Kernel Level Anti-Cheats

Kernel-level anti-cheat is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as Easy Anticheat (EAC), have grown in popularity among large developers for their online multiplayer games.^{[citation needed]} Alongside this rise in popularity is increasing concern from both consumers regarding their privacy with the use of this software,^{[citation needed]} and from security professionals who recognize the significant risks of kernel-level software being breached.^{[citation needed]}

How it works edit

Kernel level anti-cheats run at the kernel level; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. Alternatives to kernel level anticheat include user level anticheat which runs as a standard process on the player's machine, and server side anticheat which leaves the user's machine untouched and solely operates on the game's servers.

The arms race between hacking and anticheat software has seen hackers better able to circumvent user level anticheat in recent years, pushing more anticheat developers to demand kernel access from players and more developers to require use of a kernel anticheat to access their games.

Consumer impact summary edit

Privacy concerns edit

Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,^[1] this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.

Security concerns edit

As kernel-level software holds the highest authorization on the hardware of a user,^[2] this is favorable towards malicious actors.

If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the operating system and anti-virus software.

This is not a purely hypothetical scenario; it has already taken place in an incident with the popular gacha co-op adventure Genshin Impact, where the game's anti-cheat 'mhyprot2.sys' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing ransomware.^[3]

References edit

↑ Rigney, Ryan K. (23 Feb 2024). "The Gamers Do Not Understand Anti-Cheat". Push To Talk. Retrieved 2025-06-10.
↑ Litchfield, Ted (27 Feb 2024). "According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere". PC Gamer. Archived from the original on 2025-04-06. Retrieved 2025-06-10.
↑ Soliven, Ryan; Kimura, Hitomi (2022-08-24). "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus".

[1] Rigney, Ryan K. (23 Feb 2024). "The Gamers Do Not Understand Anti-Cheat". Push To Talk. Retrieved 2025-06-10.

[2] Litchfield, Ted (27 Feb 2024). "According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere". PC Gamer. Archived from the original on 2025-04-06. Retrieved 2025-06-10.

[3] Soliven, Ryan; Kimura, Hitomi (2022-08-24). "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus".

[1]

[2]

[3]