Matt-G, posted April 28, 2020 (edited April 28, 2020):

Hello

There is a new Anti Cheat called Vanguard that Riot Games has created. It is a Kernel Based Anti Cheat that starts alongside Windows to detect Cheat & System Vulnerabilities like out of date drivers, Software and Exploits. It appears that Corsair Link and ICUE are being detected because of the CPU-z Version they are running.

Corsair Link

I know Corsair Link is old but I like the software.

[Screenshot: Before Detection]
[Screenshot: Vanguard Detection Error]
[Screenshot: Link software after Vanguard (Fans were running at 100%)]

ICUE

I have installed ICUE to see if it would fix the issue but nope, I just get another one with a different CPU-z Version.

[Screenshot: Vanguard ICUE Detection]
[Screenshot: After Detection (This was full of Motherboard, GPU and RAM stats but they vanished. Fans did not change however this time.)]

KILLER_K, posted April 29, 2020:

Battleye pops ICUE as well. It is many games that are having an issue with ICUE now. I just keep a shortcut close and relaunch it after the game loads.

Matt-G (Author), posted April 29, 2020:

> Battleye pops ICUE as well. It is many games that are having an issue with ICUE now. I just keep a shortcut close and relaunch it after the game loads.

That does not work. The new Anti Cheat boots up before anything and looks for out of date Software and Drivers that have vulnerabilities. This is to prevent cheats on the Kernel Level of Windows. But the thing is ICUE is being hit hard because they are using a very old version of CPU-z for monitoring Temps, so when it gets detected it blocks all temps and after a cold boot of Windows you also lose Fan Profiles and Pump Speed control.

KILLER_K, posted April 29, 2020:

Battleye isn't that bad. It just resets some or all of your colors, maybe your headphone stand and your keyboard. But it largely depends on the game though. Hopefully, they will do something about it soon.

Pan32, posted April 29, 2020 (edited April 29, 2020):

The reason iCUE (and NZXT CAM and some others) are getting hit is because they're using a cpuz driver from 2008 which has a vulnerability that allows escalation of privileges and information disclosure that was reported in October of 2017. Link for those interested.

This is definitely a fix that has to come from Corsair, iCUE should not be running a Kernel Driver from the last decade with vulnerabilities that are known for 2 years.

It's also rather ironic that this anticheat, which has been criticized quite a bit lately (and in part, for good reason) is the one that actually points out that we have a security hole like this.

jpdsc, posted April 29, 2020 (edited April 29, 2020):

> The reason iCUE (and NZXT CAM and some others) are getting hit is because they're using a cpuz driver from 2008 which has a vulnerability that allows escalation of privileges and information disclosure that was reported in October of 2017. Link for those interested.
>
> This is definitely a fix that has to come from Corsair, iCUE should not be running a Kernel Driver from the last decade with vulnerabilities that are known for 2 years.
>
> It's also rather ironic that this anticheat, which has been criticized quite a bit lately (and in part, for good reason) is the one that actually points out that we have a security hole like this.

^ no other words needed. Hopefully Corsair will fix this issue. MSI already did it...

Furthermore, your last sentence is just 100% true. All the people who were complaining, feel bad for them...

Edit: Latest version of CPU-Z also has an outdated driver. Try it out for yourself ;-)

Matt-G (Author), posted April 29, 2020:

> ^ no other words needed. Hopefully Corsair will fix this issue. MSI already did it...
>
> Furthermore, your last sentence is just 100% true. All the people who were complaining, feel bad for them...

I have sent Riot Games & Corsair a Support Ticket with info and screenshots today. It's just rather strange that ICUE is being flagged by anti cheats.

diogo10, posted April 29, 2020:

Same problem here. Fix it otherwise we cannot continue to use your software/hardware.

jpdsc, posted April 29, 2020:

> I have sent Riot Games & Corsair a Support Ticket with info and screenshots today. It's just rather strange that ICUE is being flagged by anti cheats.

It's not iCUE, it's CPU-Z which has an outdated driver. Vanguard blocks this driver due to its vulnerability. It is actually CPU-Z who needs to fix the issue, but it could be Corsair has its own fix for this by using something else than CPU-Z.

Matt-G (Author), posted April 29, 2020:

> It's not iCUE, it's CPU-Z which has an outdated driver. Vanguard blocks this driver due to its vulnerability. It is actually CPU-Z who needs to fix the issue, but it could be Corsair has its own fix for this by using something else than CPU-Z.

It is Corsair that needs to update their software. They are using CPU-z as a component with their software to monitor temp. NZXT CAM is also having the same issue.

Pan32, posted April 29, 2020:

> Edit: Latest version of CPU-Z also has an outdated driver. Try it out for yourself ;-)

The issue was never fully corrected. From https://github.com/shareef12/cpuz:

> As of version 1.81, the driver provided with CPU-Z has been patched to limit the set of callers that can open its device object and some IOCTL implementations have been removed. On requests to open the driver's device object, it will check to see if the current process has the SeLoadDriverPrivilege enabled. If this privilege is missing or disabled, the driver will reject the request with STATUS_ACCESS_DENIED. Note that when running as an Administrator, it is trivial to enable this privilege from usermode. Furthermore, the IOCTL to read control registers has been removed (although the physical memory read/write implementations remain). Without the ability to read the page table base from cr3, the exploitation method in this project is no longer feasible. Note that the CPU-Z driver provides numerous other IOCTLs that could be used for exploitation, such as reading from and writing to arbitrary model-specific registers.

Seems like the correct way forward is to just not rely on this specific driver.

Corsair James (Corsair Employee), posted April 30, 2020:

Thanks everyone for bringing attention to this issue. We are currently engaging with CPUID to resolve this issue since we utilize their SDK to detect system monitoring. I'll have an update once I know more information.

diogo10, posted April 30, 2020:

> Thanks everyone for bringing attention to this issue. We are currently engaging with CPUID to resolve this issue since we utilize their SDK to detect system monitoring. I'll have an update once I know more information.

So when do you think a patch will be available? It's impossible to play games/work with heavy software if the system can't control the pumps/fans/temps. This is a high priority thing.

desertdude11, posted April 30, 2020:

I am also unable to see my CPU temps through iCUE. I too have Valorant/Vanguard installed. Big time bummer and I am sure that Corsair will figure it out. Posting here mainly so that I can follow this thread.

matteo, posted April 30, 2020:

At the moment, as a workaround, I disabled the Corsair Service from services.msc and deleted the cpuz folder in the Windows temp folder; for monitoring I am using MSI Afterburner, so Vanguard is not giving me any issues until this is patched.

ExitMusic_, posted April 30, 2020:

Came to this conclusion that it was a bad version of cpuz on my own. Searched to find if anyone has acknowledged this yet.

Following this, expecting some follow up from Corsair. This is...not a great look. Update your software's dependencies.

bsavagexx, posted April 30, 2020:

I reached out via Twitter and this is what Corsair support said: "We use the most current CPUz data. This will happen to all other software using CPUz data, not just ours. The anti-cheat thinks it may be a cheat related file unfortunately, Vanguard will have to whitelist the file."

I don't believe that's the case, because iCUE uses cpuz149_x64.sys to monitor system temps and voltages, and that cpuz149 driver is vulnerable and exploitable, hence why Vanguard blocked it. Will Vanguard whitelist cpuz149? I would doubt it.

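To check on your own machine which CPU-Z driver file is present, the following PowerShell is an added example (not part of any post in this thread, and not Corsair's, CPUID's or Riot's code). It lists CPU-Z driver files and any matching driver service with version, signer and hash; the search folders and the cpuz<NNN>[_x64].sys naming pattern are assumptions based on the file name and temp-folder location mentioned in the posts above.

```powershell
# Added example: inventory CPU-Z kernel driver files on a Windows host.
# Assumptions: the driver follows the cpuz<NNN>[_x64].sys naming seen in the
# thread (cpuz149_x64.sys) and may be unpacked under a temp folder.

function Get-CpuzDriverReport {
    param(
        # Folders to search (assumed locations, adjust for your system).
        [string[]]$SearchRoots = @(
            $env:TEMP,
            "$env:SystemRoot\Temp",
            "$env:SystemRoot\System32\drivers"
        )
    )

    # Registered kernel driver services whose image path names a cpuz driver.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'cpuz\d+(_x64)?\.sys' }

    # Driver files on disk, whether or not a service is registered for them.
    $files = foreach ($root in $SearchRoots) {
        if ($root -and (Test-Path -LiteralPath $root)) {
            Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'cpuz*.sys' `
                -ErrorAction SilentlyContinue
        }
    }

    foreach ($file in $files | Sort-Object FullName -Unique) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $svc = $services |
            Where-Object { $_.PathName -like "*$($file.Name)" } |
            Select-Object -First 1

        [pscustomobject]@{
            Path         = $file.FullName
            # cpuz149 -> "1.49", following the naming the thread describes.
            NameVersion  = if ($file.BaseName -match '^cpuz(\d)(\d+)') {
                               "$($Matches[1]).$($Matches[2])"
                           } else { $null }
            FileVersion  = $file.VersionInfo.FileVersion
            LastWrite    = $file.LastWriteTime
            Signer       = $sig.SignerCertificate.Subject
            SignatureOk  = ($sig.Status -eq 'Valid')
            SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            ServiceName  = $svc.Name
            ServiceState = $svc.State
        }
    }
}

Get-CpuzDriverReport | Format-List
```
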
Matt-G (Author), posted April 30, 2020 (edited May 1, 2020):

> I reached out via Twitter and this is what Corsair support said: "We use the most current CPUz data. This will happen to all other software using CPUz data, not just ours. The anti-cheat thinks it may be a cheat related file unfortunately, Vanguard will have to whitelist the file."
>
> I don't believe that's the case, because iCUE uses cpuz149_x64.sys to monitor system temps and voltages, and that cpuz149 driver is vulnerable and exploitable, hence why Vanguard blocked it. Will Vanguard whitelist cpuz149? I would doubt it.

The version of CPU-z that ICUE is currently using is Version 1.49 (cpuz149); the code is from 2008 and has exploits and vulnerabilities leaving a hole in the system. Official CPU-z is currently on Version 1.92, last updated this week.

I don't think Riot Games will add anything to a whitelist because Vanguard is a part of an online database that has known exploits and vulnerabilities that allow cheats through the code. So it is down to the Vendors to patch their software or be left with complaints.

Corsair have also acknowledged they are looking into this issue.
https://forum.corsair.com/v3/showpost.php?p=1043834&postcount=12

NZXT have acknowledged the issues and are also working on a fix.

This is also a good read on why new Anti Cheats are going to be using Ring 0:
https://secret.club/2020/04/28/anticheat_blocking_overclocking_tools.html

bsavagexx, posted May 1, 2020:

This is interesting to see what actions Corsair takes since my whole system is Corsair to the teeth. Vanguard actually is doing a good job so far, the health of my system is way more important.

"A solution for some of the companies would be to simply remove the unnecessary code like mapping physical memory, writing to model-specific registers, writing to control registers, and so on. Maintaining the read-only of thermal sensors and other component related data would be much less of an issue." - https://secret.club/2020/04/28/antic...ing_tools.html

Tourterelle, posted May 1, 2020:

Waiting for a fix, because I don't want to risk anything... all my fan settings are based on core CPU T°C... and it doesn't work at all when Vanguard is installed. Vanguard or Corsair with CPUID should find a solution quickly; it's not very nice to put lots of systems in bad situations!

jpdsc, posted May 1, 2020:

> Waiting for a fix, because I don't want to risk anything... all my fan settings are based on core CPU T°C... and it doesn't work at all when Vanguard is installed. Vanguard or Corsair with CPUID should find a solution quickly; it's not very nice to put lots of systems in bad situations!

Why not change it to be based on your AIO temp (if you use Corsair) for example? That works for me...

jpdsc, posted May 1, 2020:

> The version of CPU-z that ICUE is currently using is Version 1.49 (cpuz149); the code is from 2008 and has exploits and vulnerabilities leaving a hole in the system. Official CPU-z is currently on Version 1.92, last updated this week.
>
> I don't think Riot Games will add anything to a whitelist because Vanguard is a part of an online database that has known exploits and vulnerabilities that allow cheats through the code. So it is down to the Vendors to patch their software or be left with complaints.
>
> Corsair have also acknowledged they are looking into this issue.
> https://forum.corsair.com/v3/showpost.php?p=1043834&postcount=12
>
> NZXT have acknowledged the issues and are also working on a fix.
>
> This is also a good read on why new Anti Cheats are going to be using Ring 0:
> https://secret.club/2020/04/28/anticheat_blocking_overclocking_tools.html

The comment from NZXT is really funny. They are saying like it is Vanguard's fault while it is clearly not. CPU-Z has a vulnerability which apparently cheat developers are taking advantage of; luckily for us, Vanguard caught this and blocked the program.

diogo10, posted May 1, 2020:

> Why not change it to be based on your AIO temp (if you use Corsair) for example? That works for me...

Can you please elaborate on this? How can I do that?

Novloski, posted May 1, 2020:

> The version of CPU-z that ICUE is currently using is Version 1.49 (cpuz149); the code is from 2008 and has exploits and vulnerabilities leaving a hole in the system. Official CPU-z is currently on Version 1.92, last updated this week.
>
> I don't think Riot Games will add anything to a whitelist because Vanguard is a part of an online database that has known exploits and vulnerabilities that allow cheats through the code. So it is down to the Vendors to patch their software or be left with complaints.
>
> Corsair have also acknowledged they are looking into this issue.
> https://forum.corsair.com/v3/showpost.php?p=1043834&postcount=12
>
> NZXT have acknowledged the issues and are also working on a fix.
>
> This is also a good read on why new Anti Cheats are going to be using Ring 0:
> https://secret.club/2020/04/28/anticheat_blocking_overclocking_tools.html

I downloaded the newest CPUZ version and it comes packaged with the old vulnerable driver. I know it is confusing because the naming convention would imply that the overall version must be old... but in this case it looks like the cpuid team never updated this vulnerable driver and just packaged it in even their newest release.

Favebook, posted May 1, 2020:

I wanted to chime in here and say that I have the same problem with iCue. Contacted Riot, they gave me a few options on how to fix it and none worked. I will be contacting them with logs and asking if they can whitelist it. Otherwise we will have to wait for Corsair to fix it.

Also, related but unrelated... In the same week when Vanguard, iCue and FACEIT AC were updated, that is when the problem started. Vanguard does not like iCue's CPUz currently and FACEIT AC does not like Afterburner (newest version) for some unknown reason. FACEIT AC wouldn't even launch; after a few reboots, safe mode uninstalls and some tinkering, I got FACEIT AC to work, but Vanguard is impossible if you want your iCUE to work properly.

My CPU was even cooking once (as I forgot to edit fan curves since they were based on CPU temp). Now I put my fan curves to be based on AIO temps, and AIO is on extreme (just in case).