Kernel Level Anti-Cheats: Difference between revisions
m removed a word |
m wikify and renamed a couple headers |
||
Line 1: | Line 1: | ||
Kernel-level anti-cheat is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as [[Easy Anti-Cheat|Easy Anticheat]] (EAC), have grown in popularity among large developers for their online multiplayer games.{{Citation needed}} <!-- A comprehensive list of KL-AC to flip through: | '''Kernel-level anti-cheat''' is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as [[Easy Anti-Cheat|Easy Anticheat]] (EAC), have grown in popularity among large developers for their online multiplayer games.{{Citation needed}} <!-- A comprehensive list of KL-AC to flip through: | ||
https://levvvel.com/games-with-kernel-level-anti-cheat-software/ -->Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,{{Citation needed}} and from security professionals who recognize the significant risks of kernel-level software being breached.{{Citation needed}} | https://levvvel.com/games-with-kernel-level-anti-cheat-software/ -->Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,{{Citation needed}} and from security professionals who recognize the significant risks of kernel-level software being breached.{{Citation needed}} | ||
==How it works== | ==How it works== | ||
Kernel level anti-cheats run at the kernel level; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. This is contrary to previous anti-cheats, which only had permissions so high as the user-level, which some cheating software exhibited forms of circumvention. | Kernel level anti-cheats run at the {{Wplink|Kernel (operating system)|kernel level}}; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. This is contrary to previous anti-cheats, which only had permissions so high as the user-level, which some cheating software exhibited forms of circumvention. | ||
== | ==Consumer impact summary== | ||
===Privacy | ===Privacy concerns=== | ||
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers, | Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information. | ||
===Security | ===Security concerns=== | ||
As kernel-level software holds the highest authorization on the hardware of a user,<ref>{{Cite web |last=Litchfield |first=Ted |date=27 Feb 2024 |title=According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere |url=https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |url-status=live |archive-url=https://web.archive.org/web/20250406200223/https://www.pcgamer.com/according-to-experts-on-kernel-level-anticheat-two-things-are-abundantly-clear-1-its-not-perfect-and-2-its-not-going-anywhere/ |archive-date=2025-04-06 |access-date=2025-06-10 |website=PC Gamer}}</ref> this is favorable towards malicious actors. | |||
If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the operating system and anti-virus software. | If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the {{Wplink|operating system}} and {{Wplink|Antivirus software|anti-virus software}}. | ||
This is not a purely hypothetical scenario; it has already taken place in an incident with the popular gacha co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' | This is not a purely hypothetical scenario; it has already taken place in an incident with the popular {{Wplink|Gacha game|gacha}} co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing {{Wplink|ransomware}}.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}}</ref> | ||
== | ==Further reading== | ||
*[[Electronic Arts|EA]] has a history of using anti-cheats such as [[Easy anti-cheat|EAC]], and recently switched to [[EA moves to in-house kernel-level anti-cheat on PC after purchase|an in-house developed kernel-level anti-cheat]]. | *[[Electronic Arts|EA]] has a history of using anti-cheats such as [[Easy anti-cheat|EAC]], and recently switched to [[EA moves to in-house kernel-level anti-cheat on PC after purchase|an in-house developed kernel-level anti-cheat]]. | ||
*[[Rockstar Games|Rockstar]]'s ''Grand Theft Auto V'' [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]] | *[[Rockstar Games|Rockstar]]'s ''Grand Theft Auto V'' [[GTA 5 moves to kernel-level anti-cheat on PC after purchase|moved to Kernel Level Anti-Cheats.]] | ||
*[[Hoyoverse]]'s [[Genshin Impact|''Genshin Impact'']] has used a kernel-level anti-cheat since launch. | *[[Hoyoverse]]'s [[Genshin Impact|''Genshin Impact'']] has used a kernel-level anti-cheat since launch. | ||
==References== | ==References== | ||
{{ | {{Reflist}} | ||
[[Category:Common terms]] | [[Category:Common terms]] |
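Review bot: the "How it works" row only gains the {{Wplink}} link and leaves the sentence around it ungrammatical on the new side. Both "additionally exhibit control if necessary" and "which some cheating software exhibited forms of circumvention" are unchanged. Since the line is already being edited, reword it, for example "and, if necessary, exerting control" and "which some cheating software found ways to circumvent". The same row still mixes "Kernel level" with the hyphenated "Kernel-level" used in the lead, and the lead keeps three {{Citation needed}} tags that this revision does not resolve.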
Revision as of 23:00, 16 June 2025
Kernel-level anti-cheat is a subset of anti-cheat software that runs with privileges above the user level. Anti-cheats of this type, such as Easy Anti-Cheat (EAC), have grown in popularity among large developers for their online multiplayer games.[citation needed] Alongside this rise in popularity is increasing concern both from consumers regarding their privacy when using this software,[citation needed] and from security professionals who recognize the significant risks of kernel-level software being breached.[citation needed]
How it works
Kernel-level anti-cheats run at the kernel level, the deepest and most authoritative level of the computer. In layman's terms, this means the software is capable of tracking every process occurring on a computer and, if necessary, exerting control over it. This is in contrast to previous anti-cheats, which only had user-level permissions and which some cheating software found ways to circumvent.
Consumer impact summary
Privacy concerns
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background to processes that may be more private for the user. As this software is designed to run on startup,[1] it retains the capability to track the user's behavior even when the game it was installed for is not running. The resulting risks range from the gathering of data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.
Security concerns
Because kernel-level software holds the highest level of authorization on a user's hardware,[2] it is an attractive target for malicious actors.
If a malicious actor were to discover a security issue in a kernel-level anti-cheat significant enough to allow them to hijack the software, they would be able to execute code directly at its level of access, allowing them to bypass security measures put in place by the operating system and anti-virus software.
This is not a purely hypothetical scenario; it has already taken place in an incident with the popular gacha co-op adventure Genshin Impact, where the game's anti-cheat 'mhyprot2.sys' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing ransomware.[3]
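From the defender's side, the incident above shows that a validly signed anti-cheat driver can load on a machine that has no reason to run it. The following is an added detection example, not code from this article or its sources: it triages driver-load records for watched driver names. Only the name mhyprot2.sys comes from the article; host names, paths, the inventory and the directory list are constructed assumptions.

```python
import ntpath
from dataclasses import dataclass

# Driver file names to watch, mapped to the product that legitimately ships them.
# Only mhyprot2.sys / Genshin Impact comes from the article.
WATCHED_DRIVERS = {"mhyprot2.sys": "Genshin Impact"}

# Assumption: path fragments suggesting the file was dropped rather than installed.
USER_WRITABLE_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\", "\\appdata\\")


@dataclass
class DriverLoad:
    host: str
    image_path: str
    signed: bool


def triage(events, installed_products):
    """Return (host, path, reasons) for watched-driver loads lacking a legitimate context."""
    findings = []
    for ev in events:
        name = ntpath.basename(ev.image_path).lower()
        product = WATCHED_DRIVERS.get(name)
        if product is None:
            continue  # not a driver we track
        reasons = []
        if product not in installed_products.get(ev.host, set()):
            reasons.append(f"{product} not installed on host")
        if any(d in ev.image_path.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("loaded from user-writable location")
        if not ev.signed:
            reasons.append("signature missing or invalid")
        # A valid signature never clears an event: the abused driver was signed.
        if reasons:
            findings.append((ev.host, ev.image_path, reasons))
    return findings


# Constructed sample data (hosts, paths and inventory are illustrative only).
SAMPLE_EVENTS = [
    DriverLoad("PC-GAMER", r"C:\Program Files\Genshin Impact\mhyprot2.sys", True),
    DriverLoad("SRV-FILE01", r"C:\Users\Public\mhyprot2.sys", True),
    DriverLoad("SRV-FILE01", r"C:\Windows\System32\drivers\disk.sys", True),
]
SAMPLE_INVENTORY = {"PC-GAMER": {"Genshin Impact"}, "SRV-FILE01": set()}

if __name__ == "__main__":
    for host, path, reasons in triage(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print(host, path, "; ".join(reasons))
```
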
Further reading
- EA has a history of using anti-cheats such as EAC, and recently switched to an in-house developed kernel-level anti-cheat.
- Rockstar's Grand Theft Auto V moved to Kernel Level Anti-Cheats.
- Hoyoverse's Genshin Impact has used a kernel-level anti-cheat since launch.
References
- Rigney, Ryan K. (23 Feb 2024). "The Gamers Do Not Understand Anti-Cheat". Push To Talk. Retrieved 2025-06-10.
- Litchfield, Ted (27 Feb 2024). "According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere". PC Gamer. Archived from the original on 2025-04-06. Retrieved 2025-06-10.
- Soliven, Ryan; Kimura, Hitomi (2022-08-24). "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus".