"Modern" VAC has included modules for (Valve add new ones and rotate old detections out all the time, 5 or so are generally active at any one time):
- Checks on the game process's module list, which are then hashed and compared to known cheats (this is pretty much the only one that ever get's talked about).
Valve had to expand past this with the advent of polymorphic cheats and other cases where they can't get the actual binaries.
- Hashing and comparing window titles to known DLL injectors (a hilariously bad one from the good old days, hopefully long gone by now).
- The infamous recent collection of DNS resolution history for comparison to known cheat C&C servers.
- Using the Windows debug APIs to check if the process has been opened with remote memory access (relatively new, causes temporary bans in some Valve games).
- Hashes of the game's binaries' code sections, to detect detours (Note: not looking for known cheats, just any changes).
- I seem to remember reading something about SEH-based detours (which are used to evade ^) now being detected, so something for that.
- There is a blacklist of device drivers which is used to combat Ring-0 cheats (combined with the requirement that DEP is enabled).
- At least several more that have been well documented but I can't remember off the top of my head - it's been maaaaany years since I cared about the internals of VAC, and the best site for information is now dead and gone.
A number of these are heuristic-based and don't trigger a ban directly, but do bring in deeper scans and other scrutiny.
As I said in my last post, I think it's perfectly within the realm of reason to say that using a mouse designed to combat recoil (a popular function of many traditional cheats) is cheating, and thus it's irrelevant whether VAC currently detects it - but whether it may do in the future.