
Riot Games Is Making an Anti-Cheat Change That Could Be Rough On Older PCs (arstechnica.com) 57

An anonymous reader quotes a report from Ars Technica: At this point, most competitive online multiplayer games on the PC come with some kind of kernel-level anti-cheat software. As we've written before, this is software that runs with more elevated privileges than most other apps and games you run on your PC, allowing it to load in earlier and detect advanced methods of cheating. More recently, anti-cheat software has started to require more Windows security features like Secure Boot, a TPM 2.0 module, and virtualization-based memory integrity protection. Riot Games, best known for titles like Valorant and League of Legends and the Vanguard anti-cheat software, has often been one of the earliest to implement new anti-cheat requirements. There's already a long list of checks that systems need to clear before they'll be allowed to play Riot's games online, and now the studio is announcing a new one: a BIOS update requirement that will be imposed on "certain players" following Riot's discovery of a UEFI bug that could allow especially dedicated and motivated cheaters to circumvent certain memory protections.

In short, the bug affects the input-output memory management unit (IOMMU) "on some UEFI-based motherboards from multiple vendors." One feature of the IOMMU is to protect system memory from direct access during boot by external hardware devices, which otherwise might manipulate the contents of your PC's memory in ways that could enable cheating. The patch for these security vulnerabilities (CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, and CVE-2025-14304) fixes a problem where this pre-boot direct memory access (DMA) protection could be disabled even if it was marked as enabled in the BIOS, creating a small window during the boot process where DMA devices could gain access to RAM.

The relative obscurity and complexity of this hardware exploit means that Vanguard isn't going to be enforcing these BIOS requirements on every single player of its games. For now, it will just apply to "restricted" players of Valorant whose systems, for one reason or another, are "too similar to cheaters who get around security features in order to become undetectable to Vanguard." But Riot says it's considering rolling the BIOS requirement out to all players in Valorant's highest competitive ranking tiers (Ascendant, Immortal, and Radiant), where there's more to be gained from working around the anti-cheat software. And Riot anti-cheat analyst Mohamed Al-Sharifi says the same restrictions could be turned on for League of Legends, though they aren't currently. If users are blocked from playing by Vanguard, they'll need to download and install the latest BIOS update for their motherboard before they'll be allowed to launch the game.
Riot's new anti-cheat change could create problems for older PCs if it is expanded, notes Ars.

The update relies on a BIOS patch to fix a UEFI flaw, and many older motherboards, especially Intel 300-series and AMD AM4 boards, may never receive that update. If Riot flags a system and the manufacturer doesn't provide a patched BIOS, players could be locked out of games despite having otherwise capable hardware.
  • Is it worth being in prison to play games? Or will you taste freedom instead? This was all predicted on Slashdot over 20 years ago when Microsoft announced "trusted computing" aka Palladium.
    • Is that fair? If Linux was the primary gaming platform, this exact same thing would happen. This is the result of a need that doesn't go away by changing platforms. A need taken too far, yeah, but that's not relevant. Cheaters are a problem for multiplayer games (so I hear, not my thing), so there's a compelling need to do something about it. Sadly, that means a Red Queen's race that goes through places I think you and I would prefer they not.

      While I agree with you 100% that what they're doing is BS

      • Blizzard has long had their Warden anti cheat system since the early days of WoW. You probably haven't noticed since it's pretty under the covers, by design it's low key.

        The idea these systems are onerous is correct but coming from people who don't play the game is an irrelevant opinion. These systems are not burdens forced on the players they are demanded by the player base.

        League alone is a top competitive title, people take it seriously and if the games are easily cheated players will leave, the whole t

      • by gweihir ( 88907 )

        Is that fair? If Linux was the primary gaming platform, this exact same thing would happen.

        No. Apples - Oranges.

    • by Archfeld ( 6757 )

      I'm thinking you have no clue what prison is like.

    • Games are mere toys freely adopted and freely abandoned. There is no "prison" and such hyperbole is absurd.

      Of course your comment on Palladium is correct, but games are mere trifling amusement with no involuntary physical constraints like a prison cell.

    • The ruling class don't allow me very many pleasures in life so yeah. It's worth it.
    • by gweihir ( 88907 )

      Indeed. Well, not buying Riot Games stuff is my solution here.

  • No (Score:4, Insightful)

    by Valgrus Thunderaxe ( 8769977 ) on Friday December 19, 2025 @05:57PM (#65869939)
    You don't get to install a root-kit on my computer. There's 40+ years of computer games I'll never get through, and if I do, your game will be cracked by then, and you'll get no money from me.
    • I don't know if it could qualify as a root kit, but this is more than too far for a stupid videogame.
      • I don't know if it could qualify as a root kit, but this is more than too far for a stupid videogame.

        What if you could be paid $200k for it? Because that's how much some of the top players make playing the stupid videogame, and the fact that actual money is being spent and earned playing is precisely why this level of anti-cheat is imposed. There's too many pieces of shit out there who ruin online games.

        In other news you kick a ball around for fun on your own terms. If you play competitively you'll be subject to drug tests.

        • Does the ball come with a drug test before you can use it with your friends for fun? Because this ball in the article does.
          • The ball in the article can't be used with your friends for unapproved fun, period, because it can only be used on Company fields with company enforced rules.
            Like if Disney had invented Soccer.
          • Does the ball come with a drug test before you can use it with your friends for fun? Because this ball in the article does.

            The ball in the article can't be used by yourself or exclusively by your friends. Some games can't be played non-competitively. Kind of like when you kick a ball around, as soon as you field an 11x11 team you are guaranteed to be outside of the scope of your friends.

            The analogy holds quite well when you think about it.

        • Yes, it would still be a stupid game even if I got paid 200K for it. Just as "professional sports" is stupid. There are tons of jobs that aren't worth 200K in the world. "Pro Vidya Player" is one of them.

          IF for some reason I want to PLAY a sport I'm not going to be watching some other idiot play it for me while making my life revolve around "my" team. It's just as stupid. The only time athletic competition is even remotely interesting is the Olympics. And that's the best of the best in the world competing.

          • There are tons of jobs that aren't worth 200K in the world. "Pro Vidya Player" is one of them.

            People whinging that their skills are the only ones that matter and that they are upset that other people are entertained by other people's skill are the only thing that is truly stupid in this entire debate.

          • I do believe you are me.... I feel the exact same way about professional sports. These players are paid obscene amounts of money to kick balls around.. I refer to myself as being born withOUT the "sports gene". I care not a bit for pretty much anything that fits the term "sports".. Which is why I'm damn pissed off if I want to subscribe to Disney+ to allow the grandkids to watch the old Disney stuff, before Disney went woke, but I'm stuck paying for that sports abortion called ESPN... F--k ESPN...

        • by Bahbus ( 1180627 )

          Nothing wrong with drug testing, but they don't implant a mystery device inside your body to constantly monitor for drugs, which is essentially what Vanguard does. Vanguard creates more problems than it solves, and wouldn't even be necessary if Riot knew how to design a decent game correctly to begin with. Bunch of lazy graphics designers who can't code worth shit (and their designs are subpar too).

          • Nothing wrong with drug testing, but they don't implant a mystery device inside your body to constantly monitor for drugs, which is essentially what Vanguard does.

            No they don't. Your bodily autonomy is preserved, Vanguard isn't installed in your brain. That said there are a lot of competitive sports where the actual sports equipment is in fact analysed before and after the game, and some with real time monitoring too.

            • by Bahbus ( 1180627 )

              Your bodily autonomy is preserved, Vanguard isn't installed in your brain.

              Vanguard is installed into the brain of the computer and there is no drug testing that would be even close to equivalent.

              and some with real time monitoring too

              No, there is no real-time monitoring of drugs for any sports competition.

        • Fine, let the professionals use a locked down computer system. But let the rest of us just play a game for fun without the risk of brick?/crash?/infecting?/sandbagging/spyware on our own computer.
  • They seem to fear manipulation of the Microsoft hypervisor running VBS. Which is comforting in a way, at least we know their rootkit doesn't go that deep.

  • by alvinrod ( 889928 ) on Friday December 19, 2025 @06:02PM (#65869949)
    Doing all of this is completely unnecessary. First design your game so that the server never trusts the client. Don't give it more information than the human player could themselves see and never rely on any calculations from the client. That's still insufficient though, so it's necessary for the server to collect and analyze the data it receives from the client. Anything that frequently operates outside of the thresholds of human ability is cheating. Cheat programs are still programs and operate algorithmically and can be identifiable in that way.

    There's also the matter of what to do with the cheaters. You can ban them outright, but that's just information to the people selling the cheats. They can do A/B testing to detect the detection methods. I think that a better solution is to quarantine them so they only ever play other cheaters. Anyone falsely labeled will lose horribly in this environment and will be washed out of it. Everyone else will only be inconveniencing people as awful as they themselves are. None of it requires users to install or run invasive code on their own machines.
    • There's also the matter of what to do with the cheaters.

      I think it's best to silently cripple them so they suck at the game and lose a lot. Nothing overt, just a mild degradation of all their abilities.

      Make them miss some most of their shots and inflict less damage, make them heal slower, move slower, make more noise, etc etc. Handicap them just enough so that they seem to suck monkey balls at this game.

      Not all the time, not everywhere. Mess with them just enough so the game still seems legit but will always be a miserable experience for them.

      • I've read of games doing this, and other things.
        1. Cheaters get lag. 500ms ping equivalents make things hard.
        2. Cheaters get banished to cheater specific servers, all the cheaters get to play other Cheaters
        3. Public execution and account deletion.

      • Operation Flashpoint did it. And I think the next game from the company, the sequel did it too. Arma from Bohemia Interactive, not Operation Flashpoint 2 from shitty publisher.
    • First design your game so that the server never trusts the client.

      Congratulations, you just coded an unplayable lagfest. This has been tried, this has failed. And above all, even with your zero trust model you haven't covered a SHITLOAD of different forms of cheating which do work with zero trust as well as it turns out computers are faster than people.

      Anything that frequently operates outside of the thresholds of human ability is cheating.

      Whose ability? A good competitive player is indistinguishable from a cheater by someone in a lower tier ability. Once again you propose a solution that doesn't work, because you assume that people are generally even to the

      • "Congratulations, you just coded an unplayable lagfest. This has been tried, this has failed"

        This is nonsense.

        You don't have to detect cheating before it happens. You can detect it slightly after the fact and then retcon scores and ban players. This is almost as good, much easier, and doesn't create any latency.

        • by gweihir ( 88907 )

          "Congratulations, you just coded an unplayable lagfest. This has been tried, this has failed"

          This is nonsense.

          Indeed, it is. But doing it right requires baking security in from the start, and we have seen enough disastrous launches due to cheaters to know that the gaming industry is even less capable of understanding that than the regular software industry.

      • by Bahbus ( 1180627 ) on Saturday December 20, 2025 @12:03AM (#65870557) Homepage

        Congratulations, you just coded an unplayable lagfest. This has been tried, this has failed.

        False. Most major online competitive games actually already work under a zero-trust model. Though, without working directly on the games themselves, I can't make any assumptions about how thorough their zero-trust models are.

        And above all, even with your zero trust model you haven't covered a SHITLOAD of different forms of cheating which do work with zero trust as well as it turns out computers are faster than people.

        True. Pure server-side enforcement and authority isn't perfect. But its biggest weakness is visual cheats based on the data the server sent you. However, kernel level access for an anticheat is still completely unnecessary.

        Any time you think something is unnecessary and propose an alternative in an industry that has been battling these problems for decades, and has actual real money on the line (competitive Valorant players earn 6 figure salaries) know that someone has tried your idea and found it wasn't sufficient.

        And all those competitions for that real money are offline, in-person, and use tournament provided PCs - so Vanguard means nothing when money is actually on the line. Not to mention, games like Dota 2 and CS:GO have even *more* money on the line and neither of them find it necessary to run kernel-level anti cheat. Why? Because Vanguard is an over-engineered solution to a problem that A) wasn't that big and B) can be solved in easier ways. Riot is a lazy company with lazy developers. Instead of upgrading their code base and patching the holes that allowed for cheaters to begin with, they created half-baked, inefficient ideas that cause almost as many problems as it helps solve. And they're not going to back down now, because too much money has already been spent on it.

        It's like trying to get rid of Denuvo. Players know it causes issues. The game developers know it causes issues. Denuvo knows their product causes issues, but, of course, the company continues to lie and peddle its shitware to the *publishers* (who know nothing about game design or coding) who still think pirating costs them money. Denuvo isn't going to just pack up and leave on its own. They will instead continue to lie about their product while hoping to actually get said product improved to support the lie in the meantime. Riot is no different with Vanguard. Both put the cart before the horse. Both made promises about their software before the software was proven to work and now they are stuck chasing that promise that they'll probably never obtain.

        • False. Most major online competitive games actually already work under a zero-trust model.

          Actually major online competitive games work on a minimum trust model. There may not be client side computation, but there is plenty of client side trust involved in how content is displayed to be interacted with.

          Virtually every such "zero trust" game has an element of wallhacking for this reason.

          • by Bahbus ( 1180627 )

            Sure, some games do, but many newer games do not. Any games that have working wallhacks has nothing to do with trusting the client, but rather allowing more data than is necessary to be accessed by the client. There is no point in the game locally knowing about or rendering an enemy player on the other side of a wall.

      • Back in the days of Quake3 modding there were conditions of input that were not humanly possible simply due to the way the math worked out - for a time it was possible to detect a cheat client simply because the turning movements were a distance of '1' when the human input device coding of the official client for the mod made the value start at '2'. You can design game mechanics that can only input distinct ranges of input and detect when that input to the server doesn't fit the restrictions of the design.
    • You don't make multiplayer games for a living. Please stop talking, it's embarrassing ... for you.

    • by gweihir ( 88907 )

      Indeed. This is pure laziness and cheap design on the side of Riot Games, nothing else.
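
The server-side checks debated in the thread above (rejecting input the official client cannot produce, as in the Quake 3 mod case, and flagging input that frequently exceeds human thresholds) can be sketched as follows. This is an added example, not part of the original discussion or any game's code; every constant, name and sample stream is an assumption for a hypothetical game.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed protocol constants for a hypothetical game (not from any real title).
MIN_NONZERO_TURN = 2      # official client never emits a turn delta of magnitude 1
MAX_TURN_PER_TICK = 4000  # largest delta the client's input encoding can express
HUMAN_FLICK_LIMIT = 1500  # soft threshold: humans exceed this only occasionally
WINDOW = 200              # number of recent ticks kept per player
MIN_SAMPLES = 20          # do not judge a player on fewer ticks than this
SOFT_RATIO_LIMIT = 0.10   # share of "soft" ticks in the window that triggers review


def classify_turn(delta: int) -> str:
    """Classify one per-tick turn delta as 'ok', 'soft' or 'hard'."""
    mag = abs(delta)
    if mag != 0 and mag < MIN_NONZERO_TURN:
        return "hard"  # below the client's quantization step: not producible
    if mag > MAX_TURN_PER_TICK:
        return "hard"  # outside the range the design allows
    if mag > HUMAN_FLICK_LIMIT:
        return "soft"  # possible for a human, suspicious only when frequent
    return "ok"


@dataclass
class PlayerMonitor:
    """Per-player sliding window evaluated on the server, after the fact."""
    recent: deque = field(default_factory=lambda: deque(maxlen=WINDOW))
    hard_hits: int = 0

    def observe(self, delta: int) -> None:
        kind = classify_turn(delta)
        if kind == "hard":
            self.hard_hits += 1
        self.recent.append(kind)

    def verdict(self) -> str:
        # One impossible value is conclusive: the sender is not the official client.
        if self.hard_hits > 0:
            return "impossible-input"
        # Soft violations count only as a rate, so a single fast flick by a
        # skilled player does not trigger anything.
        if len(self.recent) >= MIN_SAMPLES:
            soft = sum(1 for k in self.recent if k == "soft")
            if soft / len(self.recent) > SOFT_RATIO_LIMIT:
                return "review"
        return "clean"


def evaluate(deltas) -> str:
    """Feed a recorded stream of turn deltas through a fresh monitor."""
    monitor = PlayerMonitor()
    for d in deltas:
        monitor.observe(d)
    return monitor.verdict()


# Constructed sample streams, for illustration only.
LEGIT_STREAM = [0, 2, -4, 6, 1800] + [10] * 50   # one fast flick in 55 ticks
MODIFIED_CLIENT_STREAM = [2, 4, 1, 6]            # contains the impossible value 1
SNAP_AIM_STREAM = [1600, 12] * 30                # half of all ticks above the soft limit

if __name__ == "__main__":
    for name, stream in [("legit", LEGIT_STREAM),
                         ("modified client", MODIFIED_CLIENT_STREAM),
                         ("snap aim", SNAP_AIM_STREAM)]:
        print(name, "->", evaluate(stream))
```

Because the verdict is computed from recorded input, it can run after the match, which is the "detect slightly after the fact" approach one reply describes and adds no latency to the game loop.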

  • "... a BIOS update requirement that will be imposed on "certain players" following Riot's discovery of a UEFI bug that could allow especially dedicated and motivated cheaters to circumvent certain memory protections."

    How sad that anyone would be this motivated to cheat, and even sadder that companies are basically forced to employ more and more draconian measures to combat it, burdening the legit players who just want to enjoy the game.

    In conclusion, cheaters suck- they ruin everything for everyone, everywh

    • I stopped playing multiplayer games years ago because I can't run my own server and only invite my friends and players I trust into it. Now I just play the single player version of more modern games that require a rootkit on a computer with no Internet access. Yo ho ho and a bottle of rum.

  • DRM (Score:5, Insightful)

    by Hentes ( 2461350 ) on Friday December 19, 2025 @07:00PM (#65870049)

    Let's stop pretending this has anything to do with cheating. The cat and mouse game has been going on for decades, yet there are more cheaters than ever. Cheating is impossible to stop on the user side, there are always going to be workarounds like players building a literal robot to move the mouse [pcworld.com]. But there is one way that can actually prevent cheating, in fact we've known about it for as long as games existed: playing with people you know and trust. Except you can't, because games don't have directIP and LAN modes anymore. Which makes it pretty clear that game devs don't actually give a fuck about preventing cheating, "anti-cheat" is just a rebranding of DRM.

    • You're operating under the usual 100% effective fallacy. No, players are not en masse building a literal robot to move the mouse. A tiny tiny tiny insignificant portion of players are building such robots and you're unlikely to ever encounter someone going to those lengths to cheat.

      Anti-cheat is about preventing the common cheats, that is people doing a google search, downloading and running a program.

      But there is one way that can actually prevent cheating, in fact we've known about it for as long as games existed: playing with people you know and trust. Except you can't, because games don't have directIP and LAN modes anymore.

      Except that is completely irrelevant. Most games have private modes. You can very much play with just your fr

    • You can set up a password restricted server? I am sure the game cloud industry would be happy to rent you one for a few days.
  • Surely, if they're essentially taking the game away from people who paid for it, those people are entitled to a refund, right?

  • "certain players"? why not have them play on locked down systems that are offline, that are at some event center and that are owned and setup by the event staff?

  • I used to play LoL a lot. But I've matured to a realisation that it's a massive, toxic waste of time. Your own skill doesn't matter. It's a team lottery while you waste your time and get grey hair.

    • If you had fun it wasn't a complete waste. After you've done enough to stay alive, what else is there other than fun and more survival security?

  • There is no game I want to play enough to compel me to jump through ANY of these hoops.

  • by Chelloveck ( 14643 ) on Saturday December 20, 2025 @03:36PM (#65871635)

    Seems to me like game developers are going at this the wrong way. You don't force invasive anti-cheat methods on the players... You offer them as a higher tier of service. Sure, the hoi polloi servers are full of cheaters. You don't want that, do you? Well, if your system can pass our 100% Certified Cheat-Free(tm) environment test, run our 100% Certified Cheat-Free(tm) drivers, and pay for premium access to our 100% Certified Cheat-Free(tm) servers, you can compete directly with the other elite gamers! You are an elite gamer, aren't you?

    The gamer bros with the 'leet gaming rigs will eat it up and will jump at the chance to prove their 'leetness. Oh, they may complain, but none of them are going to go back to the normal servers. That would be an admission that the only way they won before was by cheating. Meanwhile, people like me who run an 8 year old laptop and only ever go online because even the single-player mode demands it for some reason are perfectly happy playing in the cheap seats, without the intrusive spyware.

    * Certified Cheat-Free(tm) is a registered trademark and is not meant as a literal description of the end-user experience.

  • I no longer play Riot games due to this. I had a windows pc without TPM that I upgraded to windows 11 and their anti-cheat would no longer allow me to play. I bought a steam deck, and of course their games don't run there either unless you install windows.

    They are engineering themselves into less customers to prevent cheaters which they never seem to be able to do regardless of the things they do.

  • Turns out this isn't so much about anti-cheat as it is a severe UEFI vulnerability.
