Kernel Level Anti-Cheats: Difference between revisions

Plankton (talk | contribs)
security issue
Ednovstormbrewer (talk | contribs)
Revised short list under Further reading pertaining to Rainbow Six Siege
 
(13 intermediate revisions by 11 users not shown)
{{Stub}}
'''Kernel-level anti-cheat''' is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as [[Easy Anti-Cheat|Easy Anticheat]] (EAC), have grown in popularity among large developers for their online multiplayer games.{{Citation needed}} <!-- A comprehensive list of KL-AC to flip through:
https://levvvel.com/games-with-kernel-level-anti-cheat-software/ -->Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,{{Citation needed}} and from security professionals who recognize the significant risks of kernel-level software being breached.{{Citation needed}}
 
Kernel Level Anti-Cheats are anti-cheat software that boot and run at the kernel level instead of the typical user level. These anti-cheats have recently become more popular among big online service games. They are controversial because of privacy and security concerns.


==How it works==
Kernel-level anti-cheats run at the {{Wplink|Kernel (operating system)|kernel level}}, the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally of exerting control if necessary. Alternatives to kernel-level anticheat include user-level anticheat, which runs as a standard process on the player's machine, and server-side anticheat, which leaves the user's machine untouched and operates solely on the game's servers.
==Why it is a problem==
The arms race between hacking and anticheat software has seen hackers better able to circumvent user-level anticheat in recent years, pushing more anticheat developers to demand kernel access from players and more game developers to require use of a kernel anticheat to access their games.


===Privacy concerns===
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.


===Security concerns===
Kernel-level anti-cheats run at the kernel level, the deepest and most authoritative level of the computer, and have access to everything the computer is doing. This is in contrast to traditional, user-level anti-cheats, which only had access to user-level permissions and therefore could not detect certain cheat engines which were cleverly hidden. However, because kernel-level anti-cheats run at the kernel level, if they can be hijacked and exploited they create a massive security issue at that level. This has happened with [[Genshin Impact]]: hackers hijacked the anti-cheat and delivered ransomware.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}}</ref>
As kernel-level software holds the highest authorization on the hardware of a user,<ref>{{Cite web |last=Litchfield |first=Ted |date=27 Feb 2024 |title=According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere |url=https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |url-status=live |archive-url=https://web.archive.org/web/20250406200223/https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |archive-date=2025-04-06 |access-date=2025-06-10 |website=PC Gamer}}</ref> it is an attractive target for malicious actors.


==Examples==
If a malicious actor were to discover a security issue in a kernel-level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the {{Wplink|operating system}} and {{Wplink|Antivirus software|anti-virus software}}.
This is not a purely hypothetical scenario; it has already taken place in an incident with the popular {{Wplink|Gacha game|gacha}} co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing {{Wplink|ransomware}}.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}}</ref>


*[[Electronic Arts|EA]] has recently [[EA moves to in-house kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats]].
Another example is Hotta Studios' Tower of Fantasy. Users have reported that its kernel-level anticheat driver 'ksophon_x64.sys' caused BSOD with the DPC_WATCHDOG_VIOLATION stop code. The crashes were reported when the game was uninstalled, launched, closed, or even running, before the new publisher Perfect World Games. Since the update by the company, the file no longer appears to exist in System32/drivers.
*GTA V has recently [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]]
*[[Genshin Impact]] has moved to Kernel Level Anti-Cheats.
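
A defender-side audit of the points above: which kernel drivers are registered on a Windows machine, which of them load at startup, and whether the two driver files named in this article are still present. This is an added example, not part of the original article; the function names and output fields are hypothetical, and the watch list contains only the file names mentioned on this page.

```powershell
# Added example: inventory kernel drivers and flag the ones named in this article.
# Resolve-DriverPath, Get-KernelDriverAudit and the output field names are hypothetical;
# the watch list holds only the driver file names mentioned on this page.
$WatchList = @('mhyprot2.sys', 'ksophon_x64.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    # Driver image paths may be stored in NT form; convert them to a normal Win32 path.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\?SystemRoot\\', "$env:SystemRoot\"
    return $p
}

function Get-KernelDriverAudit {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State        # Running or Stopped
            StartMode = $_.StartMode    # Boot, System, Auto, Manual or Disabled
            File      = $path
            OnDisk    = $exists
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Watched   = [bool]($path -and ($WatchList -contains (Split-Path $path -Leaf)))
        }
    }
}

$audit = Get-KernelDriverAudit

# Drivers that load with the system, before any game is launched.
$audit | Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } |
    Sort-Object StartMode, Name | Format-Table Name, State, StartMode, Signature, File -AutoSize

# Registered drivers from the watch list, whether or not their file is still on disk.
$audit | Where-Object Watched | Format-List Name, State, StartMode, OnDisk, Signer, File

# Watch-list files left in the drivers directory without a registered driver service.
$WatchList | ForEach-Object { Join-Path "$env:SystemRoot\System32\drivers" $_ } |
    Where-Object { (Test-Path -LiteralPath $_) -and ($audit.File -notcontains $_) }
```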


==Further reading==
*[[Electronic Arts|EA]] has a history of using anti-cheats such as [[Easy anti-cheat|EAC]], and recently switched to [[EA moves to in-house kernel-level anti-cheat on PC after purchase|an in-house developed kernel-level anti-cheat]].
*[[Rockstar Games|Rockstar]]'s ''Grand Theft Auto V'' [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]]
*[[Hoyoverse]]'s [[Genshin Impact|''Genshin Impact'']] has used a kernel-level anti-cheat since launch.
*Riot Games' Valorant uses an in-house kernel-level anticheat called [https://support-valorant.riotgames.com/hc/en-us/articles/360046160933-What-is-Vanguard Vanguard].
*Kuro Games' Wuthering Waves has used a kernel-level anticheat called ACE (Anti-Cheat Expert) since launch.
*Hotta Studios' Tower of Fantasy has a history of a kernel-level anticheat that caused BSOD and would stay even after uninstalling the game.
*Ubisoft uses BattlEye kernel-level anticheat for [https://r6fix.ubi.com/projects/RAINBOW6-SIEGE-LIVE/issues/LIVE-59642 Rainbow Six: Siege] which prevents Linux gamers from launching it even after paying for it.
*Arrowhead Game Studios' Helldivers 2 uses a kernel-level anticheat called [https://www.reddit.com/r/Helldivers/comments/19dp2qw/helldivers_2_nprotect_gameguard_anticheat/ nProtect GameGuard].


==References==
{{reflist}}


[[Category:Common terms]]