Anti-Cheat Information

Counter-Strike Anti-Cheats:

Anti-cheats are programs designed to detect cheats and deal with cheaters. Anti-cheats come in two main forms, anti-cheat clients and server-side only anti-cheats. Anti-cheat clients usually have a server-side component which they authenticate with to enforce purity of the client. One downside to anti-cheat clients is that they have to be kept up to date by the player, which is tedious and can lead to players avoiding the servers which use the anti-cheat rather than dealing with the inconvenience of downloading it. A server-side only anti-cheat does not require any additional programs or actions from the players to play on the server, as only the server admin has to take care of the anti-cheat mechanism. However, server-side only anti-cheats are usually less effective (producing more false negatives than client side anti-cheats).


Punkbuster: The original client-side anti-cheat
Punkbuster was the first attempt at a client-side cheat prevention. It appeared in mid-2000 and was able to detect some protohacks of the time, but found little use as most players did not want to put up with running yet another program in the background while playing
online, and was rendered nearly useless by OGC’s fast development cycle.

Representatives from Punkbuster then asked for financial and development support from Valve to improve and/or integrate Punkbuster, as it is in Quake 3 and other games, but were turned down. Thus the involvement of Punkbuster with Counter-Strike was over.
It authenticated to the server’s Punkbuster plugin.

OGC particularly impressed by its circumvention of Punkbuster’s screenshot function: when the server admin requested a screenshot of the Punkbuster client, an alarm sound would ring, and for the instant the screenshot was taken, all traces of the cheat’s presence were removed. This function of Punkbuster however had some limited success against cheaters who used bugs (Or features, depending on the point of view) in their drivers to utilize as an effective wallhack.


CSGuard: Server-side file and variable checking
CSGuard was later renamed to HLGuard, as it was redesigned to protect other Half-Life mods, not just Counter-Strike.

Favored by many server admins, because it would not require any special programs running on the client’s computer, a requirement that usually reduced the number of players on a server.

An interpreter for its own script language that utilized a facility of the Half-Life protocol: the ability of the server to execute console commands on the client. It would simply check for existence of certain variable names and files, that were exactly defined in the plugin’s config file. Because of the extendable script, cheats with known filenames and variables could quickly be added without requiring the server to restart.

This approach is completely ineffective against modern multihacks, which usually store no information in (predictable) cvars, nor have their files within the Half-Life directory structure. CSGuard always has, and always will be, completely ineffective against private hacks.

Still it is in widespread use on many servers today, as it has few drawbacks and can detect many older cheats quite reliably


VAC: Valve’s Anti Cheat
Essentially a client side anti-cheat mechanism that is integrated in the Half-Life engine and automatically kept up to date, it combines the ease of use of server-side anti-cheats with the detection rate of a client-side anti-cheat.

A few months after introduction of VAC, Valve began banning detected cheaters from all servers that are secured with VAC. To today, this is arguably the most effective way to keep public servers safe - While a cheat may not be detected immediately, a cheater is likely going to use a different cheat now and then, at last with a new version of Counter-Strike—a positive hit of VAC will remove the cheater’s ability to play on secure servers for a long time however.

The number of valid CD keys, which are required to play on both WON and Steam, is limited and not computable. Because of the availability of huge lists of valid CD keys, there have been rumors about hacking incidents where CD keys were extracted from WON, but it is much more likely that the majority of such freely available CD keys originate from cheat software which transmits the CD key to the author. Valve also invalidate CD keys which they find through the various channels on the internet, so the new lists stopped being made available. It can be safely assumed that at least some cheat authors have a near unlimited supply of valid CD keys.

Valve has also been accused, especially by the cheater community, that they were only banning CD keys to force players to buy a new copy of Counter-Strike or Half-Life.
While still mostly based around detection of known cheats, and thus mostly ineffective against private hacks VAC has managed to allow a mostly cheat-free game on most secured public servers, unlike C-D servers - where the detection / prevention rate of cheats may be much higher, but all cheaters are forced to play on after they were banned from VAC-secured servers, and they can simply try again if one cheat is detected/prevented.


HackCam
There is a lot of hope being placed in a program called HackCam which does not use standard methods of cheat detection, but uses advanced heuristic’s to detect the actions of cheating players and score them accordingly. Thus far the methodology appears sound, but the program is yet to be widely released, and there is a fair bit of concern about CPU/Server overhead when running the Hack Cam software as a server side add-on. Additionally, the algorithm can not only produce false negatives but also false positives.

Unfortunately lawyers have got involved with HackCam’s development and the one and only main developer has been shipped overseas as well. These turn of events, seemed to have caused the release of HackCam to be completely stalled, with no ETA as to when, if ever, it will be released.


Cheating-Death: Prevention instead of detection
Cheating-Death is praised for its ability to prevent whole classes of cheats, rather than detect single instances of such a class. It tries not to punish a cheater but instead either prevents his connection to a C-D secured server for as long as a detected cheat is active, or tries to render cheats useless.

It attempts to render cheats useless by wedging itself between the mod and the engine, and giving the mod (where presumably a cheat hooks) false information about positions to confuse aimbots. In case of wallhacks, it draws players behind walls in the wrong position (usually several hundred meters above their actual position).

Not banning anyone permanently, and not allowing the server admins to know why a certain player disconnected, hampers the effectivity of C-D as a means to keep a server 'pure'. A cheater may simply test through various cheats until he finds one, or once 'caught', wait for an update from the cheat’s author

While trying to disable whole classes of cheats rather than detecting single instances, there were repeatedly cheats C-D proof despite using exactly a mechanism C-D was supposed to prevent. Cheat authors seem to be able to create single instances which appear to be able to circumvent C-D with relative ease, thus the true effectivity of C-D is highly disputed. There are presumably hundreds of different, private cheats which all are able to circumvent C-D. And if someone is caught, there is no punishment - one can go and simply find a new, C-D proof cheat.

Still, it remains the premier option of anti-cheat means for server admins which prefer not use VAC to secure their server for one reason or another, for example NOWON servers. But because of the listed problems, and because cheaters detected by VAC are forced to play on C-D or insecure servers, the cheater rate of many public C-D servers is estimated as high as 40% (2004)


ScreenShotClient: Players catching cheaters
ScreenShotClient (SSC) uses a different approach to most other anti-cheat programs.
By taking periodic screenshots of a client's game screen, other players may be able to detect cheats by observing suspicious material.

When you connect a server, the server tries to SSC authenticate you (by taking a screenshot). If you pass, the client begins taking screenshots and uploading them to a webserver at specific intervals (usually 5 minutes).

The client submits the screenshots to a server, where they are publicly available to anyone interested (depending on connection and the size of the image) within 5 seconds to 1 minute.

SSC proof hacks exist, but are mainly private. As the interval of screenshots can be varied, a SSC-proof hack would either need to warn a cheating player when a screenshot is about to be taken, or be server-specific.

SSC does have bugs. For example, the server might kick you for not being SSC authenticated, even though you have SSC enabled.

SSC is effective at detecting wallhacks and ESPs, but is relatively ineffective at detecting hacks that cannot be seen in screenshots, like aimbots and speedhacks.

SSC is usually not compatible with other anti-cheat programs such as Valve Anti-Cheat.

SSC is mostly used in finnish servers using Admins.fi, the UnitedAdmins's finnish part, as they have an IRC channel where you can report proof (CS recorded demos and SSC shots) of cheating, and they will be added to an universal banlist, where they will be banned on all servers attached to Admins.fi. The reason for that is, because anyone can give a shot up (not only admins) every shot including a cheater will be reported in some time, so all cheaters using hacks on Admins.fi SSC-using servers will be banned.

SSC is also used a lot in clan matches and other banlist-based things that need proof.


Cheating detection
Cheating detection describes detection of the actual cheating, rather than the detection of the hacks. Theoretically in Counter-Strike, hacking approaches being undetectable, but any experienced player himself can manually detect the cheating in effect to a high probability. Cheating detection thus means the automated search and identification for the effects of cheating.

The first working effect detection was present in CSGuard, which allowed the server to continuously track the movements of the player’s crosshair and tried to detect suspicious, repeated sudden lock-on headshots.

CSGuard’s aimbot detection was miserable, as the alarm rate was almost the same with a well trained player and a player using an aimbot set up for stealth. It was hardly ever used, and the function has supposedly been removed from HLGuard, CSGuard’s successor.

HackCam, which is rumored to become a supplemental anti-cheat mechanism to VAC2, Valve’s anti-cheat for the source engine, uses a wide range of elaborate detection methods to discover both ESP and aimbots, and awards points for suspicious actions.
One disadvantage of such elaborate cheating detection is the greatly increased resource consumption on the server, as the software continuously analyzes all behaviors that a player exhibits for suspicious actions.

The other problem is the realistic possibility of false positives and false negatives, and the relative arbitrariness of what may be considered a cheat-indicating behavior or just luck. The creators of hackcam claim that all CAL-I players remained below a 70 points mark, where as more than 65 points would mean 'suspicious' and more than 85 points would indicate a very high probability of cheating. However it is questionable if that is means the method is not producing false positives, or if it produces false negatives on the CAL-I players.


Information largely thanks to Wikipedia.
CategoryCSAC