From the EULA:
"NCSOFT HAS THE RIGHT, BUT NO OBLIGATION, TO MONITOR OPERATION OF ANY SERVICE, CONTENT OR GAME AT ANY TIME AND IN ANY MATTER, INCLUDING BUT NOT LIMITED TO MONITORING COMMUNICATIONS AND COMMUNICATIONS INTERFACES, STORAGE DEVICES, RANDOM ACCESS MEMORY OR CPU PROCESSES RELATED TO HARDWARE YOU USE WITH THE GAME."
Aka NCSOFT can monitor communications, interfaces, storage devices, RAM and CPU processes that are used to interact with the game. They can't for example scan a web browser with a bot software homepage opened. They can't scan CPU processes or RAM associated with League of Legends or other processes not associated with the game.
Renaming the process is exactly how botters attempt to get around this, but definitions are added to add these process names to their malicious software list. At some point bot programs must interface with the game via computer hardware, thus allowing monitoring. Xigncode3 looks for instances of these known processes interacting with the game, then scans for specific file names and sends the hashcode of the file and name to themselves. Although for Xigncode its fairly useless since packet sniffers don't leave a trace. At most (outside of updating "known" names) I'd say xigncode could log what programs are being used to send key presses to the client, and use said information to update known processes or trigger a filename search. While most botters may be smart enough to their the process name, the guts of the program itself probably doesn't.
(QA on how xigncode works - https://steamcommunity.com/games/582660/announcements/detail/3062859752419178244)
Also I already started that the primary difference between a bot and a macro, is macro's don't accept rezzes (nor cast them).