Kernel Level Anti-Cheats

Kernel-level anti-cheat is a subset of anti-cheat dedicated towards running above the user level. These types of anti-cheat, such as Easy Anticheat (EAC), have grown in popularity among large developers for their online multiplayer games.^{[citation needed]} Alongside this rise in popularity is additionally an increasing concern from both consumers regarding their privacy with the use of this software,^{[citation needed]} and from security professionals who recognize the significant risks of kernel-level software being breached.^{[citation needed]}

How it works

Kernel level anti-cheats run at the kernel level; the deepest and most authoritative level of the computer. In layman's terms, this essentially means the software is capable of tracking every process occurring on a computer, and additionally exhibit control if necessary. This is contrary to previous anti-cheats, which only had permissions so high as the user-level, which some cheating software exhibited forms of circumvention.

Why it is a problem

Privacy Concerns

Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,^[1] this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers, or if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.

Security Concerns

Kernel-level software holds the highest authorization on the hardware of a user,^[2] this is favorable towards malicious actors.

If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the operating system and anti-virus software.

This is not a purely hypothetical scenario; it has already taken place in an incident with the popular gacha co-op adventure Genshin Impact, where the game's anti-cheat 'mhyprot2.sys' was hijacked by malicious actors to disable users' Antivirus software, with the intent of distributing ransomware.^[3]

Examples

EA has a history of using anti-cheats such as EAC, and recently switched to an in-house developed kernel-level anti-cheat.
Rockstar's Grand Theft Auto V moved to Kernel Level Anti-Cheats.
Hoyoverse's Genshin Impact has used a kernel-level anti-cheat since launch.

References

↑ Rigney, Ryan K. (23 Feb 2024). "The Gamers Do Not Understand Anti-Cheat". Push To Talk. Retrieved 2025-06-10.
↑ Litchfield, Ted (27 Feb 2024). "According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere". PC Gamer. Archived from the original on 2025-04-06. Retrieved 2025-06-10.
↑ Soliven, Ryan; Kimura, Hitomi (2022-08-24). "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus".

[1] Rigney, Ryan K. (23 Feb 2024). "The Gamers Do Not Understand Anti-Cheat". Push To Talk. Retrieved 2025-06-10.

[2] Litchfield, Ted (27 Feb 2024). "According to experts on kernel level anticheat, two things are abundantly clear: 1) It's not perfect and 2) It's not going anywhere". PC Gamer. Archived from the original on 2025-04-06. Retrieved 2025-06-10.

[3] Soliven, Ryan; Kimura, Hitomi (2022-08-24). "Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus".

[1]

[2]

[3]