Riot Vanguard Testing

There has been a lot of speculation about Riot, their new game Valorant, and their new anticheat / Chinese rootkit, Vanguard. I have seen a lot of FUD about this feature but I haven’t seen what I think is a level-headed analysis of what it actually does. I am interested in installing the software into a clean Windows 10 VM and then running Wireshark to try and see what kind of traffic there is at idle and system startup. I have never done this kind of analysis before but I do think I have the resources to make it happen. I have a Fortinet firewall and can create VLANs, do SR-IOV to give the VM a single physical NIC, do SSL offloading and then just watch the traffic.

Beyond the networking side, though, what could be done within the OS to prove that Vanguard is running and doing things locally even when the game is not running? I am thinking something like Procmon to just monitor for changes? That seems a little broad and I’m picturing having to filter a lot of noise with that method. Given that the vgk.sys file for Vanguard is a system driver, is there a way to monitor what drivers are doing?

I would appreciate any input either that I am on the right track or any suggestions to improve methodology to get to the bottom of this.

I don’t think Vanguard runs in VMs, nor will it let you run Valorant in a VM.
