Safe default
A good first launch config logs locally, restores guarded values when available, and avoids closing the game until you have clean baseline data.
[Enforcement]
restore = 0
eject = 0
eject_on_reader = 0
handle_response = corroborated
module_response = report
memory_response = report
hook_response = report
debugger_response = report
selfprotect_response = report
behavior_response = report
scan_interval_ms = 500
Presets
| Preset | Use when | Behavior |
|---|---|---|
Detection only | First integration, QA, or a studio that wants evidence before action. | Logs locally, disables eject, sets sensors to report-only, and keeps ValueGuard off. |
Balanced | After first-run logs are clean and the studio wants more friction. | Restores registered protected values, keeps local termination off, and uses corroborated handling for stronger tamper categories. |
Strict | After clean-machine testing with common overlays, capture tools, launchers, and title-specific QA tooling. | Enables eject, terminates on unsigned write/inject handles and high-confidence module/memory/hook/debug/self-protection evidence. Behavior reports remain report-only. |
Presets are only starting points. The Configurator writes every concrete key into anticheat.ini, and the studio can still edit individual settings after choosing a preset.
Core keys
| Key | Purpose |
|---|---|
restore | Allows ValueGuard to restore protected values after suspicious changes. |
eject | Global permission for the SDK to terminate the protected game session on configured high-confidence evidence. |
eject_on_reader | Separate aggressive reader-only override. When licensed, unsigned read-only external readers can close the protected game even if eject = 0. Highest false-positive risk. |
scan_interval_ms | Sensor cadence. Lower values react faster but cost more CPU. |
Important: terminate-style response keys need eject = 1. Without it, the SDK logs and reports but does not close the game. The exception is eject_on_reader = 1, which is a separate reader-only override and requires the matching license entitlement.
External handles
| Value | Behavior |
|---|---|
corroborated | Logs suspicious handles and only terminates when another hard signal appears nearby. |
terminate_write | With eject = 1, terminates on unsigned write/inject-class handles. |
terminate_reader | With eject = 1, also terminates on unsigned read-only readers. Use only after false-positive testing. |
Category responses
| Key | Common values | Use |
|---|---|---|
module_response | report, corroborated, terminate_high, terminate_unsigned | Injected DLL and known signature handling. |
memory_response | report, corroborated, terminate | Manual-mapped PE and memory-integrity evidence. |
hook_response | report, corroborated, terminate | IAT, inline, and ntdll hook evidence. |
debugger_response | report, terminate | Debugger state evidence. |
behavior_response | report, terminate | Optional aim-snap, triggerbot, and wallhack-style evidence from game-supplied shot reports. |
behavior_response does not create aim detection by itself. The game must call AC_ReportAim or an engine wrapper report-shot node after each local player shot. SaveGame tamper is different: AC_VerifySaveFile returns an error and the game should reject that load path instead of treating it as a global ban decision.
Testing policy
- Run normal gameplay with overlays, launchers, capture tools, and common player apps.
- Confirm Steam and Discord overlays do not create module detections.
- Run common launchers, overlays, capture tools, and title-specific QA tooling.
- Save a protected file, flip one byte, and confirm the game rejects the load cleanly.
- Raise one category at a time from report to corroborated or terminate.
- Keep a rollback config ready for public tests.
