Like Denuvo DRM or shader compilation stutter, “kernel level anticheat” is one of the most high profile issues dogging PC gaming in recent years. The default position of most gamers is that it’s a crutch used by “lazy devs”, it ruins performance, and could even compromise security. However, after reading games marketing veteran Ryan K. Rigney’s Push to Talk report, in which he interviews multiple professional anticheat experts, it’s clear that the tech’s here to stay regardless.
For the uninitiated, what it means when anticheat is operating at kernel level is that it’s running at the deepest, most authoritative layer of your operating system. Developers appreciate that level of control in detecting and shutting down cheat programs, pre-empting them with a maximum level of system authority. Many consumers understandably take issue with relinquishing that level of control to a third party.
For one instructive example of the power and invasiveness of these tools, look no further than the high profile Destiny raider who lost his account after the game’s anticheat flagged a cheat engine program he had installed for the single player Shogun: Total War 2 and never used on Bungie’s FPS-MMO.
That feeling of intrusion can often result in a tense, sometimes hysterical tone to conversations about the software: review bombs, threats, more “lazy dev” discourse, etc. The experts that Rigney interviewed are clearly well aware of how unpopular kernel level anticheat is with some players. His Odyssey Interactive colleague, software engineer Paul Chamberlain, calls it “a cursed field to work in.”
Riot Games head of anticheat, Phillip Koskinas, argues that developers essentially have to be secretive about how their anticheat works in order to retain every advantage against cheat developers, who are themselves constantly searching for vulnerabilities. That secrecy, though understandable in an arms race against cheats, doesn’t help the tech’s reputation among gamers.
I’m less worried about developers abusing kernel access, and more concerned with potential vulnerabilities introduced for third-party actors to exploit. Rigney cited two examples: the infamous Extended Copy Protection (XCP) from Sony, which bad actors used to compromise affected systems, as well as a backdoor vulnerability introduced by Street Fighter 5’s kernel level anticheat. In 2022, a ransomware developer also took advantage of Genshin Impact’s kernel level anticheat to disable antivirus processes.
However, all the experts Rigney talked to agree on a compelling argument: it’s in a developer’s best interest not to breach customers’ trust by abusing kernel level access or offering a product that negatively impacts their system. Further, they argue that you don’t need kernel level access to do some serious damage to a PC, and I was reminded of FromSoftware’s catastrophic security failure with the entire Soulsborne catalogue on PC (until Elden Ring, FromSoft did not use kernel level anticheat). That vulnerability resulted in the games’ multiplayer modes being shut down for months in 2022.
(Image credit: Capcom)
Unfortunately, being online on any device in 2024 carries risk: Your fridge has experienced a ransomware attack after downloading a new firmware update, someone’s impersonating you on Twitter trying to get Amazon gift cards, and every other email you receive is trying to phish for your bank details. Ape is killing ape in the hour of wolves, baby, and the one thing that’s truly true on the internet is you can’t trust anyone.
“Any software you put on your machine can be used to take it over,” Roblox’s head of anti-cheat, Clint Sereday, explained to Rigney. Chamberlain emphasized the trust factor, noting the level of authority non-kernel level programs still have: “It can do anything you can do. If you can use your webcam, it can use your webcam. Kernel or not kernel, it does not make a difference to the level of danger posed to you by unknown software. The whole argument is kind of a distraction.”
And, at the end of the day, it’s the continued proliferation and profitability of cheating in games that’s driven us to this point. Some gamers even willingly embrace kernel level anticheat for its more certain protection. Public policy researcher Jonathan Hofer wrote last December about FACEIT, a platform with kernel level anticheat that some gamers willingly play Counter-Strike 2 on—the game itself uses other, seemingly less effective forms of anticheat. But another issue is that this platform is owned by the Savvy Gaming Group, which is a subsidiary of the Public Investment Fund of Saudi Arabia, a government well known for digital surveillance and other breaches of privacy.
Much as I personally don’t like it, there is a demand from both players and developers to keep games clean, and the professionals charged with doing so have a clear and understandable incentive to keep using kernel level access—issues aside, it seems undeniable that it is more effective at preventing cheating. I’d say vote with your wallet, but I’m certainly not going to stop playing Elden Ring or Armored Core 6 just because of their use of kernel level Easy Anti-Cheat.