over 5 years ago - /u/GDFireFrog - Direct link

Context and TL;DR

A thread was started in this subreddit that started a bit of a scare regarding our announced anti-cheat solution EQU8, which is a new solution made by Swedish startup Int3 Software. The main reasons why we chose EQU8 were that we experienced a high level of engagement and support, they were very receptive to our suggestions and their product doesn’t suffer from excessive loading times, unlike the only other solution that fit our requirements. In the thread it was claimed that EQU8 is excessively intrusive and some people were uncomfortable with a new product. We made as thorough an investigation into the claims as we possibly could with our limited time and resources, and we have resolved those concerns to our satisfaction. We found both the EQU8 product and their company to be as privacy-mindful as they could be given their product’s function. In this thread we will go through our findings and other background information.

The client-side anti-cheat market

Some people have asked in previous threads why we went with EQU8 as opposed to certain other anti-cheats, I’ll go through the options that people have mentioned. Note that this is a discussion of client-side anti-cheating, we are not getting into custom-made server-side or human-powered features that we have developed or plan to develop in-house, or 3rd party solutions that we may also use on the server side. (e.g: we’ve reached out to FairFight, which is a server-side solution, but this is irrelevant to this discussion: we could still have that and EQU8 working concurrently.)

  • Valve Anti-Cheat (VAC) from Valve Corporation

Too easy to bypass and out of consideration right away. Not to be overly critical of Valve’s system here: it makes perfect sense for them to have something extremely lightweight as a default system for Steam games. I think VAC has been great for what it is, i.e: the barest possible solution in terms of system privileges that no user could reasonably be spooked by. Unfortunately, it’s not the kind of thing that we need for Diabotical. While yes, VAC is used on very popular Valve multiplayer games, it relies heavily on known cheat signatures, so we’d expect a much lower detection rate than it has on a popular Valve in-house game like CS:GO, where there’s an opportunity and incentive to add the known cheats for those specific games to their database. It would be unreasonable to expect Valve to keep up with known cheat signatures for every game they distribute, and even if that was possible, this would still be only viable for well-circulated cheats. While CS:GO seems to get along fine (depending on whom you ask) with a combination of Overwatch and a weak client-side anticheat, we’d rather have that additional community oversight on top of a strong anti-cheat. Also, as a 3rd party game, VAC would be even weaker for us (this is just my educated guess). The rest of anti-cheats below all use system-wide privileges to detect both known signatures and a wider variety of events that would suggest the presence of a cheat even if it’s very rare and not part of any database.

  • BattlEye (BE) from BattlEye Innovations

As somebody commented in one of the previous threads, BattlEye seems to have a rep for being very effective at detection. However, it apparently comes at a cost: we found consistent reports about BattlEye being considerably heavier than Easy Anti-Cheat in its performance impact, so we discarded it early. At some point after release I would still like to contact them, test this for ourselves, and inquire if perhaps they have planned a future lighter version. As I said in a previous post on the issue, I would have liked to have more time and resources to do more objective testing ourselves rather than relying on user reports from other games. The feedback seems overwhelmingly consistent that EAC is lighter though, and that was a very important criterion for us.

  • Easy Anti-Cheat (EAC) from Epic Games

Easy Anti-Cheat is generally another good anti-cheat system that is also considered lightweight. In Fortnite, where both systems are used (not concurrently, users are assigned either one randomly on an account basis, it seems), users reported EAC as being lighter than BE. One issue we did encounter is that EAC was frequently reported to slow down the loading time of the game significantly. This was noticed by users in those games where you can turn off EAC, making a measurement of the impact possible. We did some objective testing in EAC games to make sure of this.

We benchmarked launch times in 4 games that you can start with or without EAC. We chose games with different engines to cover more bases: SCUM (Unreal Engine 4), Vermintide II (Stingray), 7 Days to Die (Unity) and Watch Dogs 2 (Disrupt). On average, EAC added 33 seconds to loading time on a cold launch (+36% of increased load time) and 21.7 seconds (+71% of increased load time) on a hot launch.

Overall EAC is also a nice product (and team) that I like which we could potentially work with but I’d like them to address the loading times. A specific concern is that we could be affected by this issue significantly: because of community contributions, a typical distribution of our game may accumulate over time a lot of files in the cache, and slow IO operations usually correlate with the amount of different files that are being read.

  • EQU8 from Int3 Software

We went with EQU8 mainly because we were getting a much higher level of availability than with other vendors that we contacted and it seemed to be on parity when it comes to effectiveness/performance with other options. This was confirmed by the studios that we contacted, which have also worked with other vendors previously, so they had a frame of reference. In the second place EQU8 doesn’t affect loading times significantly. This may seem like a minor issue to some but we have put a bit of work on making sure that the game loads fast so it’d be a shame if it became as slow to load as modern games usually are, just because of the anti-cheat. Not a big part of the consideration but a nice extra is that we help put a new product into the market. As things are right now if the whole industry were to coalesce under EAC, there would be much less incentive for them to keep dedicating resources to improve the product and promptly update it for new cheats, which is a concern on the long term. (Note that there is a long history of products in the anti-cheat category becoming abandoned or semi-abandoned.) EQU8 is similar enough to EAC (both being lightweight solutions) that it should force some competition.

We may still work with any of these options in the future, the notion of implementing multiple solutions is not that crazy; consider for example a scenario in which we have EQU8 for general use, then for online tournaments we have those players launch with an alternative anti-cheat solution to throw cheaters off, since now they have to bypass both systems for the same cheat and they don’t get to test it with the secondary system since it would only be enabled for tournaments. The current pricing model that some of these companies offer may not accommodate this but it is something that I plan to inquire about. Another reason to use a second system would be if it’s necessary to support another platform, and we are fine with doing that. As I’ve explained in other posts, integrating these solutions is fairly easy.

Landfall Studios (TABG developers)

We contacted Landfall Studios, the creators of Totally Accurate Battlegrounds, a game that uses EQU8 and whose community the original thread creator came from, and they were kind enough to spend some time answering our questions. We talked to one of the programmers and the community manager. Overall they seem pretty satisfied with EQU8. They told me that most of the issues that they had stemmed from the fact that they had to hastily put multiplayer support and anti-cheat together in 3 months. For context, initially they had a single player game, and they put together a multiplayer battle royale game as an April Fools’ stunt that eventually took off with a playerbase of its own.

They are happy with the level of support that Int3 Software provided to them compared to their previous solution. They noted that they were able to work with EQU8 programmers without waiting on a ticket system. Regarding the effectiveness of EQU8, they say it decreased cheating significantly. I was given some figures that I cannot share but it was a dramatic improvement, and their situation was difficult to start with by having a multiplayer FPS game made in Unity (this exposes the game further for a variety of technical reasons that I won’t get into).

Feedback from the TABG Community

We reached out to the TABG community through their subreddit and a Discord server that we were directed to by a Reddit user who had concerns about EQU8. We conducted interviews of 9 players.

  • Some people expressed privacy concerns, but when we asked them to elaborate they pointed us to evidence provided by Sen7086 that I’ve addressed and cleared (see details in the next chapter).

  • Regarding the ability to detect cheaters, some users thought EQU8 improved the situation significantly and some users had nothing to say.

  • Some users were annoyed due to auto-kicks and auto-bans that they attributed to EQU8. Landfall told me that due to the quick growth of the game at one point (all-time peak of 29,000 concurrent players) they had to resort to some automation, where there was a system made by them that would first kick you, then kick you for increasingly longer periods until you would finally be banned. This was triggered in response to certain events detected by EQU8, but it is not part of the EQU8 solution.

  • Three users told us the game became slower on the update where EQU8 was introduced. I asked the Landfall programmer about this and he thinks this must be related to some tweaking that was made to the asset streaming settings which happened in the same patch. (E.g: the size of chunks of the areas that are preloaded in the background.)

  • Some users had broader philosophical objections to the way anticheats like EQU8 work which would apply to any other solution that is at least somewhat effective.

All in all, I didn’t find anything that is of concern after closer analysis, and it felt the feedback was about as good as you’d get with any other effective anti-cheat solution in a similar situation.

Sen7086’s incriminating log file

I also inquired about and analyzed Sen7086’s log file that shows the Totally Accurate Battlegrounds process reading a sniffer capture file that Sen had previously recorded which was located in his Documents folder. About a year ago he showed this log to Landfall and Int3 Software. Both Int3 and Landfall have told me that they looked at it. Unfortunately, they could not explain those file reads as EQU8 doesn’t read that kind of file (or personal files for that matter), leaving Sen unsatisfied and wary of the solution. There are more details below about what exactly EQU8 reads in another section.

Upon closer inspection of the log I’ve been able to clear EQU8 of any concerns to my satisfaction. It turns out that there was another application in the log that was shown to be also reading the same personal files. This application is Process Monitor which is provided by Microsoft. Sen had this application turned on but this application cannot open that kind of file and he certainly wasn’t trying to open them with that application either (as I’ve confirmed with him). This application (Process Monitor) also doesn’t do that kind of file read as part of its normal operation. As it’s unlikely that both Microsoft and Int3 Software are trying to maliciously read Sen’s file, what this indicates is that at that point in time there was process spoofing in effect in that system; i.e: a malicious process was reading Sen’s personal files while spoofing the process IDs of other running applications to camouflage the activity, probably a virus or other form of malware. The files would presumably have been targeted simply because they were in the "Documents" folder which is an obvious location of interest. This is an article that explains PID spoofing: https://www.countercept.com/blog/detecting-parent-pid-spoofing/.

Unnamed French Studio

Through Int3 Software we also reached out to a larger studio which needs to remain unnamed, that unlike us, had the developer time to test EQU8 against another system side-by-side. These are the key points that they raised:

  • They liked the flexibility and transparency of the platform vs the blackbox approach of the other solution, i.e: the ability to customize which events to watch for and to know why a player was flagged.
  • Performance-wise it “matches the performance of the competition”.
  • They found the EQU8 staff very attentive with extremely fast response times.

What EQU8 reads and transmits

I reached out to Int3 Software to ask them about what EQU8 accesses and they gave me the following list which I quote verbatim:

EQU8 starts and exits with the game (no dormant components). EQU8 monitors the system while in-game and looks for suspicious activity from:

  • Integrity of game environment (e.g. memory alterations)

  • Integrity of game related files (specified by the Studio)

  • Running software

  • Specific events that target the game (e.g. dll is injected into the game, debugger attached)

If EQU8 finds a suspicious process/component the report may include information like: reason (e.g. "injected into game"), filepath (anonymized, for example: "C:\Users\MY_NAME\aimbot.dll" is replaced by "5\aimbot.dll"), hash, file certificate, OS version, system architecture, hardware signature. Furthermore, as the game account identifier is anonymized (from EQU8's perspective), only the Studio knows the actual account to which a specific event belongs.

As an aside to the privacy discussion, one reason I’m very relaxed about any privacy concerns is that this is a company in the EU. Companies in the EU are subject to fines of up to 4% of annual global turnover or 20 million EUR, whichever is greater, if personal information is mishandled. I am fairly confident that Int3 are not daft enough to engage in any shady practice in this regard. Not to say that privacy violations disappeared in the EU in the wake of data protection legislation, but this is just a normal tech startup that is mindful of their reputation and it’s apparent from my interactions that privacy is one of their main areas of focus.

Their solution is also less blackboxy than other solutions and as the game programmer I see what’s going on fairly transparently, which is another reason why I’m not concerned in this regard.

Conclusion

We are satisfied that Int3 Software are a very privacy-minded company. If any issue comes up with EQU8 after release, we will just change to another solution, so it’s not like we are making a big commitment, these solutions are easy to integrate and the pricing model is usually on a monthly basis making it possible to switch at any point during the lifecycle of the game. I hope this satisfies the concerns of the community. (Sorry that this update took some time, besides being a bit busy at the moment, it took some time to contact all the parties involved and then we had to contact them again to show them this post to make sure we are not misrepresenting anything.)

PS

Corrections are welcome if we’ve misrepresented any technical fact and we’ll update the post with said corrections should it be necessary. We’ve tried to check every fact to the extent of our abilities and resources, but we definitely would have preferred to have more time to get to the bottom of some things, like for example when expounding on the shortcomings of different products. Our conclusions are based on a mix of general technical knowledge, user reports, objective testing, vendor-provided information, and simple common sense, and as such we may have gotten some details wrong, but we are confident in our general conclusions. Since we have made some claims about different products we will be updating this post for several years should anything change (for example if some vendor addresses one of the issues mentioned here) so that we don’t leave any misinformation or outdated information on the public record that could negatively affect any of these companies.
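The log check described in the section on Sen7086's log file, as an added example that is not part of the original post: it groups file reads under a watched folder by path and lists every process image the log attributes them to, which is how a second, unexpected reader of the same personal file shows up. The column names assume Process Monitor's default CSV export, and the process names, PIDs and paths in the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; column layout assumed to be Procmon's default CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","game.exe","4120","ReadFile","C:\Games\Game\data\level1.pak","SUCCESS","Offset: 0, Length: 4096"
"10:01:03.4","game.exe","4120","ReadFile","C:\Users\user\Documents\capture.pcapng","SUCCESS","Offset: 0, Length: 65536"
"10:01:03.5","Procmon64.exe","2288","ReadFile","C:\Users\user\Documents\capture.pcapng","SUCCESS","Offset: 65536, Length: 65536"
"10:01:04.0","explorer.exe","1500","CreateFile","C:\Users\user\Documents\notes.txt","SUCCESS","Desired Access: Read Attributes"
"10:01:05.2","game.exe","4120","ReadFile","C:\USERS\user\documents\capture.pcapng","SUCCESS","Offset: 131072, Length: 65536"
'''


def readers_by_path(csv_text, watched_dir, operations=("ReadFile",)):
    """Map each file under watched_dir to the (process name, PID) pairs that read it."""
    # Windows paths are case-insensitive, so compare in lower case.
    prefix = watched_dir.rstrip("\\").lower() + "\\"
    readers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        if row["Operation"] in operations and path.startswith(prefix):
            readers[path].add((row["Process Name"], int(row["PID"])))
    return dict(readers)


def shared_reads(csv_text, watched_dir):
    """Return files the log shows being read by more than one distinct process image."""
    shared = {}
    for path, procs in readers_by_path(csv_text, watched_dir).items():
        names = sorted({name.lower() for name, _ in procs})
        if len(names) > 1:
            shared[path] = names
    return shared


if __name__ == "__main__":
    for path, names in shared_reads(SAMPLE_CSV, r"C:\Users\user\Documents").items():
        print(path, "<-", ", ".join(names))
```

The output only reports what the log attributes to each process; deciding whether that attribution can be trusted is a separate step.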
