Why this matters
Most articles about Marvel Rivals anti-cheat are recycled marketing copy from Epic's EAC product page. That tells you nothing useful. This post is the version you'd write after spending six months reverse-engineering the actual stack, watching it boot ten thousand times in process traces, and capturing the live audit-log of what it does on session start.
If you're a Marvel Rivals player, you'll come out of this with a realistic mental model of what the game watches for and why bans happen the way they do. If you're running an overlay, you'll come out understanding why some categories of detection are unavoidable and others are pure engineering laziness on the cheat's side.
We assume you know what an anti-cheat is and roughly how a user-mode-vs-kernel-mode distinction works. Everything else we'll explain.
The two-layer architecture
Marvel Rivals ships with two distinct anti-cheat components, not one. They work together but have different scopes.
Layer 1: Easy Anti-Cheat (EAC). A user-mode service that lives in Program Files (x86)\EasyAntiCheat\. It runs as EasyAntiCheat.exe and EasyAntiCheat_EOSPiece.exe, attaches to Marvel-Win64-Shipping.exe on launch, and:
- Seals the game's process module list shortly after spawn.
- Maintains an integrity-check loop on the game's own .text section.
- Talks to Epic's anti-cheat backend over TLS, posting telemetry about what's loaded and what's behaving normally.
Layer 2: NEP (nProtect-derivative kernel driver). A kernel-mode component that loads alongside the game session via a service named NEP<random-8-char> (literally random, regenerated per session — NEPrsbtt9s, NEPa8x2qf, and so on). It:
- Runs at kernel ring 0 with full system visibility.
- Watches process creations system-wide for suspicious patterns.
- Maintains a driver-level integrity check on EAC itself.
- Caches detection events into a session log for upload at exit.
The split is intentional. EAC is the broad scanner — it knows the game, knows what loaded modules should look like, and catches the obvious stuff. NEP is the kernel sentinel — it watches the watcher, so if you try to disable EAC, NEP sees it and flags the session.
When EAC seals vs scans
A common misconception is that EAC scans continuously. It doesn't — that would be a massive perf hit. Instead, it does most of its work in two distinct phases, and understanding the phases is the single most useful piece of knowledge for thinking about safety.
Phase 1: Seal
Within the first ~3 seconds of the game spawning, EAC enumerates the game's loaded modules list and seals it — that is, it records a snapshot of every DLL inside Marvel-Win64-Shipping.exe and stores the snapshot as a reference.
From that point on, any new module that appears in the process is flagged. The list is no longer "what's loaded right now"; it's "what was loaded at seal time vs what's there now."
This is why every reputable overlay attaches before the seal. Either:
- The DLL is mapped into the game during its own startup, via a library the game itself loads as part of normal initialization (the "DLL hijack" approach — we use Engine\Binaries\ThirdParty\Ogg\Win64\VS2015\libogg_64.dll).
- The DLL is manually mapped into the game's address space with no entry in the module list at all (the "manual map" approach — higher engineering cost, smaller surface to detect).
Both approaches finish before the 3-second seal. Both are why we refuse to inject when the game is already running — attaching post-seal is the loudest possible behavior.
Phase 2: Scan
After seal, EAC enters its scan loop. Roughly every 30–60 seconds it does a rolling integrity check across the game's .text section, the module list, and a list of "interesting" runtime patterns it cares about.
The scan loop is the part that catches stale builds. Even if your DLL got past the seal, if it patches a function EAC integrity-checks later, the scan will catch it. The cheats that age badly are the ones that hook functions EAC didn't care about three months ago and does now.
We track which functions EAC integrity-checks and avoid hooking those. The list changes slowly but steadily; the rebuild pipeline incorporates the latest EAC behavior automatically.
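To make the seal-then-scan distinction concrete, here is an added toy model of it in Python, written for this post and not EAC's own code: seal() snapshots the module list plus a hash of each module's .text, and a later scan() reports both module-list deltas and code that changed after the seal. Module names, base addresses and byte contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    text: bytes  # bytes of the module's .text section (constructed sample data)


@dataclass
class SealedProcess:
    """Seal once, then diff: the reference is 'what was loaded at seal time'."""
    sealed: dict = field(default_factory=dict)  # name -> (base, sha256 of .text)

    def seal(self, modules):
        self.sealed = {m.name: (m.base, hashlib.sha256(m.text).hexdigest())
                       for m in modules}

    def scan(self, modules):
        """Return a list of (finding, module) tuples; empty means clean."""
        findings = []
        now = {m.name: m for m in modules}
        for name, m in now.items():
            if name not in self.sealed:           # module-list delta after seal
                findings.append(("new_module", name))
                continue
            base, digest = self.sealed[name]
            if m.base != base:
                findings.append(("rebased", name))
            if hashlib.sha256(m.text).hexdigest() != digest:  # .text integrity
                findings.append(("text_modified", name))
        for name in self.sealed:
            if name not in now:
                findings.append(("unloaded", name))
        return findings


def demo_session():
    """Constructed scenario: a module present at seal time is later patched,
    and a new module appears; the scan reports both."""
    game = Module("Marvel-Win64-Shipping.exe", 0x140000000, b"\x48\x89\x5c\x24\x08" * 64)
    ogg = Module("libogg_64.dll", 0x7FF800000000, b"\x40\x53\x48\x83\xec\x20" * 32)
    proc = SealedProcess()
    proc.seal([game, ogg])
    # Later: a 5-byte jmp has been written over the start of the game's .text
    patched_game = Module(game.name, game.base, b"\xe9\x00\x00\x00\x00" + game.text[5:])
    injected = Module("injected.dll", 0x7FF900000000, b"\xcc" * 16)
    return proc.scan([patched_game, ogg, injected])
```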
What the NEP driver does on session start
NEP is the more interesting (and harder to deal with) component because it operates system-wide and at kernel level. We've captured its boot sequence on tens of live sessions. What it does:
1. Process telemetry sweep
In the first ~250ms after the game spawns, NEP enumerates every running process on the system and records:
- Process name and full path.
- Parent process ID (to detect spawn lineage).
- Loaded modules per process (a quick rip of Process32First + Module32First data).
- Command-line tail (filtered for known cheat patterns).
This is why cleaner-cascades exist in cheat loaders. NEP looks at the live process list at start-of-session; if you have a tool with a known-bad command line (--inject-debug, --no-protection, KDU.exe, etc.) running when the game spawns, that's flagged immediately.
2. Session log file
NEP writes a session ID file to C:\ProgramData\<6-9 digits>. It's a 6-9 byte file with the same contents as the filename (4241010, 29884603, 8164107, and so on). These files accumulate forever — we've captured 85+ on a single test machine.
The file is not a HWID token (we used to think it was). It's a session marker NEP uses to:
- Correlate logs across sessions for the same install.
- Audit how many sessions have started on this machine without a ban result.
- Provide a tamper signal — if you delete the file mid-session, NEP notices.
Every reputable overlay leaves these files alone. The aggressive cleaners (the ones that nuke C:\ProgramData\*) actually create more signal, because they erase the marker NEP just wrote.
3. The "cleaner-style" surface NEP watches for
Here's the part that informed how we built our own session-prep flow. We captured the full process-creation audit from a live session with a popular competitor's cleaner running, and the cleaner alone fires 32 distinct cmd-line process spawns in a deterministic 7-second burst:
cmd.exe /c del /f /q /s "%LOCALAPPDATA%\Marvel\*.*" >nul 2>&1
cmd.exe /c rd /s /q "%LOCALAPPDATA%\Marvel" >nul 2>&1
cmd.exe /c del /f /q /s "%LOCALAPPDATA%\MarvelRivals_Launcher\*.*" >nul 2>&1
... (29 more lines)
Targets include Marvel\, MarvelRivals_Launcher\, Netease\, UniSDK*\, D3DSCache\, NgConsentManager\, CrashDumps\, UnrealEngine*\, appsflyer\ in %LOCALAPPDATA% and %APPDATA% plus Steam's MarvelRivals\Log+ccmini folders.
This is exactly the behavior NEP fingerprints. A spawn-storm of 32 cmd.exe processes within 7 seconds, all hitting Marvel-related paths, all silent? That's a textbook cleaner signature. We re-implement the same cleanup as in-process Win32 calls (MoveFileEx, SHFileOperationW, RegDeleteTreeW, EvtClearLog). Zero new processes. Zero new command lines for the audit log. The cleanup that matters happens — without the signal.
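As an added illustration of what a process-creation audit sees (example code written for this post, not NEP's logic), this Python sliding-window check flags a burst of cmd.exe spawns that touch the game-related paths listed above. The audit line format, the window and threshold values, and the events themselves are constructed.

```python
import re
from collections import deque
from datetime import datetime

# Folder names the cleaner targets (as listed in the post); match case-insensitively.
GAME_PATH_RE = re.compile(
    r"(Marvel|MarvelRivals_Launcher|Netease|UniSDK|D3DSCache|NgConsentManager"
    r"|CrashDumps|UnrealEngine|appsflyer)", re.IGNORECASE)


def parse_event(line):
    """Constructed audit format: '<ISO timestamp>|<image name>|<parent pid>|<command line>'."""
    ts, image, ppid, cmdline = line.split("|", 3)
    return datetime.fromisoformat(ts), image.lower(), int(ppid), cmdline


def detect_cleaner_burst(lines, window_s=7.0, threshold=10):
    """Sliding window over cmd.exe spawns whose command line hits a game path.
    Returns (flagged, peak_count): flagged is True if any window_s-second span
    holds at least `threshold` such spawns."""
    window = deque()
    peak = 0
    for line in lines:
        ts, image, _ppid, cmdline = parse_event(line)
        if image != "cmd.exe" or not GAME_PATH_RE.search(cmdline):
            continue  # benign process, or a shell doing something unrelated
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop spawns that fell out of the window
        peak = max(peak, len(window))
    return peak >= threshold, peak


def sample_audit():
    """Constructed audit: two benign events, then 12 silent cmd.exe spawns in ~4.4 s."""
    targets = ["Marvel", "MarvelRivals_Launcher", "Netease",
               "D3DSCache", "CrashDumps", "appsflyer"]
    lines = ["2026-01-10T20:00:00.000|explorer.exe|900|C:\\Windows\\explorer.exe",
             "2026-01-10T20:00:01.000|cmd.exe|900|cmd.exe /c dir C:\\ >nul"]
    for i in range(12):
        lines.append(f"2026-01-10T20:00:{2 + i * 0.4:06.3f}|cmd.exe|4120|"
                     f'cmd.exe /c rd /s /q "%LOCALAPPDATA%\\{targets[i % 6]}" >nul 2>&1')
    return lines
```

With the constructed sample, the two benign events alone produce no hits, while the burst peaks at 12 spawns inside one window and is flagged.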
Heuristic vs signature detection
EAC and NEP both run both kinds of detection. Understanding the difference is what separates "I got caught fast" from "I got caught slow."
Signature detection
The traditional kind: maintain a list of known-bad binary patterns (file hashes, import-table fingerprints, byte sequences in .text) and scan for them. Fast, cheap, and easily defeated by changing your binary.
Every time we ship a new build, the binary signature changes. The EAC signature scan for our payload starts from zero on each new build. Public overlays that haven't shipped in a month get caught by signature detection routinely — the EAC team has had three weeks to add the signature.
Heuristic detection
The behavior kind: build a model of what "normal" looks like and flag deviations. Slower, harder to defeat by changing your binary, and the reason the way you use an overlay matters more than the overlay itself.
Examples of heuristic flags EAC and NEP actually use:
- Aim-trace anomalies. Cross-hair tracking that snaps to head-shots with sub-frame precision is a heuristic flag. Even on a clean binary, if your aim looks like a robot, the heuristic system triggers.
- Module-list deltas after seal. We covered this above.
- Cleaner-burst patterns. Also above.
- Auth-server fingerprints. If your overlay's loader pings a KeyAuth endpoint with a known-public-cheat application name, the network signature is hardcoded into EAC's network classifier.
The heuristic side is why plausible-default settings are not just marketing copy — they are the actual safety mechanism. Smooth your aim. Use FOV bounds. Keep ESP info-only, not auto-fire-on-sight.
The role of session telemetry and accumulation
This is the part most players don't realize. Detection isn't binary on a single session. It's a probability that accumulates across sessions until a threshold is crossed and a ban fires.
EAC and NEP both upload telemetry on session exit. The telemetry includes:
- Was the seal clean?
- Did the scan loop find any anomalies?
- Did the heuristic system flag any unusual aim or input patterns?
- Were any known-bad processes running on the system?
- Did the binary integrity check come out clean at all sampled points?
A single flag isn't usually a ban. Two flags from independent detectors increase the per-session risk score. Three flags across two sessions is often enough.
The publisher ban-wave system then batches the bans for publication — they tend to come out in clusters of hundreds or thousands rather than individually, which is why ban waves feel like sudden weather events. It's not that detection happened the day of the wave; it's that the publisher's ops team flipped the "publish accumulated bans" switch the day of the wave.
What you can and can't control
Let's get concrete about the agency you actually have.
Things you can control
- What overlay you choose. Ship cadence, support quality, and cleaner-style hygiene vary enormously between overlays. See our buying-guide post.
- Your settings. Smoothing, FOV, target priority. Plausible defaults survive heuristic detection; aggressive defaults don't. Our recommended baselines are documented in the docs.
- Your account hygiene. Don't run the overlay on the account with five years of cosmetics and a competitive history attached.
- Your computer state at session start. No debug tools running. No "loaders" from other overlays open. No KDU.exe in your taskbar.
Things you can't control
- The publisher's ban-wave timing. Patches come when they come; waves come when they come.
- Other people running the same overlay. When a leak happens and your binary suddenly has 2,000 new daily users, your session's signature density goes up.
- EAC's roadmap. The teams behind anti-cheats keep adding detection. Every overlay ages.
The honest framing: anything you spend on an overlay is a bet that the team behind it patches faster than the publisher catches the build. Sometimes that bet pays off for years. Sometimes the publisher ships a detection update on a Tuesday and a wave lands Wednesday.
This is also why we say so plainly on /refund that bans aren't a replacement or refund event. Making bans whole would mean the service was a free trial with no risk, which would mean we'd have to charge ten times what we do.
Where to read further
- Are Marvel Rivals overlays safe? A 2026 reality check — the buyer-side companion to this post.
- Mastering Hawkeye aim — the product side, on the easier game-mechanic stuff.
- Detection & anti-cheat docs — our policy if a ban happens.
- /status — current detection state and any open issues.
If you've read this far, you're more informed than 98% of overlay buyers. The honest version of safety is that there's risk, the risk is real, and the way to minimize it is to pick a team that ships fast, sets sane defaults, and tells you the truth.