Configuration reference

anticheat.ini explained

Every shipped config value should be understandable to a studio before launch. This reference explains what each section controls, what is safe by default, and which settings need backend support.

Configurator coverage: the Configurator emits runtime settings, backend guidance, and documentation-only metadata in one anticheat.ini. Runtime-read sections are [Enforcement], [Logging], [Identity], [Telemetry], [TelemetryEvents], [TelemetryFields], [AccessCheck], [ValueGuard], and [SaveGameProtection]. [Profile], [BanEnforcement], [ProtectedValues], and [EventSchema] are emitted so studios know how to integrate the backend and game code; they are not trusted client-side security boundaries.

[Profile]

This section is Configurator metadata. It records which preset the config started from; every concrete behavior is still controlled by the sections below.

| Key | Typical value | Meaning |
| --- | --- | --- |
| preset | detection_only | Human-readable starting profile such as detection-only, balanced, or strict. The SDK runtime does not use it for enforcement. |

| Preset token | Generated by | Intent |
| --- | --- | --- |
| detection_only | Detection only | Shipped default: evidence collection, local logs, no local game termination, and ValueGuard off. |
| balanced | Balanced | Opt-in after first-run logs are clean: restore protected values, keep eject off, and correlate stronger signals. |
| strict | Strict | More aggressive local enforcement after false-positive testing. Still requires license entitlements and eject = 1. |

[Enforcement]

| Key | Default | Meaning |
| --- | --- | --- |
| restore | 0 | Allows ValueGuard to restore a protected value after an out-of-band write. Default is off so first integrations are report-only. |
| eject | 0 | Global switch for local termination. Keep off until logs are clean. |
| eject_on_reader | 0 | Separate aggressive reader-only override. When enabled and licensed, unsigned read-only external reader handles can close the protected game even if eject = 0. |
| handle_response | corroborated | External handle policy: corroborated, terminate_write, or terminate_reader. With eject = 0, this remains evidence-only. |
| module_response | report | Injected DLL / known signature policy. Supports report, corroborated, terminate_high, terminate_unsigned. |
| memory_response | report | Manual-mapped PE and memory-integrity evidence policy. |
| hook_response | report | IAT, inline, and ntdll hook evidence policy. |
| debugger_response | report | Debugger evidence policy. |
| selfprotect_response | report | SDK self-protection and watchdog evidence policy. |
| behavior_response | report | Policy for optional game-supplied shot reports. The SDK does not read aim input by itself; if the game never calls AC_ReportAim or an engine wrapper report-shot node, this category has no events. |
| scan_interval_ms | 1000 | Background sensor cadence. Lower is faster, higher is quieter. |

Rule: terminate-style response settings need eject = 1 and the license must include the matching entitlement. The exception is eject_on_reader = 1, which is a separate reader-only override and needs the reader enforcement entitlement.

[Logging]

| Key | Default | Meaning |
| --- | --- | --- |
| enabled | 1 | Writes local anticheat.log. Useful for integration and support. Production evidence should still go through studio telemetry if enabled. |

[Identity]

| Key | Default | Meaning |
| --- | --- | --- |
| game_id | empty | Non-secret game identifier. Can also be set at runtime. |
| environment | production | Environment label, such as production or staging. |
| provider | steam | Identity/platform provider label. |
| require_verified_identity | 1 | Documents that production telemetry/access should be bound to verified identity. |
| player_id_source | sdk_runtime | Expected source for player ID. |
| session_id_source | sdk_runtime | Expected source for session ID. |
| platform_user_id_source | steam_auth | Expected source for platform identity. |
| game_build_source | sdk_runtime | Expected source for build/version context. |

[Telemetry]

| Key | Default | Meaning |
| --- | --- | --- |
| enabled | 0 | Posts detection events to a studio endpoint. |
| endpoint | empty | Studio-owned HTTPS URL. Treat it as public. |
| min_severity | low | Minimum event severity to send. |
| batch_interval_ms | 5000 | Forward-compatible batching policy value. |
| timeout_ms | 2500 | HTTP timeout. |
| auth_header | Authorization | Header used for telemetry and access-check auth. |
| token_source | runtime_session_token | Generated/configurator default. Recommended mode: game passes a short-lived backend-issued token at runtime. If omitted entirely, the runtime keeps config_fallback compatibility behavior. |
| auth_token | empty | Public fallback for config_fallback only. Never a server secret. |

The exact POST bodies are documented in Telemetry event payload and Access-check payload. Use those schemas when building a studio backend parser.

[TelemetryEvents] and [TelemetryFields]

[TelemetryEvents] turns event categories on or off. [TelemetryFields] controls which context fields are included. Keep privacy-sensitive fields off unless the studio has a clear reason.

| Event key | Default | Meaning |
| --- | --- | --- |
| injection | 1 | Injected module and unexpected DLL evidence. |
| hook_detection | 1 | IAT, inline, and ntdll hook events. |
| handle_checks | 1 | External process handle events. |
| debugger | 1 | Debugger, test-signing, and related environment evidence. |
| boot_state | 1 | Secure Boot / test mode style status events where available. |
| memory_integrity | 1 | Manual mapping and memory tamper evidence. |
| sdk_integrity | 1 | Self-protection and SDK integrity evidence. |
| protected_value | 0 | ValueGuard mismatch, restore, and protected-value events. Off until ValueGuard is integrated. |
| access_check | 1 | Startup/recheck access decision events. |
| aim_behavior | 1 | Optional game-supplied shot reports that can become AimSnap, Triggerbot, or Wallhack evidence. |
| savegame_integrity | 1 | Failed protected-save verification from AC_VerifySaveBuffer or AC_VerifySaveFile. |

Shot reports are only produced by AC_ReportAim or an engine wrapper report-shot call, and still respect telemetry enablement plus min_severity. Local close/eject events use the telemetry category enforcement. That category is part of the JSON schema, but it is not a separate [TelemetryEvents] checkbox.

| Field key | Default | Meaning |
| --- | --- | --- |
| player_id | 1 | Studio account/player ID. |
| session_id | 1 | Game, login, or match session ID. |
| platform_user_id | 1 | Platform user identifier, such as Steam ID when the studio provides it. |
| game_build | 1 | Game build/version context. |
| sdk_version | 1 | Korvayne runtime version. |
| module_sha256 | 1 | Reserved for module evidence. Current runtime telemetry does not emit this as a top-level JSON field. |
| module_signer | 1 | Reserved for signer evidence. Current runtime telemetry does not emit this as a top-level JSON field. |
| action_taken | 1 | Whether the SDK reported, restored, blocked, or terminated. Current detection telemetry sends reported. |
| server_observed_ip | 1 | Sends a boolean marker; the backend should use the request IP it observes, not a client-supplied IP value. |
| client_sends_ip | 0 | Reserved client-supplied IP mode. Current runtime telemetry sends false. |
| hardware_id | 0 | Reserved for higher-friction identity models. Current runtime telemetry does not emit it. |
| process_names | 0 | Controls message redaction for handle events. Current payload does not emit a raw process list. |
| process_name_mode | redacted | Reserved representation mode for process-name evidence. |
| redact_paths | 1 | Redacts full local paths before telemetry/log output where supported. |

[AccessCheck]

| Key | Default | Meaning |
| --- | --- | --- |
| enabled | 0 | Enables client startup/recheck requests when the endpoint is valid and mode is not server_guidance_only. |
| provider | studio_backend | Backend authority label. |
| endpoint | empty | Access-check URL. |
| mode | startup_and_recheck | startup_only, startup_and_recheck, or server_guidance_only. server_guidance_only documents server-side enforcement and sends no client access-check request. |
| timeout_ms | 2500 | HTTP timeout. |
| recheck_interval_sec | 300 | Recurring check interval. |
| fail_mode | block | Endpoint outage behavior: block fails closed and can lock out players during outages; allow/offline_grace fail open. |
| on_banned | block_start | Startup deny action. block_start / terminate closes the protected game in drop-in mode; show_message_only only logs/emits unless wrapper/game UI handles it. |
| on_session_ban | disconnect | Recheck deny action. disconnect, show_message_only, and none are wrapper/game-code UX instructions; only terminate closes the protected game locally during recheck. |
| appeal_url | empty | Optional support/appeal URL shown by the game wrapper. |

AccessCheck uses the same auth_header and token_source/auth_token settings as telemetry. The request body includes client_side_only = true because the SDK is an early-rejection UX layer; trusted ban enforcement belongs on the studio/game backend.
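A pre-launch lint for the [Enforcement] rule and the [Telemetry] and [AccessCheck] notes above, as an added example that is not part of the Korvayne SDK or Configurator. The function name, finding codes, and sample endpoint are constructed, and treating any value that starts with `terminate` as "terminate-style" is an assumption; license entitlements are not in the file and cannot be checked here.

```python
import configparser

# Constructed sample config using keys documented on this page.
SAMPLE_INI = """
[Enforcement]
eject = 0
eject_on_reader = 1
handle_response = terminate_write
[Telemetry]
enabled = 1
endpoint = http://telemetry.example.invalid/events
token_source = runtime_session_token
auth_token = constructed-token
[AccessCheck]
enabled = 1
mode = startup_and_recheck
fail_mode = block
"""

def lint_anticheat_ini(text):
    """Return (code, message) findings for settings that contradict the reference."""
    cfg = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cfg.read_string(text)
    def get(section, key, default):
        return cfg.get(section, key, fallback=default).strip()
    findings = []
    eject = get("Enforcement", "eject", "0") == "1"
    responses = cfg.items("Enforcement") if cfg.has_section("Enforcement") else []
    for key, value in responses:
        # Assumption: a "terminate-style" value is one that starts with "terminate".
        if key.endswith("_response") and value.startswith("terminate") and not eject:
            findings.append(("INERT_TERMINATE", f"{key} = {value} is evidence-only while eject = 0"))
    if get("Enforcement", "eject_on_reader", "0") == "1" and not eject:
        findings.append(("READER_OVERRIDE", "eject_on_reader = 1 can close the game although eject = 0"))
    if get("Telemetry", "enabled", "0") == "1":
        if not get("Telemetry", "endpoint", "").lower().startswith("https://"):
            findings.append(("TELEMETRY_NOT_HTTPS", "telemetry endpoint must be a studio-owned HTTPS URL"))
    # An omitted token_source means config_fallback, per the [Telemetry] table.
    if get("Telemetry", "auth_token", "") and get("Telemetry", "token_source", "config_fallback") != "config_fallback":
        findings.append(("STRAY_AUTH_TOKEN", "auth_token is a public fallback for config_fallback only"))
    access_on = get("AccessCheck", "enabled", "0") == "1"
    if access_on and get("AccessCheck", "mode", "startup_and_recheck") != "server_guidance_only":
        if get("AccessCheck", "fail_mode", "block") == "block":
            findings.append(("FAIL_CLOSED", "fail_mode = block can lock out players during endpoint outages"))
    return findings
```

FAIL_CLOSED and READER_OVERRIDE are review prompts, not errors: both are valid settings whose effect a studio should confirm before launch.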

[BanEnforcement]

This section is guidance for the studio, not a magic client-side ban system. Reliable enforcement belongs on the trusted game or studio server.

| Key | Meaning |
| --- | --- |
| server_side_required | Documents that backend enforcement is required. |
| template | Suggested platform/backend model. |
| client_enforcement | Client can perform access-check UX only. |
| verify_identity_server_side | Identity must be verified server-side. |
| platform_ban_requests_from_client, steam_game_bans_from_backend | Document that platform ban actions should come from trusted backend processes, not the game client. |

[ValueGuard]

| Key | Default | Meaning |
| --- | --- | --- |
| enabled | 0 | Allows protected value checks when the game registers values. Default is off until integration work is done. |
| default_action | report | Default local response: report, restore, or terminate. |
| report_min_severity | medium | Severity for protected value events. |
| max_tracked_values | 128 | Default integration limit. |
| sdk_api_required | 1 | Values must be registered at runtime. |
| api_style | typed_helpers | Use typed helpers for u32, i32, and float. |
| supported_types | u32,i32,float | Current supported guarded value types. |
| legit_write_model | write_through_setter | Preferred model for legitimate gameplay writes. |
| direct_write_fallback | note_legit | Legacy fallback after direct writes. |
| telemetry_event | 0 | Emit protected value events when telemetry is enabled and the event category is enabled. |

[SaveGameProtection]

This section controls the cooperative save API. The game still owns serialization, file naming, backup behavior, and load UX.

| Key | Default | Meaning |
| --- | --- | --- |
| enabled | 1 | Allows AC_ProtectSaveBuffer/File and AC_VerifySaveBuffer/File to run. |
| mode | sign_and_obfuscate | Documentation value for the generated config. Current runtime signs the envelope and can obfuscate the payload. |
| obfuscate_payload | 1 | Stores protected payload bytes in a non-plain form. Integrity comes from signing, not obfuscation alone. |
| tamper_severity | high | Severity used when verification fails and telemetry is enabled. |
| max_save_bytes | 1048576 | Maximum plain save payload size accepted by the API. |
| on_tamper | reject_load | Guidance for the wrapper/game. The API returns an error; the game decides the player-facing recovery path. |
| context_binding | game_id,player_id,slot,schema | Recommended context fields to include in the string passed to protect and verify. |
| telemetry_event | 1 | Send savegame_integrity events when telemetry is enabled and verification fails. |

Use the same context string when saving and loading, for example player=studio-123;slot=campaign-1;schema=2. Treat failures as local save tamper/corruption evidence, not as standalone account-ban proof.
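An added illustration of why the context string and the signature both matter; it is not the SDK's envelope format or algorithm. HMAC-SHA256 and a XOR mask stand in for the runtime's signing and obfuscation, and every function name and the key are constructed for the example.

```python
import hashlib
import hmac

MAX_SAVE_BYTES = 1048576            # max_save_bytes default from the table above
DEMO_KEY = b"constructed-demo-key"  # constructed; key handling is not described on this page

def obfuscate(data: bytes) -> bytes:
    """Toy reversible XOR mask: hides plain text, provides no integrity."""
    return bytes(b ^ 0x5A for b in data)

def mac_tag(context: str, body: bytes, key: bytes) -> bytes:
    ctx = context.encode("utf-8")
    # Length-prefix the context so context and body bytes cannot shift into each other.
    return hmac.new(key, len(ctx).to_bytes(4, "big") + ctx + body, hashlib.sha256).digest()

def protect_save(payload: bytes, context: str, key: bytes = DEMO_KEY) -> bytes:
    if len(payload) > MAX_SAVE_BYTES:
        raise ValueError("payload exceeds max_save_bytes")
    body = obfuscate(payload)
    return mac_tag(context, body, key) + body

def verify_save(envelope: bytes, context: str, key: bytes = DEMO_KEY):
    """Return the plain payload, or None when the tag does not match (reject_load)."""
    tag, body = envelope[:32], envelope[32:]
    if len(tag) != 32 or not hmac.compare_digest(tag, mac_tag(context, body, key)):
        return None
    return obfuscate(body)

def demo():
    ctx = "player=studio-123;slot=campaign-1;schema=2"
    env = protect_save(b"gold=100", ctx)
    tampered = env[:-1] + bytes([env[-1] ^ 0x01])  # flip one bit in the stored body
    return {
        "same_context": verify_save(env, ctx),
        # A save copied into another slot fails because the context differs.
        "other_slot": verify_save(env, ctx.replace("campaign-1", "campaign-2")),
        "tampered": verify_save(tampered, ctx),
        # Without the tag check, the mask alone decodes the edit without complaint.
        "obfuscation_only": obfuscate(tampered[32:]),
    }
```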

[ProtectedValues]

This section is documentation only. The Configurator writes examples such as float:player.health or i32:weapon.ammo so a developer can plan which values to register. The runtime does not discover values from this section.

| Item | Meaning |
| --- | --- |
| Suggested examples | Human-readable tags for values the game should register with AC_GuardFloat, AC_GuardI32, or AC_GuardU32. |
| Recommended API comments | Reminder to use AC_SetGuarded* for legitimate writes and AC_NoteLegit* only as a fallback after legacy direct writes. |
| Avoid list | Position, velocity, or values changing every frame without a clear write path are poor ValueGuard targets. |

[EventSchema]

This section is Configurator guidance for backend developers. The runtime does not read it. Treat the linked JSON Schemas as the real parser contract.

| Schema | Use |
| --- | --- |
| telemetry-event.schema.json | Detection telemetry POST body. |
| access-check-request.schema.json | Client access-check POST body. |
| access-check-response.schema.json | Backend response body consumed by the SDK. |