Signed modules
The module sensor does not treat a valid Authenticode signature as a cheat by itself. Signed modules from common overlays, launchers, GPU tools, and capture software should not be blocked just because they load into the process.
Important: signed does not mean harmless. Other sensors can still report hooks, memory tamper, handles, known hashes, or behavior evidence.
Unsigned modules
A newly loaded unsigned module after the startup warm-up window is suspicious. In report mode it becomes evidence. With module_response = terminate_unsigned and eject = 1, it can close the protected game session.
[Enforcement]
eject = 1
module_response = terminate_unsigned
Known cheat hashes
Known-cheat signatures are SHA-256 deny-list entries delivered in a signed anticheat.sigs file. A matched hash raises high-confidence evidence even if the file is otherwise signed.
Korvayne Runtime should be self-service:
- Korvayne can ship a small generic signature feed for public, common, or obvious tools.
- Studios can add game-specific hashes when a cheat is circulating for their title.
- Per-game analysis, custom feeds, and review work belong in higher tiers.
v=1;epoch=1780000000
sha256=<64 hex characters>;label=example-cheat-module
The file is signed. If it is missing, old, or tampered with, built-in detection still works; a forged file cannot weaken protection.
Overlay testing
Before enabling strict module termination, test normal player environments:
- Steam overlay
- Discord overlay
- GPU driver overlays
- recording and streaming tools
- launchers used by the game's audience
The expected outcome is simple: signed overlays load without module enforcement, while unsigned unknown modules produce evidence and can be blocked when the policy asks for it.
