Consumer Rights Wiki - User contributions [en]

Kernel level anti-cheats

2025-07-03T17:43:24Z

Ednovstormbrewer: Revised short list under Further reading pertaining to Rainbow Six Siege

'''Kernel-level anti-cheat''' is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as [[Easy Anti-Cheat|Easy Anticheat]] (EAC), have grown in popularity among large developers for their online multiplayer games.{{Citation needed}} Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,{{Citation needed}} and from security professionals who recognize the significant risks of kernel-level software being breached.{{Citation needed}}

==How it works==
Kernel level anti-cheats run at the {{Wplink|Kernel (operating system)|kernel level}}; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. Alternatives to kernel level anticheat include user level anticheat which runs as a standard process on the player's machine, and server side anticheat which leaves the user's machine untouched and solely operates on the game's servers.

The arms race between hacking and anticheat software has seen hackers better able to circumvent user level anticheat in recent years, pushing more anticheat developers to demand kernel access from players and more developers to require use of a kernel anticheat to access their games.

==Consumer impact summary==
===Privacy concerns===
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.

===Security concerns===
As kernel-level software holds the highest authorization on the hardware of a user,<ref>{{Cite web |last=Litchfield |first=Ted |date=27 Feb 2024 |title=According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere |url=https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |url-status=live |archive-url=https://web.archive.org/web/20250406200223/https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |archive-date=2025-04-06 |access-date=2025-06-10 |website=PC Gamer}}</ref> this is favorable towards malicious actors.

If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the {{Wplink|operating system}} and {{Wplink|Antivirus software|anti-virus software}}.

This is not a purely hypothetical scenario; it has already taken place in an incident with the popular {{Wplink|Gacha game|gacha}} co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing {{Wplink|ransomware}}.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}}</ref>

Another perfect example is Hotta Studios' Tower of Fantasy game. Users have reported that the kernel-level anticheat 'ksophon_x64.sys' has caused BSOD along with the DPC_WATCHDOG_VIOLATION. This incident occurs when the game is uninstalled, launched, closed, or even running before the new publisher Perfect World Games. As of now, since the update by the company, the file doesn't appear to exist in System32/drivers.

==Further reading==
*[[Electronic Arts|EA]] has a history of using anti-cheats such as [[Easy anti-cheat|EAC]], and recently switched to [[EA moves to in-house kernel-level anti-cheat on PC after purchase|an in-house developed kernel-level anti-cheat]].
*[[Rockstar Games|Rockstar]]'s ''Grand Theft Auto V'' [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]]
*[[Hoyoverse]]'s [[Genshin Impact|''Genshin Impact'']] has used a kernel-level anti-cheat since launch.
*Riot Games' Valorant uses an in house kernel-level anticheat called [https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard Vanguard]
*Kuro Games' Wuthering Waves uses a kernel-level anticheat called ACE (Anti-Cheat Expert) since launch.
*Hotta Studios' Tower of Fantasy's history of kernel-level anticheat caused BSOD and would stay even after uninstalling the game.
*Ubisoft uses BattlEye kernel-level anticheat for [https://r6fix.ubi.com/projects/RAINBOW6-SIEGE-LIVE/issues/LIVE-59642 Rainbow Six: Siege] which prevents Linux gamers from launching it even after paying for it.
*Arrowhead Game Studios' Helldivers 2 uses a kernel-level anticheat called [https://www.reddit.com/r/Helldivers/comments/19dp2qw/helldivers_2_nprotect_gameguard_anticheat/ nProtect GameGuard].

==References==
{{Reflist}}

[[Category:Common terms]]

Kernel level anti-cheats

2025-07-03T17:37:03Z

Ednovstormbrewer: Revised last paragraph under Security concerns. Added links pertaining to kernel-level anticheats to Helldivers 2 and Rainbow Six Siege as an example of Linux gamers being unable to launch the game.

'''Kernel-level anti-cheat''' is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as [[Easy Anti-Cheat|Easy Anticheat]] (EAC), have grown in popularity among large developers for their online multiplayer games.{{Citation needed}} Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,{{Citation needed}} and from security professionals who recognize the significant risks of kernel-level software being breached.{{Citation needed}}

==How it works==
Kernel level anti-cheats run at the {{Wplink|Kernel (operating system)|kernel level}}; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. Alternatives to kernel level anticheat include user level anticheat which runs as a standard process on the player's machine, and server side anticheat which leaves the user's machine untouched and solely operates on the game's servers.

The arms race between hacking and anticheat software has seen hackers better able to circumvent user level anticheat in recent years, pushing more anticheat developers to demand kernel access from players and more developers to require use of a kernel anticheat to access their games.

==Consumer impact summary==
===Privacy concerns===
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.

===Security concerns===
As kernel-level software holds the highest authorization on the hardware of a user,<ref>{{Cite web |last=Litchfield |first=Ted |date=27 Feb 2024 |title=According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere |url=https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |url-status=live |archive-url=https://web.archive.org/web/20250406200223/https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |archive-date=2025-04-06 |access-date=2025-06-10 |website=PC Gamer}}</ref> this is favorable towards malicious actors.

If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the {{Wplink|operating system}} and {{Wplink|Antivirus software|anti-virus software}}.

This is not a purely hypothetical scenario; it has already taken place in an incident with the popular {{Wplink|Gacha game|gacha}} co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing {{Wplink|ransomware}}.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}}</ref>

Another perfect example is Hotta Studios' Tower of Fantasy game. Users have reported that the kernel-level anticheat 'ksophon_x64.sys' has caused BSOD along with the DPC_WATCHDOG_VIOLATION. This incident occurs when the game is uninstalled, launched, closed, or even running before the new publisher Perfect World Games. As of now, since the update by the company, the file doesn't appear to exist in System32/drivers.

==Further reading==
*[[Electronic Arts|EA]] has a history of using anti-cheats such as [[Easy anti-cheat|EAC]], and recently switched to [[EA moves to in-house kernel-level anti-cheat on PC after purchase|an in-house developed kernel-level anti-cheat]].
*[[Rockstar Games|Rockstar]]'s ''Grand Theft Auto V'' [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]]
*[[Hoyoverse]]'s [[Genshin Impact|''Genshin Impact'']] has used a kernel-level anti-cheat since launch.
*Riot Games' Valorant uses an in house kernel-level anticheat called [https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard Vanguard]
*Kuro Games' Wuthering Waves uses a kernel-level anticheat called ACE (Anti-Cheat Expert) since launch.
*Hotta Studios' Tower of Fantasy's history of kernel-level anticheat caused BSOD and would stay even after uninstalling the game.
*Ubisoft developer refused letting Linux gamers launch [https://r6fix.ubi.com/projects/RAINBOW6-SIEGE-LIVE/issues/LIVE-59642 Rainbow Six: Siege] due to kernel-level anticheat.
*Arrowhead Game Studios' Helldivers 2 uses a kernel-level anticheat called [https://www.reddit.com/r/Helldivers/comments/19dp2qw/helldivers_2_nprotect_gameguard_anticheat/ nProtect GameGuard].

==References==
{{Reflist}}

[[Category:Common terms]]

Kernel level anti-cheats

2025-07-02T19:17:01Z

Ednovstormbrewer: /* Added another paragraph to Security Concerns to address history with Hotta Studios and more companies using kernel-level anticheats under Further reading */

'''Kernel-level anti-cheat''' is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as [[Easy Anti-Cheat|Easy Anticheat]] (EAC), have grown in popularity among large developers for their online multiplayer games.{{Citation needed}} Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,{{Citation needed}} and from security professionals who recognize the significant risks of kernel-level software being breached.{{Citation needed}}

==How it works==
Kernel level anti-cheats run at the {{Wplink|Kernel (operating system)|kernel level}}; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. Alternatives to kernel level anticheat include user level anticheat which runs as a standard process on the player's machine, and server side anticheat which leaves the user's machine untouched and solely operates on the game's servers.

The arms race between hacking and anticheat software has seen hackers better able to circumvent user level anticheat in recent years, pushing more anticheat developers to demand kernel access from players and more developers to require use of a kernel anticheat to access their games.

==Consumer impact summary==
===Privacy concerns===
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.

===Security concerns===
As kernel-level software holds the highest authorization on the hardware of a user,<ref>{{Cite web |last=Litchfield |first=Ted |date=27 Feb 2024 |title=According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere |url=https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |url-status=live |archive-url=https://web.archive.org/web/20250406200223/https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |archive-date=2025-04-06 |access-date=2025-06-10 |website=PC Gamer}}</ref> this is favorable towards malicious actors.

If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the {{Wplink|operating system}} and {{Wplink|Antivirus software|anti-virus software}}.

This is not a purely hypothetical scenario; it has already taken place in an incident with the popular {{Wplink|Gacha game|gacha}} co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing {{Wplink|ransomware}}.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}}</ref>

Another perfect example is Hotta Studios' Tower of Fantasy game. Users have reported that the kernel-level anticheat 'ksophon_x64.sys' has caused BSOD along with the DPC_WATCHDOG_VIOLATION. This incidents occur when the game is uninstalled, launched, closed, or even running before the new publisher Perfect World Games. As of now, since the update by the company, the file doesn't appear to exist in System32/drivers.

==Further reading==
*[[Electronic Arts|EA]] has a history of using anti-cheats such as [[Easy anti-cheat|EAC]], and recently switched to [[EA moves to in-house kernel-level anti-cheat on PC after purchase|an in-house developed kernel-level anti-cheat]].
*[[Rockstar Games|Rockstar]]'s ''Grand Theft Auto V'' [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]]
*[[Hoyoverse]]'s [[Genshin Impact|''Genshin Impact'']] has used a kernel-level anti-cheat since launch.
*Riot Games' Valorant uses an in house kernel-level anticheat called [https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard Vanguard]
*Kuro Games' Wuthering Waves uses a kernel-level anticheat called ACE (Anti-Cheat Expert) since launch.
*Hotta Studios' Tower of Fantasy's history of kernel-level anticheat caused BSOD and would stay even after uninstalling the game.
*Some Windows games with kernel-level anticheat has prevented Linux users from launching even with Wine/Proton layer.
*Arrowhead Game Studios' Helldivers 2 uses a kernel-level anticheat called nProtect GameGuard.

==References==
{{Reflist}}

[[Category:Common terms]]

Android

2025-06-10T15:32:46Z

Ednovstormbrewer: /* References */ Revised

{{StubNotice}}
{{InfoboxProductLine
| Title = Android
| Release Year = 2003
| Product Type = Software
| In Production = Yes
| Official Website = https://android.com/
| Logo = Android Logo.png
}}

[[wikipedia:Android_(operating_system)|'''Android''']] is an operating system developed and released by '''[[Google]]''' since 2005. It is based on a modified version of the Linux kernel and other open-source software, designed primarily for touchscreen-based mobile devices such as smartphones and tablets, but is also used in smart TVs, cameras, in-car infotainment systems, etc.{{Citation needed}}

==Consumer impact summary==
Google, as the developer of Android, has faced scrutiny over privacy concerns, short software support lifespans, patent disputes, and anti-competitive behaviors.{{Citation needed}}

Google encourages the use of their [https://developer.android.com/google/play/integrity/overview Play Integrity API], a mechanism for Android applications to detect whether they are running on a non-OEM version of Android. This is employed mostly to prevent users from running Android versions with anti-consumer features removed, i.e. ads and unconsented data collection. For example, the Android YouTube app which leverages the API to detect whether it has been patched to remove ads, in which case it will refuse to play back videos.

==Incidents==
This is a list of all consumer protection incidents related to this software. Any incidents not mentioned here can be found in the [[:Category:{{PAGENAME}}|{{PAGENAME}} category]].

===Data collection===
{{Main|Android Data Collection}}
Android mobile devices, even when minimally configured, collect and share with Google extensive user data with little options for opting-out, raising privacy concerns.

===Android System Safety Core silent install===
{{Hatnote|Full article: [[Android System SafetyCore]]}}
In January 22, 2025, Google quietly rolled out Android System SafetyCore to all Android devices. The installation of the program neither informed consumers that it was installed, nor did it request consumers to install it onto their devices.

'''OEM Locked Bootloaders'''

''Article:'' [[Motorola]]

In North America, Many of Android devices like phones or tablets will not allow consumers to unlock and do what they want to modify the software. Therefore, it has been incredibly difficult and nearly impossible to root and install custom ROMs into the device unless an exploit has been found.

==References==
<references />
[[Category:{{PAGENAME}}]]

Android

2025-06-10T14:59:21Z

Ednovstormbrewer: /* Incidents */ Added the summary about OEM locked bootloaders

{{StubNotice}}
{{InfoboxProductLine
| Title = Android
| Release Year = 2003
| Product Type = Software
| In Production = Yes
| Official Website = https://android.com/
| Logo = Android Logo.png
}}

[[wikipedia:Android_(operating_system)|'''Android''']] is an operating system developed and released by '''[[Google]]''' since 2005. It is based on a modified version of the Linux kernel and other open-source software, designed primarily for touchscreen-based mobile devices such as smartphones and tablets, but is also used in smart TVs, cameras, in-car infotainment systems, etc.{{Citation needed}}

==Consumer impact summary==
Google, as the developer of Android, has faced scrutiny over privacy concerns, short software support lifespans, patent disputes, and anti-competitive behaviors.{{Citation needed}}

Google encourages the use of their [https://developer.android.com/google/play/integrity/overview Play Integrity API], a mechanism for Android applications to detect whether they are running on a non-OEM version of Android. This is employed mostly to prevent users from running Android versions with anti-consumer features removed, i.e. ads and unconsented data collection. For example, the Android YouTube app which leverages the API to detect whether it has been patched to remove ads, in which case it will refuse to play back videos.

==Incidents==
This is a list of all consumer protection incidents related to this software. Any incidents not mentioned here can be found in the [[:Category:{{PAGENAME}}|{{PAGENAME}} category]].

===Data collection===
{{Main|Android Data Collection}}
Android mobile devices, even when minimally configured, collect and share with Google extensive user data with little options for opting-out, raising privacy concerns.

===Android System Safety Core silent install===
{{Hatnote|Full article: [[Android System SafetyCore]]}}
In January 22, 2025, Google quietly rolled out Android System SafetyCore to all Android devices. The installation of the program neither informed consumers that it was installed, nor did it request consumers to install it onto their devices.

'''OEM Locked Bootloaders'''

In North America, Many of Android phones like Samsung's Snapdragon devices will not allow consumers to unlock their phones and do what they want to modify the software. Therefore, it has been incredibly difficult and nearly impossible to root and install custom ROMs into the device unless an exploit has been found.

==References==
<references />
[[Category:{{PAGENAME}}]]