Vanguard Kernel-mode Driver Download [UPD]

So I was running a random check-up on my laptop today and it showed an alert saying Kernel mode is not on and when I checked it, it showed that vgk.sys as an incompatible driver. I tried looking online for a solution but so far no luck.

The main difference between the different levels of privilege is the accessability of memory and instructions. User mode (ring 3) applications are isolated from kernel mode (ring 0) appliations, because kernel-mode determines how user-mode behaves, and usermode-mode applications therefore cannot access kernel memory. In the world of computers, the closer you are to hardware, the more control you have. Thus a lower privilege means greater control. This is of course grossly oversimplified, but for the context of this article, it is sufficient.

Vanguard Kernel-mode Driver Download

Download Zip 🔥 https://tiurll.com/2y3YT8 🔥

This is wrong. The SYSTEM user on Windows is also in usermode, and is merely a different session with few limitations used to schedule services more easily. This is not a security measure, and stating that you need SYSTEM-permissions on your user(??) to unload a kernel-mode driver is wrong. Unloading kernel drivers is as easy as stopping the registered service for them, which you can do by using the command sc stop . This of course relies on the fact that the driver has set its unload routine in kernel.

The kernel-mode driver is the client's bodyguard, basically. It doesn't collect data about your PC or send anything to Riot: It looks at other drivers and blocks them from running if it detects that they have a known vulnerability that could be used to compromise the anti-cheat client. (Vanguard blocks fewer programs as of an update in May, and in the future may prevent Valorant from running instead of blocking the offending software.)

The primary argument against letting Riot run a kernel-mode driver on your PC is that if someone found a security vulnerability in it, the consequences could be much worse than if a vulnerability were discovered in regular, user-level software.

Regarding that last point, it's actually common for anti-cheat software to utilize kernel-mode drivers. EasyAntiCheat does, and it's used by a ton of games, including Apex Legends. BattleEye also does, and it's used by high-profile games such as Rainbow Six Siege and PUBG. Just like Vanguard, these anti-cheat programs block other kernel drivers that contain security vulnerabilities.

When it was first introduced, Vanguard blocked certain drivers, and multiple programs can use the same drivers, which led to it preventing certain temperature monitors, fan controllers, and overclocking tools from running.

For example, Vanguard wouldn't let me run a program called Core Temp, which reads and displays the temperature of each CPU core. Why? Riot would only speak in generalities. "Vanguard blocks drivers with known security vulnerabilities (usually privilege escalation via arbitrary memory writes) that allow cheat developers to load their cheats into the kernel without approval from Microsoft," wrote Valorant anti-cheat lead Paul Chamberlain in a Reddit post.

That policy has changed. Vanguard still blocks "a small number" of drivers, but no longer blocks most of the software it used to, including Core Temp. From here on, Riot says it will "prefer non-invasive solutions." If it can't get a program running with Vanguard in a way it likes, it'll prevent you from playing Valorant rather than prevent the program from running.

According to a representative from FaceIt, another anti-cheat solution which blocks the same driver, Interception "is used by cheats to generate fake input, which is also the reason other [anti-cheat programs] block it."

Earlier this year, Riot informed players of its security update from a user-mode driver to a kernel-mode driver. The benefits of updating included aimbot detection and protection from high-privileged cheats camouflaging as legitimate data. Players did not suspect much concern until the release of Valorant.

Vanguard consists of a client, platform, and kernel-mode driver. The client keeps track of anti-cheat detections in Valorant. Meanwhile, the driver runs at startup and is used by the client to monitor memory, data, and any disruptions. The platform is what causes the driver and client to do their jobs while allowing the player to play.

Riot Games has made it clear that Vanguard will not collect personal data. The reason the developer resorted to a kernel-mode driver is to combat any high-level cheats. Vanguard has even been checked and approved by Microsoft through its code-signing process.

Not all users experience this, but enough people reported it for it to get attention. I am waiting to hear back from Riot Support, as vanguard stuttering happens while internet browsing (and overwatch) and causes my computer start up to go from 15 seconds to 3 minutes.

This would pretty much cancel all of the lazy AHK color pixelbots, which was the aimbot everyone saw on day 1 of valorant as the architect explains that AHK is currently greenlighted by vanguard, although they will probably start implementing restrictions soon.

While the Vanguard anti-cheat client only launches when Valorant is being played, Riot says the system also makes use of a "kernel mode driver" that starts operating as soon as Windows boots up. That's a big change from Riot's pre-Vanguard anti-cheat systems, which operated entirely at the more common "user mode" level, just like most Windows executables.

With Vanguard, Riot would like to patch up this hole with a kernel-level driver that can hopefully detect any and all abnormalities running at the user level. That doesn't make the game impervious to other kernel-level attacks, of course, but it "requires a different (more strenuous) approach from cheat developers to attack," Riot anti-cheat lead Paul Chamberlain told Ars in an email.

"The Vanguard driver does not collect or send any information about your computer back to us," Riot Anti-cheat lead Paul Chamberlain added in a Reddit post this week. "Any cheat detection scans will be run by the non-driver component only when the game is running."

At the kernel level, any flaws in Riot's driver code could create system-wide, "blue screen of death"-style crashes, as opposed to more localized application-specific glitches. And a serious oversight in the driver, like a buffer overflow exploit, could let an attacker install their own malicious code at an extremely low level, where it could be extremely dangerous.

"Whenever you have a driver like that, you're at risk of introducing security and reliability issues to the computer," independent security researcher Saleem Rashid told Ars. "You don't get as many exploit mitigations in device drivers as you do in normal applications, and a bug will crash the entire OS, not just the game."

"DRM like this probably stops cheating in the very near term, but I'm not convinced it helps in the long run," Rashid continued. "All it takes is for someone to analyze the driver from outside of Windows and then apply similar techniques they use to defeat other anti-cheat systems. So it looks like it introduces a large attack surface for little benefit."

Writing on Reddit, Chamberlain downplayed these risks. "We're... following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn't run unless the game is running)."

Chamberlain expanded on that statement in an email to Ars: "The primary responsibility of the kernel driver is to create a protected environment for the rest of Vanguard (and the game) to operate in. If the integrity of the anti-cheat system is ensured, then almost everything else can happen entirely in user-mode."

Chamberlain also told Ars that Riot's own Application Security team was aided by the services of three separate external security groups to audit Vanguard before it was rolled out. That includes one group that was focused exclusively on the driver and another that performed "black box" attacks on the system from the outside.

If a kernel-mode code execution bug was found in Vanguard's drivers, Chamberlain says the system has been set up "to be easy to update on whatever cadence is required (separate from game update cadence) so we would likely be able to respond within hours." During those hours, Vanguard would be disabled on the game, and players would be instructed to uninstall it in the meantime.

"In extreme cases, we would work with our patcher team to automatically remove Vanguard from all players' computers," Chamberlain added. "After we had pushed a fix or removed the driver, we would work with Microsoft to get the vulnerable driver blacklisted."

So for now, at least, you probably don't have much to worry about by installing Riot's anti-cheat driver on your system. But if hackers find any exploitable errors in that driver, users will have to trust that Riot will be able to find and fix them promptly enough to keep their systems safe from attack. And that's a level of trust Riot seems to be taking pretty seriously, all things considered.

Riot Games' new team shooter Valorant has an anti-cheat system called "Vanguard" that has raised some security concerns. When the game launches, the Vanguard client loads with it into the userspace. However, there is a kernel-mode driver for the system that loads when you boot into Windows.

Riot claims that it needs this since some cheating software uses kernel-mode drivers to evade detection. Regular applications cannot detect kernel-mode drivers because of the higher privileges required.

Even if you do trust game developers that they 100% aren't doing bad things, you should be aware that any developer can miss bugs in their software. Bugs in kernel drivers would mean possibility of attacks on your PC that will have unlimited access to everything.

Let's say you forgot that you have vanguard/ricochet/whatever installed and decided to play any single player game with cheats because you want infinite health/ammo/etc. No biggie, right? But do you really want activision/riot/someone else to know that you are running that stuff? They could easily mark whoever they want as potential cheaters and good luck proving them wrong. 2351a5e196