It seems like they haven't been overzealous and cross-referenced hits with other data. People are getting varying degrees of bans, and exploiters with several accounts are reporting that not every account has been banned. i.e. Valve are only banning when they are certain.
I imagine they are looking at the honeypot, and in-game actions that would be a result of the player having information they shouldn't.
Unlikely that they checked each of the 40,000 bans individually, but I imagine they devised a simple quantitative check that they could automate like "honeypot = true, check how far from STDDev player's dewarding accuracy was", then they spotchecked the highest confidence rates until they were happy to rollout the banwave.
But I imagine they tested the patch, like any other patch, and did not find evidence of any other access to that memory. You can never be 100% sure, but if that’s the standard, then how could any banned player be 100% sure cheat software wasn’t secretly installed on their system using nation state invisible rootkit capabilities?
Cosmic rays can be excluded by sampling. Say, someone triggering a guard page once or twice gets ignored, but consistent read activity whenever the user is playing is likely to be either an antivirus (which can be correlated and culprits identified) or a cheat.
Haunted players are either using that to their advantage or cursed. Do you really want to interfere with a curse? I certainly wouldn't, too much risk of it getting transferred to me.
I imagine they are looking at the honeypot, and in-game actions that would be a result of the player having information they shouldn't.
Unlikely that they checked each of the 40,000 bans individually, but I imagine they devised a simple quantitative check that they could automate like "honeypot = true, check how far from STDDev player's dewarding accuracy was", then they spotchecked the highest confidence rates until they were happy to rollout the banwave.