Anti Cheat and Denuvo anti tamper. A lot of people on Steam complain about these two.

Short answer: Yes! Long answer: Yes! It's also made by Chinese company Tencent (they have owned Riot since 2009) and goodness knows what it actually does with all of the BSODs computers have gotten from it!

How much did they pay you?

I would love to send you software and hardware from my industry. It's packed full of spyware and these older guys don't know a lot about computers.

if it was they would've been sued by now... right?

How exactly is this anticheat so effectively able to detect virtualization? Couldn't someone instead create a custom BIOS with an SMM payload to analyze it, or can it detect that too?

You only looked at user-space requests, not kernel space obviously there's nothing when the client isn't running, because well, THE CLIENT ISN'T RUNNING, NOTHING IS SENDING USER-SPACE REQUESTS. Afaik vanguard dynamically loads modules from internet on every launch, which literally makes it a glorified modular RAT. It doesn't have to be just a sussy screenshot module, could be a proper malicious payload. Nobody would ever realistically find out even if you only targeted particular users or just avoided users with RE software installed and even then it's so hard to analyze this thing. You finding out absolutely nothing with this method is the only expected outcome, and doesn't provide literally any insight as to if its spyware or not. I'd rather say that a kernel anti-cheat from a funny Tencent owned company which streams modules from internet is not trustworthy by any means.

how about genshin anticheat?

Will you check other anti cheats as well? (like EAC)

CCP paying well?

Short Answer -- Yes

Spyware and rootkits are different kind of malware’s, aren’t they?

any kernel level app that wants to act as a driver (which anticheats commonly do) needs to be analised by microsoft on sourcecode level in search of something like spyware, so since vanguard is allowed kernel access on windows then at the very least microsoft deemed it safe and wether you trust microsoft or not is up to you, lately they seem to be partial to extensive data collection themselves look, what i'm trying to say is your furry feet pics folder is probably safe and/or outside of anyone's interest

Look. Don't be so blue eyed. It is certainly possible to abuse it, and the amount of data that's sent back to them is large, so it's essentially a kernel level spyware that's always active.

Sorry, umm... Van- What?

they shouldnt make KERNEL LEVEL anticheat and us - players, should do something about this but we cant

Sorry bro but the text is too small on wireshark, we can’t read anything

In the way you mentioned screenshoting via server requests and comms being sent in and out I wonder how hard would it be to setup a MITM hack for banking to intercept and spoof a bank's MFA authentication via an always on anticheat...

Is KZbin listen to us? I know yes

vanguard has always been suspicious, always.. could you do VAC? it would be interesting to see what it does considering it doesnt work

hi eric, i'm a huge fan of your videos and how you're telling about "Hacking". have you recently heard of a new discord hack that is ongoing..

You should take a look at the DRM enigma next.

i was thinking abt it for a bit and i was seeing it pop up everytime so

I realy don't like the Valorant Anti Cheat it's absolutely atrocious what there is going on

but if it takes a full screen shot it mean it will be only the valorant no? if your playing with full screen

I heard you have something to do with cat ears, so I subscribed... I'm waiting.

Could you please make a video about the effectiveness of EAC in linux? I play dbd and other games on linux but afaik EAC hasnt kernel access on linux so i wonder how effective it is. Especially since the r6 dev said they wont enable battleye for proton since "linux is on open door for cheaters" (I just wanted to check if i correctly cited them and their second response about it being an open door for cheaters is gone, time to hope again)

can you do video using Frida for protected malware samples ?

hey Eric, is League playable on Qemu GPU Passthru with that Vanguard ? Asking for tutorial 🙏🏻

i wanna know how hacker keep cheating in cod warzone... is it that easy??

i dont think they need that in there with tiktok and temu on everyones phones

Glad you did a video over it😊

Wear. The. Cat. Ears. At. 100k🔥

could you cover other anti-cheats such as nprotect gameguard, xigncode3 and implementations of EAC?

please enable dark mode for uc for the love of god

idea for you next video see if blitz spy on us

Please more cheat related content. Good videos, keep it up!

Make a video on VAC

Vanguard no longer uses vmprotect

If you don't want to get involved with the doubt about vanguard being a spyware, you just dont install LoL and that's all, just live your life happily forever XD