Bananabot (talk | contribs)
Added archive URLs for 1 citation(s) using CRWCitationBot
Rudxain (talk | contribs)
m add code tags
 
(One intermediate revision by the same user not shown)
Line 8: Line 8:
==Consumer impact summary==
==Consumer impact summary==
===Privacy concerns===
===Privacy concerns===
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk |archive-url=http://web.archive.org/web/20251215134002/https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |archive-date=15 Dec 2025}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the capability to track the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.
Kernel-level anti-cheat has access to every process that runs on a computer, from a simple video running in the background, to processes that may be more private for the user. As this software is designed to run on startup,<ref>{{Cite web |last=Rigney |first=Ryan K. |date=23 Feb 2024 |title=The Gamers Do Not Understand Anti-Cheat |url=https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |access-date=2025-06-10 |website=Push To Talk |archive-url=http://web.archive.org/web/20251215134002/https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat |archive-date=15 Dec 2025}}</ref> this means even if the intended game the software was installed for is not currently running, it retains the [[Spyware|capability to track]] the user's behaviors. This can range from gathering data that could be sold to advertisers to, if the software itself is hijacked by a malicious actor, the harvesting of sensitive personal information.


===Security concerns===
===Security concerns===
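Review bot: The piped link [[Spyware|capability to track]] in the Privacy concerns paragraph hides its target behind neutral wording, so a reader only finds out by following the link that the article is characterizing the software as spyware. If that characterization is intended, say so in the sentence and cite a source for it; the paragraph's only reference sits on the run-on-startup clause, and the closing sentence about data being sold to advertisers has no reference. Otherwise, drop the link or point it at a neutral term.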
Line 15: Line 15:
If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the {{Wplink|operating system}} and {{Wplink|Antivirus software|anti-virus software}}.
If a malicious actor was to discover a security issue in a kernel level anti-cheat significant enough to allow them to hijack the software, they would be able to directly execute code at its level of access, allowing them to bypass security measures put in place by the {{Wplink|operating system}} and {{Wplink|Antivirus software|anti-virus software}}.


This is not a purely hypothetical scenario; it has already taken place in an incident with the popular {{Wplink|Gacha game|gacha}} co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat '''mhyprot2.sys''<nowiki/>' was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing {{Wplink|ransomware}}.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html |access-date=Aug 4, 2025 |website=Trend |archive-url=http://web.archive.org/web/20260208191733/https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html |archive-date=8 Feb 2026}}</ref>
This is not a purely hypothetical scenario; it has already taken place in an incident with the popular {{Wplink|Gacha game|gacha}} co-op adventure [[Genshin Impact|''Genshin Impact'']], where the game's anti-cheat <code>mhyprot2.sys</code> was hijacked by malicious actors to disable users' anti-virus software, with the intent of distributing {{Wplink|ransomware}}.<ref>{{Cite web |last=Soliven |first=Ryan |last2=Kimura |first2=Hitomi |date=2022-08-24 |title=Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus |url=https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html |access-date=Aug 4, 2025 |website=Trend |archive-url=http://web.archive.org/web/20260208191733/https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html |archive-date=8 Feb 2026}}</ref>


Another perfect example is Hotta Studios' Tower of Fantasy game. Users have reported that the kernel-level anticheat 'ksophon_x64.sys' has caused [[wikipedia:Blue_screen_of_death|BSOD]] along with the DPC_WATCHDOG_VIOLATION. This incident occurs when the game is uninstalled, launched, closed, or even running before the new publisher Perfect World Games. As of now, since the update by the company, the file doesn't appear to exist in System32/drivers.
Another perfect example is Hotta Studios' Tower of Fantasy game. Users have reported that the kernel-level anticheat <code>ksophon_x64.sys</code> has caused [[wikipedia:Blue_screen_of_death|BSOD]] along with the <code>DPC_WATCHDOG_VIOLATION</code>. This incident occurs when the game is uninstalled, launched, closed, or even running before the new publisher Perfect World Games. As of now, since the update by the company, the file doesn't appear to exist in <code>System32/drivers</code>.


===Support issues===
===Support issues===
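Review bot: The Tower of Fantasy paragraph gains code formatting but still has no citation for "Users have reported", and what it describes is a stability fault (BSOD with DPC_WATCHDOG_VIOLATION), not a hijack, so "Another perfect example" does not follow from the mhyprot2.sys incident above it. Suggest adding a source, replacing the opener with neutral wording, and rewriting "or even running before the new publisher Perfect World Games", which does not say clearly when the crashes occurred. The path in the last sentence would also read more naturally for Windows as System32\drivers.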