Kernel Anti Cheat Conflicting with Other Kernel Anti Cheat- Low Level

    jet@hackertalks.com
    wrote last edited by
    #1

    Kernel mode anti-cheat is problematic again and I hate it.

    pbs.twimg.com/media/GyDIMLhW4AAsiti?format=jpg&name=large
    archie-osu.github.io/2025/04/11/vanguard-research.html
    reversing.info/posts/guardedregions

    :::spoiler summarizer

    Summary

    The video discusses the growing conflict and challenges posed by kernel-level anti-cheat software used in modern gaming. The speaker highlights a recent incident where Battlefield 6’s beta would not install if Riot Games’ Valorant (which uses the Vanguard anti-cheat) was installed on the same PC. This incompatibility arises because Vanguard and other kernel-level anti-cheats run with high system privileges, hooking deeply into the operating system to detect cheating but also causing potential conflicts and security concerns.

    Kernel-level anti-cheats operate at the highest privilege level (kernel mode) of a computer’s operating system, allowing them to monitor and intervene in software operations but also exposing the system to privacy risks and vulnerabilities. Riot’s Vanguard is particularly invasive, running continuously from boot and intercepting system calls, which can create conflicts with other anti-cheat systems like EA’s Easy Anti-Cheat. This has led to situations where games cannot coexist on the same machine due to conflicting kernel hooks and memory manipulations.

    The video also delves into the broader implications of this trend: the fragmentation of anti-cheat systems across publishers, the invasion of user privacy, and the increased attack surface for malware exploitation through these privileged programs. The speaker references past incidents (such as ransomware exploiting anti-cheat vulnerabilities and the CrowdStrike Falcon EDR crash) to underline the dangers of running security software at the kernel level.

    Finally, the video touches on Microsoft’s efforts to mitigate these risks by creating APIs that move security functions out of kernel mode, though it remains unclear how effective or soon these solutions will be. The overall message is a cautionary note about the current state of gaming anti-cheat technology, its impact on user experience, privacy, and system security, and a call for awareness among gamers.

    Highlights

    • 🕹️ Battlefield 6 beta refuses to install if Valorant (with Riot Vanguard) is present on the PC.
    • 🛡️ Kernel-level anti-cheats operate at the highest OS privilege, deeply integrating with system functions.
    • 🔥 Riot Vanguard is one of the most invasive anti-cheats, running continuously from boot and hooking system calls.
    • ⚠️ Conflicts between different kernel-level anti-cheats can cause system instability and game incompatibility.
    • 🕵️ Privacy concerns arise as anti-cheats have access to detailed system and user data.
    • 🦠 Malware has exploited anti-cheat vulnerabilities to disable antivirus protections.
    • 🖥️ Microsoft is working on reducing kernel-level code in security software to improve safety and stability.

    Key Insights

    • 🛡️ Kernel-Level Anti-Cheats Provide Deep System Access but Introduce Risks:
      Kernel mode is the most privileged execution level in an OS, allowing anti-cheat software to monitor and block cheats effectively by inspecting memory and processes at a low level. However, this power comes with significant risks, including system instability, privacy breaches, and security vulnerabilities if the anti-cheat software is flawed or maliciously exploited.

    • ⚔️ Anti-Cheat Software Conflicts Create a Fragmented Gaming Ecosystem:
      Every major game publisher has developed their own kernel-level anti-cheat solution with different hooking methods and system call interceptions. This leads to conflicts when multiple anti-cheats coexist, as seen with Battlefield 6 and Valorant. Such fragmentation forces gamers to choose between games or even maintain separate computers for different titles—an unacceptable consumer experience.

    • 🔍 Riot Vanguard’s Invasiveness Highlights the Extremes of Kernel Anti-Cheats:
      Unlike most anti-cheats that only activate when a game runs, Vanguard installs as a boot-time driver, constantly running in the background. It hooks into system calls, intercepting critical OS functions and dynamically swapping memory pages to evade detection or inspection. This level of system control is unprecedented, raising serious concerns about privacy and potential misuse.

    • 🕵️‍♂️ Privacy Concerns Are Elevated by Kernel-Level Anti-Cheats:
      Because these anti-cheats run with broad privileges, they can potentially monitor all system activities, not just those related to cheating. This raises questions about what data is collected, how it is transmitted, and the extent to which user privacy is protected. Without transparency and strict controls, users remain vulnerable to unauthorized surveillance.

    • 🦠 Security Vulnerabilities in Anti-Cheats Are Exploited by Malware:
      The speaker highlights a real-world example where ransomware exploited an anti-cheat vulnerability in Genshin Impact to disable antivirus software. Such attacks exploit the privileged position of anti-cheats to bypass normal security measures, making the presence of kernel-level anti-cheats a double-edged sword—protecting games while potentially exposing systems to new threats.

    • 💻 Microsoft’s Efforts to Limit Kernel-Level Code Could Improve Security Posture:
      The video references Microsoft’s work to develop APIs that would allow antivirus and anti-cheat functions to operate outside kernel mode, reducing the attack surface and improving system stability. Although details are scarce, this could mark a turning point in balancing security with system safety for gamers and general users alike.

    • 🚨 The Future of Gaming Security May Require Rethinking Anti-Cheat Architecture:
      With the current “land war” over kernel hook points and the increasing complexity of kernel-level anti-cheats, the gaming industry faces a critical juncture. The ideal anti-cheat would be effective without compromising system security or user privacy, possibly necessitating standardized approaches, better collaboration among publishers, or innovative technical solutions that avoid kernel mode altogether.

    Additional Analysis

    The video underscores a major tension between the need for robust anti-cheat mechanisms and the inherent risks of deeply invasive software. Kernel-level anti-cheats are a natural response to increasingly sophisticated cheating methods, but their privileged access means any flaw or abuse could have catastrophic effects on a user’s system.

    The incompatibility between different anti-cheats reflects a lack of industry coordination. This is a serious issue since gamers expect to install and play multiple games on one machine without fearing crashes or installation blocks. The analogy of a “land war” inside the kernel vividly illustrates how different companies’ software competes for control over critical system functions, sometimes to the detriment of system stability.

    Moreover, the privacy concerns raised cannot be overstated. Kernel-mode software is effectively a “superuser” on a PC, and without stringent safeguards, it might act as a surveillance tool under the guise of security. Gamers, often unaware of these technical underpinnings, face unseen risks.

    The malware example serves as a cautionary tale about unintended consequences. Security software designed to protect can inadvertently open backdoors if not carefully engineered. This highlights the need for rigorous security audits and transparency from publishers.

    Microsoft’s involvement offers some hope, suggesting that operating system vendors recognize these dangers and are seeking to architect safer solutions. However, the complexity of kernel-level programming and the performance demands of real-time cheat detection mean that any transition away from kernel mode will be challenging.

    In conclusion, the video provides an insightful and technical perspective on a critical yet under-discussed issue in modern gaming. It calls for greater awareness, improved industry cooperation, and a reevaluation of how anti-cheat technologies are developed to balance fairness, privacy, and security in the gaming ecosystem.
    :::
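
The summary above contrasts a driver that loads at boot and stays resident with ones that load only when a game starts. As an added example (not part of the original post or of any vendor's tooling), this PowerShell audit lists running kernel drivers by start type and signer; the function names and the `Microsoft Windows` signer filter are assumptions made for illustration.

```powershell
# Added example: inventory running kernel drivers by start type and signer.
# Run on Windows in an elevated PowerShell session (5.1 or later).

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths may use NT-style prefixes; map them to Win32 paths.
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p -like 'system32\*')    { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $signer = 'unknown'
            $status = 'file not found'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = $sig.Status
                if ($sig.SignerCertificate) {
                    # Subject common name of the signing certificate.
                    $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
                }
            }
            [pscustomobject]@{
                Name            = $_.Name
                StartMode       = $_.StartMode   # Boot, System, Auto, Manual, Disabled
                Signer          = $signer
                SignatureStatus = $status
                Path            = $path
            }
        }
}

$inventory = Get-KernelDriverInventory

# How many running drivers fall under each start type.
$inventory | Group-Object StartMode | Select-Object Name, Count | Format-Table -AutoSize

# Drivers loaded during boot that are not signed as in-box Windows components.
# Assumption: in-box drivers report the signer name 'Microsoft Windows'.
# Third-party drivers often show 'Microsoft Windows Hardware Compatibility
# Publisher', so they are deliberately not filtered out here.
$inventory |
    Where-Object { $_.StartMode -in 'Boot', 'System' -and $_.Signer -ne 'Microsoft Windows' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, Signer, SignatureStatus -AutoSize
```

Comparing the second table before and after installing a game shows which of its drivers stay loaded from boot rather than on demand.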

      jet@hackertalks.com
      wrote last edited by
      #2

      To be fair I do play most of my games in a VM, and even that on its own computer.

      Compartmentalization is key.

      Really sketchy that BF6 requires Secure Boot, Microsoft chain of trust for the entire boot environment; whose computer is it anyway?
