Kernel Level Anti-Cheats: Difference between revisions
Mandle Rex (talk | contribs) →How it works: fixed grammar |
m removed a word |
||
| (4 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
Kernel-level anti-cheat is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as [[Easy Anti-Cheat|Easy Anticheat]] (EAC), have grown in popularity among large developers for their online multiplayer games.{{Citation needed}} <!-- A comprehensive list of KL-AC to flip through: | |||
https://levvvel.com/games-with-kernel-level-anti-cheat-software/ -->Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,{{Citation needed}} and from security professionals who recognize the significant risks of kernel-level software being breached.{{Citation needed}} | |||
==How it works== | ==How it works== | ||
Kernel level anti-cheats run at the kernel level | Kernel level anti-cheats run at the kernel level; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. This is contrary to previous anti-cheats, which only had permissions so high as the user-level, which some cheating software exhibited forms of circumvention. | ||
==Why it is a problem== | ==Why it is a problem== | ||
===Privacy Concerns=== | ===Privacy Concerns=== | ||
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers, or if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information. | |||
===Security Concerns=== | ===Security Concerns=== | ||
Kernel-level software holds the highest authorization on the hardware of a user,<ref>{{Cite web |last=Litchfield |first=Ted |date=27 Feb 2024 |title=According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere |url=https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |url-status=live |archive-url=https://web.archive.org/web/20250406200223/https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |archive-date=2025-04-06 |access-date=2025-06-10 |website=PC Gamer}}</ref> this is favorable towards malicious actors. | |||
If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the operating system and anti-virus software. | |||
This is not a purely hypothetical scenario; it has already taken place in an incident with the popular gacha co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' Antivirus software, with the intent of distributing ransomware.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}}</ref> | |||
==Examples== | ==Examples== | ||
*[[Electronic Arts|EA]] has recently [[EA moves to in-house kernel-level anti-cheat on PC after purchase| | *[[Electronic Arts|EA]] has a history of using anti-cheats such as [[Easy anti-cheat|EAC]], and recently switched to [[EA moves to in-house kernel-level anti-cheat on PC after purchase|an in-house developed kernel-level anti-cheat]]. | ||
* | *[[Rockstar Games|Rockstar]]'s ''Grand Theft Auto V'' [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]] | ||
*[[Genshin Impact]] has | *[[Hoyoverse]]'s [[Genshin Impact|''Genshin Impact'']] has used a kernel-level anti-cheat since launch. | ||
Latest revision as of 03:14, 11 June 2025
Kernel-level anti-cheat is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as Easy Anticheat (EAC), have grown in popularity among large developers for their online multiplayer games.[citation needed] Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,[citation needed] and from security professionals who recognize the significant risks of kernel-level software being breached.[citation needed]
How it works[edit | edit source]
Kernel level anti-cheats run at the kernel level; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. This is contrary to previous anti-cheats, which only had permissions so high as the user-level, which some cheating software exhibited forms of circumvention.
Why it is a problem[edit | edit source]
Privacy Concerns[edit | edit source]
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,[1] this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers, or if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.
Security Concerns[edit | edit source]
Kernel-level software holds the highest authorization on the hardware of a user,[2] this is favorable towards malicious actors.
If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the operating system and anti-virus software.
This is not a purely hypothetical scenario; it has already taken place in an incident with the popular gacha co-op adventure Genshin Impact, where the game's anti-cheat 'mhyprot2.sys' was hijacked by malicious actors to disable users' Antivirus software, with the intent of distributing ransomware.[3]
Examples[edit | edit source]
- EA has a history of using anti-cheats such as EAC, and recently switched to an in-house developed kernel-level anti-cheat.
- Rockstar's Grand Theft Auto V moved to Kernel Level Anti-Cheats.
- Hoyoverse's Genshin Impact has used a kernel-level anti-cheat since launch.
References[edit | edit source]
- ↑ Rigney, Ryan K. (23 Feb 2024). "The Gamers Do Not Understand Anti-Cheat". Push To Talk. Retrieved 2025-06-10.
- ↑ Litchfield, Ted (27 Feb 2024). "According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere". PC Gamer. Archived from the original on 2025-04-06. Retrieved 2025-06-10.
- ↑ Soliven, Ryan; Kimura, Hitomi (2022-08-24). "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus".