KorvayneGuides
Policy

Configuration and enforcement

Korvayne Runtime separates detection from local action. Start by logging evidence, then enable termination only for categories you have tested on normal player machines.

Safe default

A good first launch config logs locally, restores guarded values when available, and avoids closing the game until you have clean baseline data.

[Enforcement]
restore = 0
eject = 0
eject_on_reader = 0
handle_response = corroborated
module_response = report
memory_response = report
hook_response = report
debugger_response = report
selfprotect_response = report
behavior_response = report
scan_interval_ms = 500

Presets

PresetUse whenBehavior
Detection onlyFirst integration, QA, or a studio that wants evidence before action.Logs locally, disables eject, sets sensors to report-only, and keeps ValueGuard off.
BalancedAfter first-run logs are clean and the studio wants more friction.Restores registered protected values, keeps local termination off, and uses corroborated handling for stronger tamper categories.
StrictAfter clean-machine testing with common overlays, capture tools, launchers, and title-specific QA tooling.Enables eject, terminates on unsigned write/inject handles and high-confidence module/memory/hook/debug/self-protection evidence. Behavior reports remain report-only.

Presets are only starting points. The Configurator writes every concrete key into anticheat.ini, and the studio can still edit individual settings after choosing a preset.

Core keys

KeyPurpose
restoreAllows ValueGuard to restore protected values after suspicious changes.
ejectGlobal permission for the SDK to terminate the protected game session on configured high-confidence evidence.
eject_on_readerSeparate aggressive reader-only override. When licensed, unsigned read-only external readers can close the protected game even if eject = 0. Highest false-positive risk.
scan_interval_msSensor cadence. Lower values react faster but cost more CPU.

Important: terminate-style response keys need eject = 1. Without it, the SDK logs and reports but does not close the game. The exception is eject_on_reader = 1, which is a separate reader-only override and requires the matching license entitlement.

External handles

ValueBehavior
corroboratedLogs suspicious handles and only terminates when another hard signal appears nearby.
terminate_writeWith eject = 1, terminates on unsigned write/inject-class handles.
terminate_readerWith eject = 1, also terminates on unsigned read-only readers. Use only after false-positive testing.

Category responses

KeyCommon valuesUse
module_responsereport, corroborated, terminate_high, terminate_unsignedInjected DLL and known signature handling.
memory_responsereport, corroborated, terminateManual-mapped PE and memory-integrity evidence.
hook_responsereport, corroborated, terminateIAT, inline, and ntdll hook evidence.
debugger_responsereport, terminateDebugger state evidence.
behavior_responsereport, terminateOptional aim-snap, triggerbot, and wallhack-style evidence from game-supplied shot reports.

behavior_response does not create aim detection by itself. The game must call AC_ReportAim or an engine wrapper report-shot node after each local player shot. SaveGame tamper is different: AC_VerifySaveFile returns an error and the game should reject that load path instead of treating it as a global ban decision.

Testing policy

  1. Run normal gameplay with overlays, launchers, capture tools, and common player apps.
  2. Confirm Steam and Discord overlays do not create module detections.
  3. Run common launchers, overlays, capture tools, and title-specific QA tooling.
  4. Save a protected file, flip one byte, and confirm the game rejects the load cleanly.
  5. Raise one category at a time from report to corroborated or terminate.
  6. Keep a rollback config ready for public tests.