Corsair Community

ICUE and Link being detected via Anti Cheat


Matt-G


Hello

 

There is a new anti-cheat called Vanguard that Riot Games has created. It is a kernel-based anti-cheat that starts alongside Windows to detect cheats and system vulnerabilities like out-of-date drivers, software and exploits.

 

It appears that Corsair Link and iCUE are being detected because of the CPU-Z version they are running.

 

Corsair Link

 

I know Corsair Link is old, but I like the software.

 

Before Detection


 

Vanguard Detection Error


 

Link software after Vanguard (fans were running at 100%)


 

ICUE

 

I have installed iCUE to see if it would fix the issue, but nope, I just get another one with a different CPU-Z version.

 

 

Vanguard ICUE Detection


 

After Detection (This was full of motherboard, GPU and RAM stats but they vanished. Fans did not change, however, this time.)


Edited by Matt-G
Link to comment
Share on other sites


Battleye pops ICUE as well. It is many games that are having an issue with ICUE now. I just keep a shortcut close and relaunch it after the game loads.

 

That does not work. The new anti-cheat boots up before anything and looks for out-of-date software and drivers that have vulnerabilities. This is to prevent cheats at the kernel level of Windows.

 

But the thing is, iCUE is being hit hard because they are using a very old version of CPU-Z for monitoring temps, so when it gets detected it blocks all temps, and after a cold boot of Windows you also lose fan profiles and pump speed control.

Link to comment
Share on other sites

The reason iCUE (and NZXT CAM and some others) are getting hit is because they're using a cpuz driver from 2008 which has a vulnerability that allows escalation of privileges and information disclosure that was reported in October of 2017. Link for those interested.

 

This is definitely a fix that has to come from Corsair; iCUE should not be running a kernel driver from the last decade with vulnerabilities that have been known for 2 years.

 

It's also rather ironic that this anti-cheat, which has been criticized quite a bit lately (and in part, for good reason), is the one that actually points out that we have a security hole like this.

Edited by Pan32
Link to comment
Share on other sites


^ no other words needed.

Hopefully Corsair will fix this issue. MSI already did it...

 

Furthermore, your last sentence is just 100% true. All the people who were complaining, feel bad for them...

 

Edit: Latest version of CPU-Z also has an outdated driver. Try it out for yourself ;-)

Edited by jpdsc
Link to comment
Share on other sites


I have sent Riot Games & Corsair a Support Ticket with info and screenshots today.

 

It's just rather strange that iCUE is being flagged by anti-cheats.

Link to comment
Share on other sites


It's not iCUE, it's CPU-Z, which has an outdated driver. Vanguard blocks this driver due to its vulnerability.

It is actually CPU-Z who needs to fix the issue, but it could be that Corsair has its own fix for this by using something other than CPU-Z.

Link to comment
Share on other sites


It is Corsair that needs to update their software; they are using CPU-Z as a component of their software to monitor temps.

 

NZXT CAM is also having the same issue.

Link to comment
Share on other sites

Edit: Latest version of CPU-Z also has an outdated driver. Try it out for yourself ;-)

 

The issue was never fully corrected. From https://github.com/shareef12/cpuz:

 

As of version 1.81, the driver provided with CPU-Z has been patched to limit the set of callers that can open its device object and some IOCTL implementations have been removed. On requests to open the driver's device object, it will check to see if the current process has the SeLoadDriverPrivilege enabled. If this privilege is missing or disabled, the driver will reject the request with STATUS_ACCESS_DENIED. Note that when running as an Administrator, it is trivial to enable this privilege from usermode. Furthermore, the IOCTL to read control registers has been removed (although the physical memory read/write implementations remain). Without the ability to read the page table base from cr3, the exploitation method in this project is no longer feasible. Note that the CPU-Z driver provides numerous other IOCTLs that could be used for exploitation, such as reading from and writing to arbitrary model-specific registers.

 

Seems like the correct way forward is to just not rely on this specific driver.

Link to comment
Share on other sites

Thanks everyone for bringing attention to this issue. We are currently engaging with CPUID to resolve this issue since we utilize their SDK to detect system monitoring. I'll have an update once I know more information.

 

So when do you think a patch will be available? It's impossible to play games/work with heavy software if the system can't control the pumps/fans/temps.

 

This is a high priority thing.

Link to comment
Share on other sites

At the moment, as a workaround, I disabled the Corsair Service from services.msc and deleted the cpuz folder in the Windows temp folder; for monitoring I am using MSI Afterburner, so Vanguard is not giving me any issues until this is patched.
Link to comment
Share on other sites

Came to this conclusion that it was a bad version of cpuz on my own. Searched to find if anyone has acknowledged this yet

 

Following this, expecting some follow up from Corsair. This is...not a great look. Update your software's dependencies.

Link to comment
Share on other sites

I reached out via Twitter and this is what Corsair support said:

 

"We use the most current CPUz data. This will happen to all other software using CPUz data, not just ours.

 

The anti-cheat thinks it may be a cheat related file unfortunately, Vanguard will have to whitelist the file."

 

I don't believe that's the case, because iCUE uses cpuz149_x64.sys to monitor system temps and voltages, and that cpuz149 driver is vulnerable and exploitable, hence why Vanguard blocked it. Will Vanguard whitelist cpuz149? I would doubt it.

Link to comment
Share on other sites
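
An added example, not part of any post in this thread and not code from Corsair, CPUID or Riot: a PowerShell inventory of cpuz*.sys kernel drivers (the thread names cpuz149_x64.sys), reporting version, modification date, signer and hash for each one registered as a service or left on disk. The search roots (the user and system Temp folders) and the `*cpuz*` match are assumptions; the thread only mentions "the cpuz folder in windows temp folder".

```powershell
# Added example: inventory cpuz*.sys kernel drivers, registered or left on disk.
# The file-name pattern follows the thread (cpuz149_x64.sys); the search roots
# are assumptions, since the thread only says "windows temp folder".
$pattern = 'cpuz*.sys'
$roots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

# 1) Kernel drivers registered with the Service Control Manager.
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*cpuz*' } |
    ForEach-Object {
        [pscustomobject]@{
            Source = 'service'
            Name   = $_.Name
            State  = $_.State
            # PathName can carry the NT prefix \??\ ; strip it for file cmdlets.
            Path   = ($_.PathName -replace '^\\\?\?\\', '')
        }
    }

# 2) Driver files extracted to disk, whether or not they are loaded right now.
$onDisk = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Source = 'file'; Name = $_.Name; State = 'n/a'; Path = $_.FullName }
        }
}

# 3) Attach file metadata so old and current driver builds can be told apart.
@($registered) + @($onDisk) | Where-Object { $_ } | ForEach-Object {
    $exists = Test-Path -LiteralPath $_.Path
    $file   = if ($exists) { Get-Item -LiteralPath $_.Path }
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $_.Path }
    [pscustomobject]@{
        Source      = $_.Source
        Name        = $_.Name
        State       = $_.State
        Path        = $_.Path
        FileVersion = $file.VersionInfo.FileVersion
        Modified    = $file.LastWriteTime
        Signer      = $sig.SignerCertificate.Subject
        SigStatus   = $sig.Status
        SHA256      = if ($exists) { (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash }
    }
} | Format-List
```

Run it from an elevated prompt so the system Temp folder is readable; an empty result means no matching driver was found in the places searched, not that none exists elsewhere.
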


The version of CPU-Z that iCUE is currently using is version 1.49 (cpuz149); the code is from 2008 and has exploits and vulnerabilities, leaving a hole in the system.

 

Official CPU-Z is currently on version 1.92, last updated this week.

 

I don't think Riot Games will add anything to a whitelist, because Vanguard is a part of an online database that has known exploits and vulnerabilities that allow cheats through the code. So it is down to the vendors to patch their software or be left with complaints.

 

Corsair have also acknowledged they are looking into this issue.

https://forum.corsair.com/v3/showpost.php?p=1043834&postcount=12

 

NZXT have acknowledged the issues and are also working on a fix

 

This is also a good read on why new Anti Cheats are going to be using Ring 0

https://secret.club/2020/04/28/anticheat_blocking_overclocking_tools.html

Edited by Matt-G
Link to comment
Share on other sites

This is interesting to see what actions corsair takes since my whole system is corsair to the teeth. Vanguard actually is doing a good job so far, the health of my system is way more important.

 

"A solution for some of the companies would be to simply remove the unnecessary code like mapping physical memory, writing to model-specific registers, writing to control registers, and so on. Maintaining the read-only of thermal sensors and other component related data would be much less of an issue." - https://secret.club/2020/04/28/antic...ing_tools.html

Link to comment
Share on other sites

Waiting for a fix, because I don't want to risk anything... all my fan settings are based on core CPU T°C... and it doesn't work at all when Vanguard is installed.

 

Vanguard, or Corsair with CPUID, should find a solution quickly; it's not very nice to put lots of systems in bad situations!

Link to comment
Share on other sites


Why not change it to be based on your AIO temp (if you use Corsair) for example? That works for me...

Link to comment
Share on other sites

The version of CPU-Z that iCUE is currently using is version 1.49 (cpuz149); the code is from 2008 and has exploits and vulnerabilities, leaving a hole in the system.

 

Official CPU-Z is currently on version 1.92, last updated this week.

 

I don't think Riot Games will add anything to a whitelist, because Vanguard is a part of an online database that has known exploits and vulnerabilities that allow cheats through the code. So it is down to the vendors to patch their software or be left with complaints.

 

Corsair have also acknowledged they are looking into this issue.

https://forum.corsair.com/v3/showpost.php?p=1043834&postcount=12

 

NZXT have acknowledged the issues and are also working on a fix

 

This is also a good read on why new Anti Cheats are going to be using Ring 0

https://secret.club/2020/04/28/anticheat_blocking_overclocking_tools.html

 

The comment from NZXT is really funny. They are talking as if it is Vanguard's fault, while it clearly is not.

CPU-Z has a vulnerability which apparently cheat developers are taking advantage of; luckily for us, Vanguard caught this and blocked the program.

Link to comment
Share on other sites

The version of CPU-Z that iCUE is currently using is version 1.49 (cpuz149); the code is from 2008 and has exploits and vulnerabilities, leaving a hole in the system.

 

Official CPU-Z is currently on version 1.92, last updated this week.

 

I don't think Riot Games will add anything to a whitelist, because Vanguard is a part of an online database that has known exploits and vulnerabilities that allow cheats through the code. So it is down to the vendors to patch their software or be left with complaints.

 

Corsair have also acknowledged they are looking into this issue.

https://forum.corsair.com/v3/showpost.php?p=1043834&postcount=12

 

NZXT have acknowledged the issues and are also working on a fix

 

This is also a good read on why new Anti Cheats are going to be using Ring 0

https://secret.club/2020/04/28/anticheat_blocking_overclocking_tools.html

 

 

I downloaded the newest CPU-Z version and it comes packaged with the old vulnerable driver.

I know it is confusing, because the naming convention would imply that the overall version must be old...

but in this case it looks like the CPUID team never updated this vulnerable driver and just packaged it in even their newest release.

Link to comment
Share on other sites

I wanted to chime in here and say that I have same problem with iCue.

 

Contacted Riot, they gave me a few options on how to fix it and none worked. I will be contacting them with logs and asking if they can whitelist it. Otherwise we will have to wait for Corsair to fix it.

 

Also, related but unrelated... In same week when Vanguard, iCue and FACEIT AC were updated, that is when the problem started.

 

Vanguard does not like iCUE's CPU-Z currently, and FACEIT AC does not like Afterburner (newest version) for some unknown reason. FACEIT AC wouldn't even launch; after a few reboots, safe mode uninstalls and some tinkering, I got FACEIT AC to work, but Vanguard is impossible if you want your iCUE to work properly. My CPU was even cooking once (as I forgot to edit fan curves since they were based on CPU temp). Now I put my fan curves to be based on AIO temps, and the AIO is on extreme (just in case).

Link to comment
Share on other sites

